diff --git a/.gitignore b/.gitignore index af4dfdc..3755252 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ npm-debug.log* yarn-debug.log* yarn-error.log* lerna-debug.log* +testing # Diagnostic reports (https://nodejs.org/api/report.html) report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json diff --git a/WARP/devops/testing/All-Plus-Advisor.csv b/WARP/devops/testing/All-Plus-Advisor.csv deleted file mode 100644 index 2ed5e27..0000000 --- a/WARP/devops/testing/All-Plus-Advisor.csv +++ /dev/null 
@@ -1,1127 +0,0 @@ -AzAdv25Jan,,,,, -,,,,, -Recommendations for your workload,,,,, -Your overall results,Critical,'0/100',,, -Reliability,Critical,'0/100',,, -Security,Critical,'0/100',,, -Cost Optimization,Critical,'0/100',,, -Operational Excellence,Critical,'0/100',,, -Performance Efficiency,Critical,'0/100',,, -WAF Configuration,Not assessed,,,, -Reliability - Azure Machine Learning,Not assessed,,,, -Security - Azure Machine Learning,Not assessed,,,, -Cost Optimization - Azure Machine Learning,Not assessed,,,, -Operational Excellence - Azure Machine Learning,Not assessed,,,, -Performance Efficiency - Azure Machine Learning,Not assessed,,,, -Reliability - Data Management,Not assessed,,,, -Security - Data Management,Not assessed,,,, -Cost Optimization - Data management,Not assessed,,,, -Operational Excellence - Data Management,Not assessed,,,, -Performance Efficiency - Data Management,Not assessed,,,, -,,,,, -Next Steps,,,,, -Review identify and classify business critical applications,https://docs.microsoft.com/azure/architecture/framework/Security/applications-services#identify-and-classify-business-critical-applications,,,, -Define RPO and RTO for your workload,https://docs.microsoft.com/azure/architecture/framework/Resiliency/business-metrics#recovery-metrics,,,, -Review limits,https://docs.microsoft.com/azure/architecture/framework/DevOps/app-design#limits,,,, -,,,,, -Category,Link-Text,Link,Priority,ReportingCategory,ReportingSubcategory,Weight,Context -Reliability,Upgrade the standard disks attached to your premium-capable VM to premium disks for 2 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Reliability,Upgrade to the latest version of the Azure Connected Machine agent for 7 Machine(s) - Azure Arc,https://aka.ms/azure-advisor-portal,High,,,0, -Reliability,Enable Cross Region Restore for your recovery Services Vault for 2 MICROSOFT.RECOVERYSERVICES/VAULTS,https://aka.ms/azure-advisor-portal,High,,,0, -Reliability,Enable Backups on your 
Virtual Machines for 25 Virtual machine(s) (classic),https://aka.ms/azure-advisor-portal,High,,,0, -Reliability,Upgrade to the latest agent version of Azure Arc-enabled Kubernetes for 1 MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS,https://aka.ms/azure-advisor-portal,High,,,0, -Reliability,Pod Disruption Budgets Recommended for 1 Kubernetes service(s),https://aka.ms/azure-advisor-portal,High,,,0, -Reliability,Azure WAF RuleSet CRS 3.1/3.2 has been updated with log4j2 vulnerability rule for 1 Application gateway(s),https://aka.ms/azure-advisor-portal,High,,,0, -Reliability,Additional protection to mitigate Log4j2 vulnerability (CVE-2021-44228) for 1 Application gateway(s),https://aka.ms/azure-advisor-portal,High,,,0, -Reliability,Avoid hostname override to ensure site integrity for 1 Application gateway(s),https://aka.ms/azure-advisor-portal,High,,,0, -Reliability,Identify distinct workloads,https://docs.microsoft.com/azure/architecture/framework/Resiliency/app-design#considerations-for-improving-reliability,High,Application Design,Design,99,Identify distinct workloads -Reliability,Identify SLAs for 3rd party dependencies,https://docs.microsoft.com/azure/architecture/framework/resiliency/design-resiliency#understand-the-impact-of-dependencies,High,Application Design,Targets & Non-Functional Requirements,95,Identify SLAs for 3rd party dependencies -Reliability,Compute a composite SLA for your workload,https://docs.microsoft.com/azure/architecture/framework/Resiliency/business-metrics#understand-service-level-agreements,High,Application Design,Targets & Non-Functional Requirements,95,Compute a composite SLA for your workload -Reliability,Have clearly defined availability targets,https://docs.microsoft.com/azure/architecture/framework/Resiliency/business-metrics#workload-availability-targets,High,Application Design,Targets & Non-Functional Requirements,95,Have clearly defined availability targets -Reliability,Identify recovery targets for your 
workload,https://docs.microsoft.com/azure/architecture/framework/Resiliency/business-metrics#recovery-metrics,High,Application Design,Targets & Non-Functional Requirements,90,Identify recovery targets for your workload -Reliability,Decouple the lifecycle of the application from its dependencies,https://docs.microsoft.com/azure/architecture/framework/resiliency/design-resiliency#understand-the-impact-of-dependencies,High,Application Design,Dependencies,85,Decouple the lifecycle of the application from its dependencies -Reliability,Perform a failure mode analysis,https://docs.microsoft.com/azure/architecture/resiliency/failure-mode-analysis,High,Application Design,Failure Mode Analysis,85,Perform a failure mode analysis -Reliability,Use semantic logs and metrics,https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview,High,Health Modeling & Monitoring,Monitoring and Measurement,84,Use semantic logs and metrics -Reliability,Correlate logs across workload tiers,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#analyzing-data-and-diagnosing-issues,High,Health Modeling & Monitoring,Application Level Monitoring,80,Correlate logs across workload tiers -Reliability,Collect and store logs and key metrics of critical components,https://docs.microsoft.com/azure/architecture/framework/Resiliency/monitoring#instrumentation,High,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,80,Collect and store logs and key metrics of critical components -Reliability,Monitor long-running workflows for failures,https://docs.microsoft.com/azure/architecture/framework/Resiliency/monitoring#long-running-workflow-failures,High,Application Design,Transactional,80,Monitor long-running workflows for failures -Reliability,Measure and monitor key availability targets,https://docs.microsoft.com/azure/architecture/framework/Resiliency/business-metrics#availability-metrics,High,Application Design,Targets & Non-Functional Requirements,80,Measure 
and monitor key availability targets -Reliability,Plan for dependent service outages,https://docs.microsoft.com/azure/architecture/framework/Resiliency/backup-and-recovery#dependent-service-outage,High,Application Design,Dependencies,79,Plan for dependent service outages -Reliability,Create a disaster recovery plan,https://docs.microsoft.com/azure/architecture/framework/Resiliency/backup-and-recovery#disaster-recovery-plan,High,Application Design,Design,79,Create a disaster recovery plan -Reliability,Create a backup strategy,https://docs.microsoft.com/azure/architecture/framework/Resiliency/backup-and-recovery#backup-strategy,High,Data Platform Availability,Replication and Redundancy,79,Create a backup strategy -Reliability,Document regional failure plan,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#plan-for-regional-failures,High,Application Platform Availability,Compute Availability,79,Document regional failure plan -Reliability,Develop a plan for region/zone/network outages,https://docs.microsoft.com/azure/architecture/framework/Resiliency/backup-and-recovery#network-outage,High,Application Design,Design,79,Develop a plan for region/zone/network outages -Reliability,Create a data restoration plan,https://docs.microsoft.com/azure/architecture/reliability/architect#manage-your-data,High,Data Platform Availability,Replication and Redundancy,79,Create a data restoration plan -Reliability,Operate your workload in multiple regions,https://docs.microsoft.com/azure/availability-zones/az-overview,High,Application Design,Design,77,Operate your workload in multiple regions -Reliability,Use high availability offerings for platform services,https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability,High,Application Platform Availability,Service SKU,77,Use high availability offerings for platform services -Reliability,Validate Availability Zones are in required 
regions,https://docs.microsoft.com/azure/availability-zones/az-region,High,Capacity & Service Availability Planning,Service Availability,77,Validate Availability Zones are in required regions -Reliability,Deploy to multiple availability zones,https://docs.microsoft.com/azure/availability-zones/az-overview#availability-zones,High,Application Design,Design,75,Deploy to multiple availability zones -Reliability,Detect and remediate faults through chaos engineering,https://docs.microsoft.com/azure/architecture/framework/resiliency/chaos-engineering,Medium,Deployment & Testing,Testing & Validation,57,Detect and remediate faults through chaos engineering -Reliability,Perform chaos testing by injecting faults,https://docs.microsoft.com/azure/architecture/framework/Resiliency/testing#fault-injection-testing,Medium,Deployment & Testing,Testing & Validation,57,Perform chaos testing by injecting faults -Reliability,Test under expected peak load,https://docs.microsoft.com/azure/architecture/framework/Resiliency/testing#test-under-peak-loads,Medium,Deployment & Testing,Testing & Validation,57,Test under expected peak load -Reliability,Have redundant network connections to on-prem data sources,https://docs.microsoft.com/azure/expressroute/cross-network-connectivity,Medium,Networking & Connectivity,Connectivity,55,Have redundant network connections to on-prem data sources -Reliability,Simulate a failure path for cross premise connectivity,https://docs.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering,Medium,Networking & Connectivity,Connectivity,55,Simulate a failure path for cross premise connectivity -Reliability,Load balance traffic across availability zones,https://docs.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones,Medium,Networking & Connectivity,Connectivity,54,Load balance traffic across availability zones -Reliability,Manage load balancer connections to avoid port 
exhaustion,https://docs.microsoft.com/azure/load-balancer/load-balancer-outbound-connections#scenarios,Medium,Application Performance Management,Network Throughput and Latency,54,Manage load balancer connections to avoid port exhaustion -Reliability,Create application specific health probes,https://docs.microsoft.com/azure/architecture/framework/Resiliency/app-design-error-handling#application-health-probes,Medium,Networking & Connectivity,Zone-Aware Services,54,Create application specific health probes -Reliability,Implement load balancing,https://docs.microsoft.com/azure/architecture/guide/technology-choices/load-balancing-overview,Medium,Networking & Connectivity,Connectivity,54,Implement load balancing -Reliability,Plan for expected usage patterns,https://docs.microsoft.com/azure/architecture/framework/scalability/design-capacity#preemptively-scaling-based-on-trends,Medium,Application Design,Targets & Non-Functional Requirements,54,Plan for expected usage patterns -Reliability,Backup keys and secrets in a geo-redudant way,https://docs.microsoft.com/azure/key-vault/general/disaster-recovery-guidance,Medium,Operational Procedures,Configuration & Secrets Management,53,Backup keys and secrets in a geo-redudant way -Reliability,Automate key rotation,https://docs.microsoft.com/azure/key-vault/secrets/key-rotation-log-monitoring,Medium,Operational Procedures,Configuration & Secrets Management,53,Automate key rotation -Reliability,Put operational procedures into place for if data size exceeds limits,https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#managing-limits,Medium,Application Performance Management,Data Size/Growth,52,Put operational procedures into place for if data size exceeds limits -Reliability,Automatically test your failover and failback process,https://docs.microsoft.com/azure/architecture/framework/Resiliency/backup-and-recovery#failover-and-failback-testing,Medium,Operational Procedures,Recovery & 
Failover,51,Automatically test your failover and failback process -Reliability,Automate your tests,https://docs.microsoft.com/azure/architecture/framework/devops/testing#automated-testing,Medium,Deployment & Testing,Testing & Validation,51,Automate your tests -Reliability,Segregate read operations from update operations,https://docs.microsoft.com/azure/architecture/patterns/cqrs,Medium,Application Design,Design,50,Segregate read operations from update operations -Reliability,Archive application configuration and installation information,https://docs.microsoft.com/azure/architecture/patterns/external-configuration-store#custom-backing-store-example,Medium,Operational Procedures,Configuration & Secrets Management,50,Archive application configuration and installation information -Reliability,Implement request timeouts,https://docs.microsoft.com/azure/architecture/framework/Resiliency/app-design-error-handling#request-timeouts,Medium,Application Design,Design,50,Implement request timeouts -Reliability,Implement retry logic to handle transient failures,https://docs.microsoft.com/azure/architecture/framework/Resiliency/app-design-error-handling#handling-transient-failures,Medium,Application Design,Design,50,Implement retry logic to handle transient failures -Reliability,Architect storage for resiliency,https://docs.microsoft.com/azure/architecture/framework/Resiliency/data-management#storage-resiliency,Medium,Data Platform Availability,Service SKU,50,Architect storage for resiliency -Reliability,Implement resiliency strategies in your workload,https://docs.microsoft.com/azure/architecture/framework/resiliency/design-resiliency#build-resiliency-with-failure-mode-analysis,Medium,Application Design,Design,50,Implement resiliency strategies in your workload -Reliability,Implement application throttling,https://docs.microsoft.com/azure/architecture/patterns/throttling,Medium,Application Design,Design,50,Implement application throttling -Reliability,Decouple your application 
services,https://docs.microsoft.com/azure/architecture/guide/design-principles/minimize-coordination,Medium,Application Design,Targets & Non-Functional Requirements,50,Decouple your application services -Reliability,Store session state in an external data store,https://docs.microsoft.com/aspnet/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/web-development-best-practices,Medium,Operational Procedures,Configuration & Secrets Management,50,Store session state in an external data store -Reliability,Avoid session state,https://docs.microsoft.com/aspnet/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/web-development-best-practices#sessionstate,Medium,Operational Procedures,Configuration & Secrets Management,50,Avoid session state -Reliability,Distribute data geographically,https://docs.microsoft.com/azure/architecture/framework/Resiliency/data-management#distribute-data-geographically,Medium,Application Design,Design,50,Distribute data geographically -Reliability,Create health probes that validate data consistency,https://docs.microsoft.com/azure/architecture/framework/resiliency/monitor-model#create-good-health-probes,Medium,Networking & Connectivity,Connectivity,50,Create health probes that validate data consistency -Security,Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure VPC flow logging is enabled in all VPCs for 3 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,"Ensure a log metric filter and alarm exist for usage of ""root"" account for 1 AWS resource(s)",https://aka.ms/azure-advisor-portal,High,,,0, -Security,SQL servers 
should have an Azure Active Directory administrator provisioned for 1 SQL server(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Secure transfer to storage accounts should be enabled for 8 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Unused IAM user credentials should be removed for 6 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,IAM user credentials should be disabled if not used within a pre-defined number days for 6 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Diagnostic logs in App Service should be enabled for 2 App service(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Function apps should have Client Certificates (Incoming client certificates) enabled for 6 App service(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,MFA should be enabled for all IAM users that have a console password for 4 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Python should be updated to the latest version for function apps for 2 App service(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure credentials unused for 90 days or greater are disabled for 6 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password for 4 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,MFA should be enabled for all IAM users for 10 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure access keys are rotated every 90 days or less for 7 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,S3 Block Public Access setting should be enabled at the bucket level for 9 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,EC2 instances should not have a public IP address for 6 
Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Security groups should not allow ingress from 0.0.0.0/0 to port 22 for 8 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,EC2 instances should use IMDSv2 for 6 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 for 2 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Security groups should only allow unrestricted incoming traffic for authorized ports for 10 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,MFA should be enabled for all IAM users for 10 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Password policies for IAM users should have strong configurations for 1 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Security groups should not allow unrestricted access to ports with high risk for 10 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Attached EBS volumes should be encrypted at-rest for 6 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,VPC flow logging should be enabled in all VPCs for 20 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,S3 buckets should have server-side encryption enabled for 9 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Amazon SQS queues should be encrypted at rest for 6 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,SSM agent should be installed on your AWS EC2 instances for 4 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,CloudTrail should have encryption at-rest enabled for 2 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, 
-Security,EC2 subnets should not automatically assign public IP addresses for 65 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure IAM password policy requires at least one number for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure a log metric filter and alarm exist for AWS Config configuration changes for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure a log metric filter and alarm exist for route table changes for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure a log metric filter and alarm exist for unauthorized API calls for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,SNS topics should be encrypted at rest using AWS KMS for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Web Application should only be accessible over HTTPS for 3 App service(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure a log metric filter and alarm exist for AWS Management Console authentication failures for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Network traffic data collection agent should be installed on Windows virtual machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure a log metric filter and alarm exist for changes to network gateways for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Machines should have a vulnerability assessment solution for 20 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure IAM password policy requires at least one lowercase letter for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs for 2 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Amazon EC2 should be configured to use VPC endpoints for 3 AWS 
resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,The VPC default security group should not allow inbound and outbound traffic for 3 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Attached EBS volumes should be encrypted at-rest for 5 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,CloudTrail logs should be encrypted at rest using AWS KMS CMKs for 2 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,VPC default security group should prohibit inbound and outbound traffic for 3 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure a log metric filter and alarm exist for IAM policy changes for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,IAM users' access keys should be rotated every 90 days or less for 7 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure a log metric filter and alarm exist for CloudTrail configuration changes for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure IAM password policy requires at least one symbol for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure a log metric filter and alarm exist for security group changes for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,EBS default encryption should be enabled for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Web apps should request an SSL certificate for all incoming requests for 3 App service(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Private endpoint should be configured for Key Vault for 14 Key vault(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Windows Defender Exploit Guard should be enabled on machines for 21 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure IAM password policy requires minimum password length of 14 or greater for 1 AWS 
resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Guest Configuration extension should be installed on machines for 5 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure a log metric filter and alarm exist for S3 bucket policy changes for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure a log metric filter and alarm exist for VPC changes for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Managed identity should be used in web apps for 3 App service(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure IAM password policy requires at least one uppercase letter for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Lambda functions should have a dead-letter queue configured for 1 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Network traffic data collection agent should be installed on Linux virtual machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,MFA should be enabled on accounts with write permissions on subscriptions for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,External accounts with read permissions should be removed from your subscription for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,A maximum of 3 owners should be designated for subscriptions for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,MFA should be enabled on accounts with read permissions on your subscription for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Deprecated accounts should be removed from subscriptions for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,External 
accounts with owner permissions should be removed from subscriptions for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,External accounts with owner permissions should be removed from your subscription for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed for 1 Microsoft.kubernetes/connectedclusters,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Deprecated accounts should be removed from your subscription for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,External accounts with write permissions should be removed from your subscription for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,MFA should be enabled on accounts with read permissions on subscriptions for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,External accounts with read permissions should be removed from subscriptions for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,MFA should be enabled on accounts with owner permissions on your subscription for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Container registries should use private link for 1 Container registry(ies),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Container registries should not allow unrestricted network access for 1 Container registry(ies),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity for 1 Microsoft.Compute/virtualMachines/extensions,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Validity period of certificates stored in Azure Key Vault should not exceed 12 months for 1 Key vault(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Authentication to Linux machines should require SSH keys for 6 Virtual 
machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Endpoint protection health issues on machines should be resolved for 6 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Log Analytics agent should be installed on virtual machines for 5 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Kubernetes API server should be configured with restricted access for 1 Kubernetes service(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines for 4 Machine(s) - Azure Arc,https://aka.ms/azure-advisor-portal,High,,,0, -Security,CloudTrail logs should be encrypted at rest using KMS CMKs for 2 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,RDS automatic minor version upgrades should be enabled for 1 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure rotation for customer created CMKs is enabled for 1 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Database logging should be enabled for 2 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,RDS DB instances should have encryption at rest enabled for 1 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,RDS DB instances should be configured with multiple Availability Zones for 2 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,IAM authentication should be configured for RDS instances for 1 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,External accounts with write permissions should be removed from subscriptions for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password for 4 
Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,SQL servers on machines should have vulnerability findings resolved for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,MFA should be enabled on accounts with write permissions on your subscription for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Storage account should use a private link connection for 39 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,EC2 instances should be managed by AWS Systems Manager for 4 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Storage account public access should be disallowed for 33 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Private endpoint connections on Azure SQL Database should be enabled for 6 SQL server(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,S3 buckets should require requests to use Secure Socket Layer for 11 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,KeyVault HoneyTokens for 13 resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Storage accounts should restrict network access using virtual network rules for 40 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure access keys are rotated every 90 days or less for 7 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure credentials unused for 90 days or greater are disabled for 6 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Amazon EC2 should be configured to use VPC endpoints for 20 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Public network access on Azure SQL Database should be disabled for 7 SQL server(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure that multi-factor authentication is 
enabled for all non-service accounts for 1 GCP resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Container registry images should have vulnerability findings resolved for 1 Container registry(ies),https://aka.ms/azure-advisor-portal,High,,,0, -Security,SQL servers should have vulnerability assessment configured for 3 SQL server(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,All network ports should be restricted on network security groups associated to your virtual machine for 4 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Adaptive network hardening recommendations should be applied on internet facing virtual machines for 4 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Management ports of virtual machines should be protected with just-in-time network access control for 4 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Management ports of EC2 instances should be protected with just-in-time network access control for 2 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Internet-facing virtual machines should be protected with network security groups for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,EC2 instances should be connected to Azure Arc for 3 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,S3 Block Public Access setting should be enabled for 1 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Management ports should be closed on your virtual machines for 4 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Managed identity should be used in function apps for 3 App service(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,EBS default encryption should be enabled for 17 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Function App should 
only be accessible over HTTPS for 4 App service(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure AWS Config is enabled in all regions for 16 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,IAM customer managed policies should not allow decryption actions on all KMS keys for 2 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Application Load Balancer should be configured to redirect all HTTP requests to HTTPS for 2 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,GuardDuty should be enabled for 16 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,MFA should be enabled on accounts with owner permissions on subscriptions for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Do not setup access keys during initial user setup for all IAM users that have a console password for 1 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,SNS topics should be encrypted at rest using AWS KMS for 1 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Automation account variables should be encrypted for 1 Microsoft.Automation/automationAccounts/variables,https://aka.ms/azure-advisor-portal,High,,,0, -Security,Key Vault secrets should have an expiration date for 11 Microsoft.KeyVault.Data/vaults/secrets,https://aka.ms/azure-advisor-portal,High,,,0, -Security,EC2 instances should not have a public IP address for 5 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Adaptive application controls for defining safe applications should be enabled on your machines for 15 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Hardware MFA should be enabled for the root user for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Key vaults should have soft delete enabled 
for 2 Key vault(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Install endpoint protection solution on virtual machines for 13 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,EC2 instances should use IMDSv2 for 5 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 for 2 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,S3 buckets should require requests to use Secure Socket Layer for 5 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Firewall should be enabled on Key Vault for 14 Key vault(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Azure Machine Learning workspaces should use private link for 3 Microsoft.MachineLearningServices/workspaces,https://aka.ms/azure-advisor-portal,High,,,0, -Security,EC2 instances should be managed by AWS Systems Manager for 3 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,RDS cluster snapshots and database snapshots should be encrypted at rest for 12 Microsoft.Security/awsResource,https://aka.ms/azure-advisor-portal,High,,,0, -Security,S3 Block Public Access setting should be enabled for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Key vaults should have purge protection enabled for 15 Key vault(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Security groups should not allow ingress from 0.0.0.0/0 to port 22 for 4 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,System updates should be installed on your machines for 3 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,FTPS should be required in web apps for 3 App service(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,"A log metric filter and alarm should exist for usage of the ""root"" user for 1 AWS resource(s)",https://aka.ms/azure-advisor-portal,High,,,0, -Security,Virtual MFA 
should be enabled for the root user for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 for 4 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Windows web servers should be configured to use secure communication protocols for 3 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,S3 buckets should have server-side encryption enabled for 4 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,"Ensure hardware MFA is enabled for the ""root"" account for 1 AWS resource(s)",https://aka.ms/azure-advisor-portal,High,,,0, -Security,"Ensure MFA is enabled for the ""root"" account for 1 AWS resource(s)",https://aka.ms/azure-advisor-portal,High,,,0, -Security,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources for 26 Virtual machine(s)",https://aka.ms/azure-advisor-portal,High,,,0, -Security,"Avoid the use of the ""root"" account for 1 AWS resource(s)",https://aka.ms/azure-advisor-portal,High,,,0, -Security,Endpoint protection health issues on machines should be resolved for 2 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,VPC flow logging should be enabled in all VPCs for 3 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Password policies for IAM users should have strong configurations for 1 AWS resource(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,FTPS should be required in function apps for 6 App service(s),https://aka.ms/azure-advisor-portal,High,,,0, -Security,Implement threat protection for the workload,https://docs.microsoft.com/azure/security-center/azure-defender,High,Application Design,Threat Analysis,100,Implement threat protection for the workload -Security,Configure emergency access accounts,https://docs.microsoft.com/azure/active-directory/roles/security-emergency-access,High,Operational 
Model & DevOps,Roles & Responsibilities,100,Configure emergency access accounts -Security,Implement security strategy to contain attacker access,https://docs.microsoft.com/azure/architecture/framework/security/resilience#containing-attacker-access,High,Application Design,Application Design,90,Implement security strategy to contain attacker access -Security,Implement established processes and timelines to deploy mitigations for identified threats,https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model#3--mitigate-the-identified-threats,High,Application Design,Threat Analysis,90,Implement established processes and timelines to deploy mitigations for identified threats -Security,Scan container workloads for vulnerabilities,https://docs.microsoft.com/azure/security-center/container-security,High,Deployment & Testing,Testing & Validation,90,Scan container workloads for vulnerabilities -Security,Adopt a formal DevSecOps approach to building and maintaining software,https://docs.microsoft.com/azure/architecture/framework/security/deploy,High,Operational Model & DevOps,General,90,Adopt a formal DevSecOps approach to building and maintaining software -Security,Implement a branch policy strategy to enhance DevOps security,https://docs.microsoft.com/azure/architecture/framework/security/deploy-governance#gated-approval-process,High,Deployment & Testing,Application Code Deployments,90,Implement a branch policy strategy to enhance DevOps security -Security,Establish a detection and response strategy for identity risks,https://docs.microsoft.com/azure/architecture/framework/security/monitor-identity-network#review-identity-risks,High,Health Modeling & Monitoring,Application Level Monitoring,90,Establish a detection and response strategy for identity risks -Security,Adopt a zero trust 
approach,https://docs.microsoft.com/azure/security/fundamentals/network-best-practices?bc=%2fazure%2farchitecture%2fbread%2ftoc.json&toc=%2fazure%2farchitecture%2ftoc.json#adopt-a-zero-trust-approach,High,Networking & Connectivity,Data flow,90,Adopt a zero trust approach -Security,"Restrict access to backend services to a minimal set of public IP addresses, only those who really need it",https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#communication-with-backend-services,High,Networking & Connectivity,Connectivity,90,"Restrict access to backend services to a minimal set of public IP addresses, only those who really need it" -Security,Protect all public endpoints with appropriate controls,https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints#web-application-firewalls-wafs,High,Networking & Connectivity,Endpoints,90,Protect all public endpoints with appropriate controls -Security,Classify your data at rest and use encryption,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-at-rest,High,Security & Compliance,Encryption,90,Classify your data at rest and use encryption -Security,Implement Conditional Access Policies,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#enable-conditional-access,High,Security & Compliance,Authentication and authorization,90,Implement Conditional Access Policies -Security,Adopt threat modeling processes,https://docs.microsoft.com/azure/security/develop/threat-modeling-tool-threats,High,Application Design,Threat Analysis,90,Adopt threat modeling processes -Security,Establish a security operations center (SOC),https://docs.microsoft.com/azure/architecture/framework/security/security-operations,High,Operational Procedures,Incident Response,90,Establish a security operations center (SOC) -Security,Ensure all Azure environments that connect to your production 
environment/network apply your organization’s policy and IT governance controls for security,https://docs.microsoft.com/azure/architecture/framework/Security/governance#manage-connected-tenants,High,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,80,Ensure all Azure environments that connect to your production environment/network apply your organization’s policy and IT governance controls for security -Security,Discover and remediate common risks to improve Secure Score in Azure Security Center,https://docs.microsoft.com/azure/architecture/framework/Security/governance#discover-and-remediate-common-risks,High,Security & Compliance,Security Center,70,Discover and remediate common risks to improve Secure Score in Azure Security Center -Security,Define a set of Azure Policies which enforce organizational standards and are aligned with the governance team,https://docs.microsoft.com/azure/governance/policy/overview,High,Security & Compliance,Compliance,70,Define a set of Azure Policies which enforce organizational standards and are aligned with the governance team -Security,Conduct periodic access reviews for the workload,https://docs.microsoft.com/azure/architecture/framework/security/monitor-audit#enforce-policy-compliance,High,Security & Compliance,Control-plane RBAC,70,Conduct periodic access reviews for the workload -Security,Apply security controls to self-hosted build agents in the same manner as with other Azure IaaS VMs,https://docs.microsoft.com/azure/architecture/framework/security/deploy-infrastructure#build-environments,High,Deployment & Testing,Build Environments,70,Apply security controls to self-hosted build agents in the same manner as with other Azure IaaS VMs -Security,Involve the security team in the development process,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/security-governance-and-compliance#service-enablement-framework,High,Operational Model & DevOps,Roles & 
Responsibilities,70,Involve the security team in the development process -Security,Clearly define CI/CD roles and permissions,https://docs.microsoft.com/azure/architecture/framework/security/deploy-governance#minimize-access,High,Operational Model & DevOps,Roles & Responsibilities,70,Clearly define CI/CD roles and permissions -Security,Review and consider elevated security capabilities for Azure workloads,https://azure.microsoft.com/solutions/confidential-compute/,High,Governance,Standards,70,Review and consider elevated security capabilities for Azure workloads -Security,Integrate code scanning tools within CI/CD pipeline,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code#credential-scanning,High,Deployment & Testing,Application Code Deployments,70,Integrate code scanning tools within CI/CD pipeline -Security,Configure quality gate approvals in DevOps release process,https://docs.microsoft.com/azure/architecture/framework/security/deploy-governance#gated-approval-process,High,Operational Model & DevOps,Roles & Responsibilities,70,Configure quality gate approvals in DevOps release process -Security,"Remove platform-specific information from HTTP headers, error messages, and web site content",https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#configuration-security,High,Application Design,Design,70,"Remove platform-specific information from HTTP headers, error messages, and web site content" -Security,Establish lifecycle management policy for critical accounts,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authorization#authorization-for-critical-accounts,High,Security & Compliance,Separation of duties,70,Establish lifecycle management policy for critical accounts -Security,Use service endpoints and private links where appropriate,https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints#public-endpoints,High,Networking & 
Connectivity,Connectivity,70,Use service endpoints and private links where appropriate -Security,Use penetration testing and red team exercises to validate security defenses for this workload,https://docs.microsoft.com/azure/architecture/framework/security/monitor-test#penetration-testing-pentesting,High,Deployment & Testing,Testing & Validation,70,Use penetration testing and red team exercises to validate security defenses for this workload -Security,Establish an incident response plan and perform periodically a simulated execution,https://info.microsoft.com/rs/157-GQE-382/images/EN-US-CNTNT-emergency-doc-digital.pdf,High,Operational Procedures,Incident Response,70,Establish an incident response plan and perform periodically a simulated execution -Security,"Develop and implement a process to track, triage, and address threats into the application development lifecycle",https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model#1--gather-information-about-the-basic-security-controls,High,Application Design,Threat Analysis,70,"Develop and implement a process to track, triage, and address threats into the application development lifecycle" -Security,Standardize on modern authentication protocols,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-modern-password-protection,High,Security & Compliance,Authentication and authorization,70,Standardize on modern authentication protocols -Security,Use Managed Identities for authentication to other Azure platform services,https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/,High,Operational Procedures,Configuration & Secrets Management,70,Use Managed Identities for authentication to other Azure platform services -Security,Automatically remove/obfuscate personally identifiable information (PII) for this workload,https://docs.microsoft.com/azure/search/cognitive-search-skill-pii-detection,High,Health Modeling & 
Monitoring,Application Level Monitoring,70,Automatically remove/obfuscate personally identifiable information (PII) for this workload -Security,Designate the parties responsible for specific functions in Azure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-role-definitions,High,Operational Model & DevOps,Roles & Responsibilities,70,Designate the parties responsible for specific functions in Azure -Security,Implement just-in-time privileged access management,https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure,High,Operational Model & DevOps,Roles & Responsibilities,70,Implement just-in-time privileged access management -Security,Define an access model for keys and secrets,https://docs.microsoft.com/azure/key-vault/general/secure-your-key-vault,High,Operational Procedures,Configuration & Secrets Management,70,Define an access model for keys and secrets -Security,Implement a landing zone concept with Azure Blueprints and Azure Policies,https://docs.microsoft.com/azure/architecture/framework/Security/governance#increase-automation-with-azure-blueprints,High,Application Design,Dependencies,70,Implement a landing zone concept with Azure Blueprints and Azure Policies -Security,Use only secure hash algorithms (SHA-2 family),https://docs.microsoft.com/azure/architecture/framework/Security/governance#discover-and-replace-insecure-protocols,High,Security & Compliance,Encryption,70,Use only secure hash algorithms (SHA-2 family) -Security,Periodically perform external and/or internal workload security audits,https://docs.microsoft.com/azure/architecture/framework/security/monitor-audit#review-critical-access,High,Security & Compliance,Compliance,70,Periodically perform external and/or internal workload security audits -Security,"Review, prioritize, and proactively apply security best practices to cloud 
resources",https://docs.microsoft.com/azure/architecture/framework/Security/governance#prioritize-security-best-practices-investments,High,Application Design,Security Criteria & Data Classification,70,"Review, prioritize, and proactively apply security best practices to cloud resources" -Security,Develop a security plan,https://docs.microsoft.com/azure/cloud-adoption-framework/get-started/security#step-3-develop-a-security-plan,High,Application Design,Security Criteria & Data Classification,70,Develop a security plan -Security,Use Azure Firewall or a 3rd party next-generation firewall to protect against data exfiltration,https://docs.microsoft.com/azure/architecture/framework/security/design-network-flow#data-exfiltration,High,Networking & Connectivity,Connectivity,70,Use Azure Firewall or a 3rd party next-generation firewall to protect against data exfiltration -Security,Use NSG or Azure Firewall to protect and control traffic within VNETs,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#connectivity-between-network-segments,High,Networking & Connectivity,Connectivity,70,Use NSG or Azure Firewall to protect and control traffic within VNETs -Security,Establish a unified enterprise segmentation strategy,https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation,High,Networking & Connectivity,Connectivity,70,Establish a unified enterprise segmentation strategy -Security,Establish security benchmarking using Azure Security Benchmark to align with industry standards,https://docs.microsoft.com/azure/architecture/framework/Security/governance#evaluate-security-using-benchmarks,High,Application Design,Threat Analysis,70,Establish security benchmarking using Azure Security Benchmark to align with industry standards -Security,Protect workload publishing methods and restrict those not in 
use,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#communication-with-backend-services,High,Networking & Connectivity,Endpoints,70,Protect workload publishing methods and restrict those not in use -Security,"Prohibit direct internet access of virtual machines with policy, logging, and monitoring",https://docs.microsoft.com/azure/architecture/framework/Security/governance#remove-virtual-machine-vm-direct-internet-connectivity,High,Networking & Connectivity,Endpoints,70,"Prohibit direct internet access of virtual machines with policy, logging, and monitoring" -Security,Mitigate DDoS attacks,https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints#mitigate-ddos-attacks,High,Networking & Connectivity,Endpoints,70,Mitigate DDoS attacks -Security,Implement a solution to configure unique local admin credentials,https://docs.microsoft.com/azure/automation/update-management/overview,High,Operational Procedures,Patch & Update Process (PNU),70,Implement a solution to configure unique local admin credentials -Security,Establish a designated group responsible for central network management,https://docs.microsoft.com/azure/architecture/framework/security/design-segmentation#functions-and-teams,High,Security & Compliance,Network Security,70,Establish a designated group responsible for central network management -Security,Integrate network logs into a Security Information and Event Management (SIEM),https://docs.microsoft.com/azure/architecture/framework/security/monitor-security-operations#leverage-native-detections-and-controls,High,Security & Compliance,Network Security,70,Integrate network logs into a Security Information and Event Management (SIEM) -Security,Build a security containment strategy,https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation,High,Security & Compliance,Network Security,70,Build a security containment strategy -Security,Deprecate legacy 
network security controls,https://docs.microsoft.com/azure/architecture/framework/Security/network-security-containment#discontinue-legacy-network-security-technology,High,Security & Compliance,Network Security,70,Deprecate legacy network security controls -Security,Implement lifecycle management process for SSL/TLS certificates,https://docs.microsoft.com/azure/key-vault/certificates/tutorial-rotate-certificates,High,Operational Procedures,Configuration & Secrets Management,70,Implement lifecycle management process for SSL/TLS certificates -Security,Define security requirements for the workload,https://docs.microsoft.com/azure/governance/policy/concepts/azure-security-benchmark-baseline,High,Application Design,Threat Analysis,70,Define security requirements for the workload -Security,Data in transit should be encrypted at all points to ensure data integrity,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit,High,Security & Compliance,Encryption,70,Data in transit should be encrypted at all points to ensure data integrity -Security,"Use tools like Azure Disk Encryption, BitLocker or DM-Crypt to encrypt virtual disks",https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-classification,High,Security & Compliance,Encryption,70,"Use tools like Azure Disk Encryption, BitLocker or DM-Crypt to encrypt virtual disks" -Security,Store keys and secrets outside of application code in Azure Key Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-keys#key-storage,High,Operational Procedures,Configuration & Secrets Management,70,Store keys and secrets outside of application code in Azure Key Vault -Security,Follow DevOps security guidance and automation for securing applications,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code,High,Operational Model & DevOps,General,70,Follow DevOps security guidance and automation for 
securing applications -Security,Evolve security beyond network controls,https://docs.microsoft.com/azure/architecture/framework/Security/network-security-containment#evolve-security-beyond-network-controls,High,Security & Compliance,Network Security,70,Evolve security beyond network controls -Security,Establish a process for key management and automatic key rotation,https://docs.microsoft.com/azure/key-vault/secrets/tutorial-rotation-dual,High,Operational Procedures,Configuration & Secrets Management,70,Establish a process for key management and automatic key rotation -Security,Maintain a list of frameworks and libraries as part of the application inventory,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Dependencies,60,Maintain a list of frameworks and libraries as part of the application inventory -Security,Implement automated deployment process with rollback/roll-forward capabilities,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code#rollback-and-roll-forward,Medium,Deployment & Testing,Application Code Deployments,60,Implement automated deployment process with rollback/roll-forward capabilities -Security,Implement security playbooks for incident response,https://docs.microsoft.com/azure/security-center/workflow-automation,Medium,Operational Procedures,Incident Response,60,Implement security playbooks for incident response -Security,Regularly simulate attacks against critical accounts,https://docs.microsoft.com/azure/architecture/framework/Security/critical-impact-accounts#attack-simulation-for-critical-impact-accounts,Medium,Deployment & Testing,Testing & Validation,60,Regularly simulate attacks against critical accounts -Security,Develop a security training program,https://www.microsoft.com/itshowcase/blog/how-microsoft-is-transforming-its-approach-to-security-training/,Medium,Operational Model & DevOps,Roles & 
Responsibilities,60,Develop a security training program -Security,Ensure security team has Security Reader or equivalent to support all cloud resources in their purview,https://docs.microsoft.com/azure/architecture/framework/Security/governance#security-team-visibility,Medium,Security & Compliance,Control-plane RBAC,60,Ensure security team has Security Reader or equivalent to support all cloud resources in their purview -Security,"Use services available from a cloud provider for well-established functions like databases, encryption, identity directory, and authentication",https://docs.microsoft.com/azure/architecture/framework/security/design-apps-considerations#use-azure-services-for-fundamental-components,Medium,Application Design,Design,60,"Use services available from a cloud provider for well-established functions like databases, encryption, identity directory, and authentication" -Security,Identify and classify business critical applications,https://docs.microsoft.com/azure/architecture/framework/Security/applications-services#identify-and-classify-business-critical-applications,Medium,Application Design,Threat Analysis,60,Identify and classify business critical applications -Security,Configure web apps to reuse authentication tokens securely and handle them like other credentials,https://docs.microsoft.com/azure/active-directory/develop/msal-acquire-cache-tokens,Medium,Security & Compliance,Authentication and authorization,60,Configure web apps to reuse authentication tokens securely and handle them like other credentials -Security,Configure and collect network traffic logs,https://docs.microsoft.com/azure/architecture/framework/security/monitor-identity-network#enable-network-visibility,Medium,Networking & Connectivity,Connectivity,60,Configure and collect network traffic logs -Security,Synchronize on-premises directory with Azure 
AD,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#centralize-all-identity-systems,Medium,Security & Compliance,Authentication and authorization,60,Synchronize on-premises directory with Azure AD -Security,Use standard and recommended encryption algorithms,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#standard-encryption-algorithms,Medium,Security & Compliance,Encryption,60,Use standard and recommended encryption algorithms -Security,Leverage a cloud application security broker (CASB),https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security,Medium,Networking & Connectivity,Data flow,60,Leverage a cloud application security broker (CASB) -Security,Design virtual networks for growth,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#connectivity-between-network-segments,Medium,Security & Compliance,Network Security,60,Design virtual networks for growth -Security,"Add planning, testing, and validation rigor to the use of the root management group",https://docs.microsoft.com/azure/architecture/framework/security/design-management-groups#use-root-management-group-with-caution,Medium,Security & Compliance,Control-plane RBAC,60,"Add planning, testing, and validation rigor to the use of the root management group" -Security,Assign permissions based on management or resource groups,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authorization#resource-based-authorization,Medium,Security & Compliance,Control-plane RBAC,60,Assign permissions based on management or resource groups -Security,Implement identity-based storage access controls,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#azure-encryption-features,Medium,Security & Compliance,Encryption,60,Implement identity-based storage access controls -Security,Identify technologies and frameworks used by 
the application,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Application Composition,50,Identify technologies and frameworks used by the application -Security,Implement role-based access control for application infrastructure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#roles-and-permission-assignment,Medium,Security & Compliance,Separation of duties,50,Implement role-based access control for application infrastructure -Security,Establish a SecOps team and monitor security related events,https://docs.microsoft.com/azure/architecture/framework/security/monitor-security-operations#incident-response,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Establish a SecOps team and monitor security related events -Security,"Provide guidance for either platform managed keys (PMK) or customer managed keys (CMK), based on security or compliance requirements of this workload",https://docs.microsoft.com/azure/security/fundamentals/encryption-models,Medium,Operational Procedures,Configuration & Secrets Management,50,"Provide guidance for either platform managed keys (PMK) or customer managed keys (CMK), based on security or compliance requirements of this workload" -Security,Continuously assess and monitor compliance,https://docs.microsoft.com/azure/security-center/security-center-compliance-dashboard#assess-your-regulatory-compliance,Medium,Security & Compliance,Compliance,50,Continuously assess and monitor compliance -Security,Make sure that all regulatory requirements are known and well understood,https://docs.microsoft.com/azure/architecture/framework/security/design-regulatory-compliance#gather-regulatory-requirements,Medium,Governance,Standards,50,Make sure that all regulatory requirements are known and well understood -Security,Make sure you understand the security features/capabilities available for 
each service and how they can be used in the solution,https://docs.microsoft.com/azure/architecture/framework/security/design-apps-services,Medium,Application Design,Application Composition,50,Make sure you understand the security features/capabilities available for each service and how they can be used in the solution -Security,Limit long-standing write access to production environments only to service principals,https://docs.microsoft.com/azure/architecture/framework/security/design-admins#no-standing-access--just-in-time-privileges,Medium,Operational Model & DevOps,Roles & Responsibilities,50,Limit long-standing write access to production environments only to service principals -Security,Establish process and tools to manage privileged access with just-in-time capabilities,https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices?bc=%2fazure%2farchitecture%2fbread%2ftoc.json&toc=%2fazure%2farchitecture%2ftoc.json#lower-exposure-of-privileged-accounts,Medium,Security & Compliance,Separation of duties,50,Establish process and tools to manage privileged access with just-in-time capabilities -Security,Update frameworks and libraries as part of the application lifecycle,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Dependencies,50,Update frameworks and libraries as part of the application lifecycle -Security,Use identity services instead of cryptographic keys when available,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-keys#identity-based-access-control,Medium,Security & Compliance,Authentication and authorization,50,Use identity services instead of cryptographic keys when available -Security,Establish a designated point of contact to receive Azure incident notifications from 
Microsoft,https://docs.microsoft.com/azure/architecture/framework/Security/governance#assign-incident-notification-contact,Medium,Security & Compliance,Separation of duties,50,Establish a designated point of contact to receive Azure incident notifications from Microsoft -Security,Enforce password-less or Multi-factor Authentication (MFA),https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-passwordless-authentication,Medium,Security & Compliance,Authentication and authorization,50,Enforce password-less or Multi-factor Authentication (MFA) -Security,Use managed identity providers to authenticate to this workload,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-identity-based-authentication,Medium,Security & Compliance,Authentication and authorization,50,Use managed identity providers to authenticate to this workload -Security,Restrict application infrastructure access to CI/CD only,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#application-deployment,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,Restrict application infrastructure access to CI/CD only -Security,Implement resource locks to protect critical infrastructure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#management-locks,Medium,Security & Compliance,Control-plane RBAC,40,Implement resource locks to protect critical infrastructure -Security,Enforce naming conventions and resource tagging for all Azure resources,https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging,Low,Governance,Standards,30,Enforce naming conventions and resource tagging for all Azure resources -Security,Implement defenses that detect and prevent commodity attacks,https://docs.microsoft.com/azure/architecture/framework/security/resilience#increasing-attacker-cost,Low,Application 
Design,Security Criteria & Data Classification,30,Implement defenses that detect and prevent commodity attacks -Security,Use CDN to optimize delivery performance to users and obfuscate hosting platform from users/clients,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#internet-edge-traffic,Low,Networking & Connectivity,Endpoints,30,Use CDN to optimize delivery performance to users and obfuscate hosting platform from users/clients -Security,"Define a process for aligning communication, investigation and hunting activities with the application team",https://docs.microsoft.com/azure/architecture/framework/Security/governance#security-team-visibility,Low,Health Modeling & Monitoring,Application Level Monitoring,30,"Define a process for aligning communication, investigation and hunting activities with the application team" -Cost Optimization,Use RBAC to contol access to dashboards and data,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs#provide-the-right-level-of-cost-access,High,Health Modeling & Monitoring,Dashboarding,90,"Are the dashboards openly available in your organization or do you limit access based on roles etc.? For example: developers usually don't need to know the overall cost of Azure for the company, but it might be good for them to be able to watch a particular workload." -Cost Optimization,Learn if there are any discounts available for the services already in use,https://azure.microsoft.com/en-us/pricing/,High,Governance,Licensing,90,When alternative cost options are considered it should be understood first if any special offers or deals are given for the existing SKUs to verify that the correct prices are being used to build a business case. 
-Cost Optimization,Consider reserved capacity for Storage,https://docs.microsoft.com/azure/storage/blobs/storage-blob-reserved-capacity,High,Capacity & Service Availability Planning,Efficiency,90,Azure Storage reserved capacity can significantly reduce your capacity costs for block blobs and Azure Data Lake Storage Gen2 data. You can purchase Azure Storage reserved capacity in units of 100 TiB and 1 PiB per month for a one-year or three-year term -Cost Optimization,Look for Public IPs and orphaned NICs,https://docs.microsoft.com/azure/virtual-machines/linux/find-unattached-nics,High,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,90,"When you delete a VM, some of the resources such as NICs or Managed Disks are not deleted by default. It is recommended to delete those resources if they are no longer needed." -Cost Optimization,Understand the Azure services used and cost implications,https://docs.microsoft.com/azure/architecture/framework/cost/design-initial-estimate,High,Application Design,Application Composition,90,"It is important to understand what Azure services, such as App Services and Event Hubs, are used by the application platform to host both application code and data. In a discussion around cost, this can drive decisions towards the right replacements (e.g. moving from Virtual Machines to containers to increase efficiency, or migrating to .NET Core to use cheaper SKUs etc.)." -Cost Optimization,Define a capacity model,https://docs.microsoft.com/azure/architecture/framework/scalability/capacity,High,Application Design,Scalability & Capacity Model,90,Right sizing your infrastructure to meet the needs of your applications can save you considerably as opposed to a 'one size fits all' solution often employed with on-premises hardware. Identify the needs of your application and choose the resources that best fit those needs. 
-Cost Optimization,Consider utilizing disk bursting,https://docs.microsoft.com/azure/virtual-machines/disk-bursting,High,Capacity & Service Availability Planning,Efficiency,90,"Azure offers the ability to boost disk storage IOPS and MB/s performance. Consider using disk bursting for some scenarios such as improve startup times, handle back jobs, traffic spikes." -Cost Optimization,Separate data and log disks,https://docs.microsoft.com/sql/relational-databases/policy-based-management/place-data-and-log-files-on-separate-drives?view=sql-server-ver15,High,Application Design,Design,90,"Placing both data and log files on the same device can cause contention for that device, resulting in poor performance. Placing the files on separate drives allows the I/O activity to occur at the same time for both the data and log files." -Cost Optimization,Organize data into access tiers,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/considerations/storage-options,High,Application Design,Application Composition,90,"Azure offers multiple products and services for different storage capabilities. Review the different options available and decide which one is better for your workload. After you identify the Storage resources that best match your requirements, use the detailed documentation available to familiarize yourself with these services." -Cost Optimization,Differentiate between production and non-production configuration,https://docs.microsoft.com/azure/architecture/framework/cost/design-resources#subscription-and-offer-type,High,Application Design,Design,90,Azure usage rates and billing periods can vary depending on the subscription and offer type. Some subscription types also include usage allowances or lower prices. 
-Cost Optimization,Enforce naming conventions and resource tagging for all Azure resources,https://docs.microsoft.com/azure/architecture/framework/cost/design-governance#enforce-resource-tagging,High,Governance,Standards,90,Use tags on resources and resource groups to track the incurred costs. Identify the service meters that can't be tagged or viewed in the cost analysis tool in Azure portal. -Cost Optimization,Define performance requirements,https://docs.microsoft.com/azure/architecture/framework/cost/tradeoffs#cost-versus-performance-efficiency,High,Capacity & Service Availability Planning,Efficiency,90,"As you design the workload, identify the ideal ratio between cost and performance. Analyze and compare factors such as fixed or consumption-based resources, compare prices between different regions and understand if the performance of the application will be degraded if the resource is deployed in a regions that is cheaper." -Cost Optimization,Select the right operating system,https://docs.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree,High,Capacity & Service Availability Planning,Efficiency,90,"Analyze the technology stack and identify which workloads are capable of running on Linux and which require Windows. Linux-based VMs and App Services are significantly cheaper, but require the app to run on supported stack (.NET Core, Node.js etc.).Select the right operating system" -Cost Optimization,Revisit new Azure services,https://azure.microsoft.com/en-us/updates/,High,Governance,Financial Management & Cost Models,90,"Consider revisiting new Azure Services in a regular basis, as it can help you understanding if there is a newer SKU for a particular service that could be a better fit for this application. 
" -Cost Optimization,Cleanup Storage regularly,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-checklist,High,Governance,Financial Management & Cost Models,90,Review your storage account to understand if there is any piece of data that can be deleted or moved to a different tier. -Cost Optimization,Use Azure Advisor,https://docs.microsoft.com/azure/advisor/advisor-cost-recommendations,High,Capacity & Service Availability Planning,Service SKU,90,"Azure Advisor helps to optimize and improve efficiency of the workload by identifying idle and under-utilized resources. It analyzes your configurations and usage telemetry and consolidates it into personalized, actionable recommendations to help you optimize your resources." -Cost Optimization,Delete or deallocate unused resources in test environments,https://azure.microsoft.com/en-us/solutions/dev-test/#overview,High,Deployment & Testing,Testing & Validation,90,Review you pre-production environment periodically and shutdown or remove unused resources. -Cost Optimization,Collect logs and metrics from Azure resources,https://docs.microsoft.com/azure/azure-monitor/platform/data-platform-logs,High,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,90,In order to successfully maintain the application it's important to 'turn the lights on' and have clear visibility of important metrics both in real-time and historically. -Cost Optimization,Shut down VM instances not in use,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-vm#shut-down-the-under-utilized-instances,High,Capacity & Service Availability Planning,Efficiency,90,Use the Start/stop VMs during off-hours a feature of virtual machines to minimize waste. 
-Cost Optimization,Consider the cost of data transfers and make sure cross-region peering is used efficiently,https://azure.microsoft.com/en-us/pricing/details/bandwidth/,High,Networking & Connectivity,Data flow,90,Moving data between regions can add additional cost - both on the storage layer or networking layer. It's worth reviewing if this cost is can be replaced via re-architecture or justified due to e.g. disaster recovery (DR). -Cost Optimization,Use ACM or other cost management tools,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reports,High,Health Modeling & Monitoring,Dashboarding,90,"In order to track spending an ACM tool can help with understanding how much is spent, where and when. This helps to make better decisions about how and if cost can be reduced." -Cost Optimization,Define a naming convention,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging,High,Governance,Standards,90,Using tags can help to manage resources and make it easier to find relevant items during operational procedures. -Cost Optimization,Consider reserved instances,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-vm#reserved-vms,High,Application Design,Design,90,"Azure Reservations help you save money by committing to one-year or three-year plans for multiple products. Committing allows you to get a discount on the resources you use. Reservations can significantly reduce your resource costs by up to 72% from pay-as-you-go prices. " -Cost Optimization,Define and monitor targets for scale operations,https://docs.microsoft.com/azure/azure-monitor/vm/vminsights-performance,High,Capacity & Service Availability Planning,Efficiency,90,Use Azure monitor to analyze the usage of the resources. 
-Cost Optimization,Design the workload to scale independently,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-autoscale,High,Capacity & Service Availability Planning,Efficiency,90,"For certain application, capacity requirements may swing over time. Autoscaling policies allow for less error-prone operations and cost savings through robust automation. Choose smaller instances where workload is highly variable and scale out to get the desired level of performance, rather than up." -Cost Optimization,Configure auto-scale policies for your workload (both in and out),https://docs.microsoft.com/azure/architecture/framework/cost/optimize-autoscale,High,Application Design,Application Composition,90,Deliberate selection of resources and sizing is important to maintain efficiency and optimal cost. -Cost Optimization,Understand the cost implications of multi-region deployment,https://docs.microsoft.com/azure/architecture/framework/cost/design-regions#traffic-across-billing-zones-and-regions,High,Application Design,Design,90,"Consider how important is the application to justify the cost of having resources cross zones and/or cross regions. For non-mission critical applications such as, developer or test, consider keeping the solution and its dependencies in a single region or single zone to leverage the advantages of choosing the lower-cost region." -Cost Optimization,Understand the operational capabilities of Azure services,https://docs.microsoft.com/azure/architecture/framework/cost/design-paas,Medium,Application Design,Application Composition,50,"Operational capabilities, such as auto-scale and auto-heal for App Services, can reduce management overheads, support operational effectiveness and reduce cost." 
-Cost Optimization,Utilize the PaaS pay-as-you-go consumption model where relevant,https://docs.microsoft.com/azure/architecture/framework/cost/design-price,Medium,Operational Procedures,Operational Lifecycles,50,"To bring down cost the goal should be to get as many applications to only consume resources when they are used, this goes as an evolution from IaaS to PaaS to serverless where you only pay when a service I triggered. The PaaS and serverless might appear more expensive, but risk and other operational work is transferred to the cloud provider which should also be factored in as part of the cost (e.g. patching, monitoring, licenses)." -Cost Optimization,Leverage the hybrid use benefit,https://azure.microsoft.com/en-us/pricing/hybrid-benefit/,Medium,Governance,Licensing,50,Understanding your current spending on licenses can help you drive down cost in the cloud. A-HUB allows you to reuse licenses that you purchased for on-premises in Azure and via this drive down the cost as the license is already paid. -Cost Optimization,Assign a budget and spend limit to the workload,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-alert,Medium,Governance,Financial Management & Cost Models,50,For cost management it is recommended to have a budget even for the smallest services operated as that allows to track and understand the flow of the spend and also understand the impact of a smaller service in a bigger picture. -Cost Optimization,Establish a cost owner for each service used by the workload,https://azure.microsoft.com/en-us/blog/how-to-optimize-your-azure-workload-costs-2/,Medium,Governance,Financial Management & Cost Models,50,Every service should have a cost owner that is tracking and is responsible for cost. This drives responsibility and awareness on who owns the cost tracking. 
-Cost Optimization,Use cost forecasting for budget alignment,https://docs.microsoft.com/azure/cost-management-billing/costs/quick-acm-cost-analysis?tabs=azure-portal,Medium,Governance,Financial Management & Cost Models,50,In order to predict costs and trends it's recommended to use forecasting to be proactive for any spending that might be going up due to higher demand than anticipated. -Cost Optimization,Define end-date for each environment,https://azure.microsoft.com/en-us/services/cost-management/,Medium,Operational Procedures,Operational Lifecycles,50,If your workload or environment isn't needed then you should be able to decommission it. The same should occur if you are introducing a new service or new feature. -Cost Optimization,Understand how the budget is defined,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-alert#revise-budgets,Medium,Governance,Culture & Dynamics,50,"It is important to have a clear understanding how an IT budget is defined. This is especially true for applications that are not built in-house, where IT budget has to be factored in as part of the delivery." -Cost Optimization,Review Azure Advisor recommendations periodically,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reports#advisor-recommendations,Medium,Capacity & Service Availability Planning,Service SKU,50,"Your underutilized resources need to be reviewed often in order to be identified and dealt with accordingly, in addition to ensuring that your actionable recommendations are up-to-date and fully optimized. For example, Azure Advisor monitors your virtual machine (VM) usage for 7 days and then identifies low-utilization VMs." 
-Cost Optimization,Consider selective backups for VMs,https://docs.microsoft.com/azure/backup/selective-disk-backup-restore,Medium,Application Design,Design,50,"Azure Backup supports the use of the Selective Disks backup and restore functionally which allows you to back up a subset of data disks in a VM, which is an efficient and cost-effective way to backup your application." -Cost Optimization,Set up alerts for cost limits and thresholds,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-alert#respond-to-alerts,Medium,Health Modeling & Monitoring,Alerting,50,"This is to ensure that if any budget is close to threshold, the cost owner gets notified to take appropriate actions on the change." -Cost Optimization,Define clear responsibilities for alerts,https://docs.microsoft.com/azure/architecture/framework/cost/design-model#organization-structure,Medium,Health Modeling & Monitoring,Alerting,50,Ensure the correct people responsible for the application is alerted when there is any problem with the resource. -Cost Optimization,Understand cost implications of availability strategy,https://docs.microsoft.com/azure/architecture/framework/cost/tradeoffs,Medium,Application Design,Design,50,"As you design the workload, consider tradeoffs between cost optimization and other aspects of the design, such as security, scalability, resilience, and operability. Ask questions such as if the cost of high availability components exceeds the cost of the application downtime to the business and design your application accordingly." -Cost Optimization,Understand the cost implications of Availability Zones,https://azure.microsoft.com/en-us/global-infrastructure/availability-zones/,Medium,Application Design,Design,50,"Availability Zones can be used to optimize application availability within a region by providing datacenter level fault tolerance. However, the application architecture must not share dependencies between zones to use them effectively. 
It is also important to note that Availability Zones may introduce performance and cost considerations for applications which are extremely 'chatty' across zones given the implied physical separation between each zone and inter-zone bandwidth charges. That also means that AZ can be considered to get higher Service Level Agreement (SLA) for lower cost. Be aware of pricing changes coming to Availability Zone bandwidth starting February 2021." -Cost Optimization,Choose appropriate region for workload deployments,https://docs.microsoft.com/azure/architecture/framework/cost/design-checklist#architecture,Medium,Application Design,Design,50,"Check your egress and ingress cost, within regions and across regions. Only deploy to multiple regions if your service levels require it for either availability or geo-distribution." -Cost Optimization,Have ongoing conversation between app owner and business,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reviews,Medium,Governance,Culture & Dynamics,50,"Is what's delivered from IT and what the business is expecting from IT, mapped to the cost of the application?" -Cost Optimization,Map application dependencies,https://docs.microsoft.com/azure/azure-monitor/app/app-map?tabs=net,Medium,Application Design,Dependencies,50,"Examples of typical dependencies include platform dependencies outside the remit of the application, such as Azure Active Directory, Express Route, or a central NVA (Network Virtual Appliance), as well as application dependencies such as APIs which may be in-house or externally owned by a third-party. For cost it's important to understand the price for these services and how they are being charged, this makes it easier to understanding an all-up cost. For more details see cost models." 
-Cost Optimization,The entire end-to-end CI/CD deployment process should be understood,https://azure.microsoft.com/en-us/pricing/details/devops/azure-devops-services/,Medium,Deployment & Testing,Application Code Deployments,50," " -Cost Optimization,Define critical system flows,https://docs.microsoft.com/azure/architecture/framework/resiliency/business-metrics#identify-critical-system-flows,Medium,Application Design,Key Scenarios,50,"Understanding critical system flows is vital to assessing overall operational effectiveness, and should be used to inform a health model for the application. It can also tell if areas of the application are over or under-utilized and should be adjusted to better meet business needs and cost goals." -Cost Optimization,Consider Platform as a service (PaaS) options,https://docs.microsoft.com/azure/architecture/framework/cost/provision-compute#use-paas-as-an-alternative-to-buying-vms,Medium,Application Design,Design,50,"Consider modernizing your application to use PaaS. When you use the IaaS model, you do have final control over the VMs. It may appear to be a cheaper option at first, but when you add operational and maintenance costs, the cost increases. When you use the PaaS model, these extra costs are included in the pricing. In some cases, this means that PaaS services can be a cheaper than managing VMs on your own. " -Cost Optimization,Associate cost to the criticality of the business,https://docs.microsoft.com/azure/architecture/framework/cost/design-governance#enforce-resource-tagging,Medium,Governance,Culture & Dynamics,50,Applications that are less critical to the business could use a smaller budget. -Cost Optimization,Explore where technical delivery capabilities reside,https://docs.microsoft.com/azure/architecture/framework/cost/design-model#organization-structure,Medium,Operational Model & DevOps,Roles & Responsibilities,50,Map the organization's needs to logical groupings offered by cloud services. 
This way the business leaders of the company get a clear view of the cloud services and how they're controlled. -Cost Optimization,Monitor utilization of compute resources,https://docs.microsoft.com/azure/azure-monitor/essentials/metrics-charts,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Use Azure monitor to analyze the usage of the resources. -Cost Optimization,Consider using reserved Premium disks,https://docs.microsoft.com/azure/virtual-machines/disks-reserved-capacity,Medium,Capacity & Service Availability Planning,Efficiency,50,"Azure Disk Storage reservations are available only for select Azure premium SSD SKUs. The SKU of a premium SSD determines the disk's size and performance. A disk reservation is made per disk SKU. As a result, the reservation consumption is based on the unit of the disk SKUs instead of the provided size. Make sure you track the usage in disk SKUs instead of provisioned or used disk capacity." -Cost Optimization,Consider using shared disks for suitable workloads,https://docs.microsoft.com/azure/virtual-machines/disks-shared,Medium,Capacity & Service Availability Planning,Efficiency,50,"Shared managed disks offer shared block storage that can be accessed from multiple VMs, these are exposed as logical unit numbers (LUNs). LUNs are then presented to an initiator (VM) from a target (disk). These LUNs look like direct-attached-storage (DAS) or a local drive to the VM." -Cost Optimization,Define a clear price model for individual services,https://docs.microsoft.com/azure/architecture/framework/cost/design-price,Medium,Capacity & Service Availability Planning,Efficiency,50,As part of driving a good behavior it's important that the consumer has understood why they are paying the price for a service and also that the cost is transparent and fair to the user of the service or else it can drive wrong behavior. 
-Cost Optimization,Consider using Service Endpoints and Private Link,https://docs.microsoft.com/azure/private-link/private-endpoint-overview,Medium,Security & Compliance,Network Security,50,"Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints from only authorized virtual networks, effectively mitigating data intrusion risks and associated impact to application availability. Service Endpoints provide service level access to a PaaS service, while Private Link provides direct access to a specific PaaS resource to mitigate data exfiltration risks (e.g. malicious admin scenarios)." -Cost Optimization,Consider B-series VMs,https://docs.microsoft.com/azure/virtual-machines/sizes-b-series-burstable,Medium,Capacity & Service Availability Planning,Efficiency,50,"The B-series provides you with the ability to purchase a VM size with baseline performance that can build up credits when it is using less than its baseline. These types of VMs are ideal for workloads that do not need the full performance of the CPU continuously, like web servers, proof of concepts, small databases and development build environments. " -Cost Optimization,Consider spot VMs,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-vm#spot-vms,Medium,Capacity & Service Availability Planning,Efficiency,50,"Spot VMs are ideal for workloads that can be interrupted, such as highly parallel batch processing jobs. These VMs take advantage of the surplus capacity in Azure at a lower cost. They're also well suited for experimental, development, and testing of large-scale solutions." -Cost Optimization,Pause AKS clusters,https://docs.microsoft.com/azure/aks/start-stop-cluster,Medium,Capacity & Service Availability Planning,Efficiency,50,"To optimize your costs when AKS workloads may not need to run continuously, you can completely turn off (stop) your cluster. 
This action will stop your control plane and agent nodes altogether, allowing you to save on all the compute costs, while maintaining all your objects and cluster state stored for when you start it again. " -Cost Optimization,Use App Service Premium (v3) plan where possible,https://docs.microsoft.com/azure/app-service/app-service-configure-premium-tier,Medium,Application Design,Application Composition,50,Opportunity to save costs with upgrade and apply reservations. -Cost Optimization,Consider additional DDoS protection,https://azure.microsoft.com/services/ddos-protection/,Medium,Networking & Connectivity,Endpoints,50," Azure DDoS Protection Standard, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network." -Cost Optimization,Prefer Microsoft backbone for networking,https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/,Medium,Networking & Connectivity,Connectivity,50,Are you closer to your users or on-prem? If users are closer to the cloud you should use MSFT (i.e. egress traffic). MPLS is when another service provider gives you the line. -Cost Optimization,Understand cost implications of hub and spoke design,https://docs.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture,Medium,Networking & Connectivity,Data flow,50,Consider using a hub and spoke approach to save costs by using a managed service and removing the necessity of network virtual appliance. -Cost Optimization,Use data lifecycle policy,https://docs.microsoft.com/azure/storage/blobs/storage-lifecycle-management-concepts,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,"Azure storage offers different access tiers, allowing you to store blob object data in the most cost-effective manner. 
Available access tiers include: Hot (Optimized for storing data that is accessed frequently), Cool (Optimized for storing data that is infrequently accessed and stored for at least 30 days), and Archive (Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements, on the order of hours)." -Cost Optimization,Use cost modeling to identify opportunities for cost reduction,https://docs.microsoft.com/azure/architecture/framework/cost/design-model,Medium,Governance,Financial Management & Cost Models,50,"Estimate and track costs, educate the employees about the cloud and various pricing models, have appropriate governance about expenditure." -Cost Optimization,Set up a disaster recovery strategy that splits the application components and data into defined groups,https://docs.microsoft.com/azure/backup/guidance-best-practices,Medium,Application Design,Design,50,"Exclude disk provides an efficient and cost-effective choice to selectively back up critical data. For example, back up only one disk when you don't want to back up the rest of the disks attached to a VM. This is also useful when you have multiple backup solutions. For example, when you back up your databases or data with a workload backup solution (SQL Server database in Azure VM backup) and you want to use Azure VM level backup for selected disks." -Cost Optimization,Be aware of cross-region data transfer costs,https://docs.microsoft.com/azure/architecture/framework/cost/provision-networking#peering,Medium,Networking & Connectivity,Data flow,50,Moving data between regions can add additional cost - both on the storage layer or networking layer. It's worth reviewing if this cost is can be replaced via re-architecture or justified due to e.g. disaster recovery (DR). 
-Cost Optimization,Use developer SKUs for dev/test purposes,https://azure.microsoft.com/en-us/pricing/dev-test/,Low,Deployment & Testing,Testing & Validation,10,"Special SKUs and subscription offers for development and testing purposes can save costs, but have to be used properly. Dev SKUs are not meant for production deployments." -Cost Optimization,Consider the ratio of non-production to production environments,https://docs.microsoft.com/azure/architecture/framework/cost/design-resources#subscription-and-offer-type,Low,Deployment & Testing,Build Environments,10,Consider using appropriate subscriptions types for Dev workloads and ensure production workloads are deployed in the correct subscription. -Cost Optimization,Consider multi-tenant or microservices scenarios when running multiple applications,https://azure.microsoft.com/en-us/solutions/microservice-applications/,Low,Capacity & Service Availability Planning,Efficiency,10,"When running multiple applications (typically in multi-tenant or microservices scenarios) density can be increased by deploying them on shared infrastructure and utilizing it more. For example: Containerization and moving to Kubernetes (Azure Kubernetes Services) enables pod-based deployment which can utilize underlying nodes efficiently. Similar approach can be taken with App Service Plans. To prevent the 'noisy neighbor' situation, proper monitoring must be in place and performance analysis must be done (if possible)." -Cost Optimization,Understand cloud-native features and implement where possible,https://azure.microsoft.com/en-us/overview/cloudnative/,Low,Application Design,Design,10,Understanding if the application is cloud-native or not provides a very useful high-level indication about potential technical debt for operability and cost efficiency. 
-Cost Optimization,Develop a plan to modernize the workload,https://docs.microsoft.com/dotnet/architecture/serverless/,Low,Application Design,Design,10,"Is there a plan to change the execution model to Serverless? To move as far as you can up the stack towards cloud-native. When the workload is serverless, it's charged only for actual use, whereas with traditional infrastructure there are many underlying things that need to be factored into the price. By applying an end date to the application it encourages you to discuss the goal of re-designing the application to make even better use of the cloud. It might be more expensive from an Azure cost point of view but factoring in other things like licenses, people, time to deploy can drive down cost." -Cost Optimization,Be aware of cost implications of Web Application Firewall,https://azure.microsoft.com/pricing/details/web-application-firewall/,Low,Networking & Connectivity,Endpoints,10,"There are cost implications to using Front Door with Web Application Firewall enabled, but it can save costs compared to using a 3rd party solution. Front Door has a good latency, because it uses unicast. If only 1 or 2 regions are required, Application Gateway can be used. There are cost implications of having a WAF - you should check pricing of hours and GB/s." -Cost Optimization,Consider VM Zone to Zone DR,https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery,Low,Application Design,Design,10,Site Recovery does not move or store customer data out of the region in which it is deployed when the customer is using Zone to Zone Disaster Recovery. Note that the egress charges that you would see in zone to zone disaster recovery would be lower than region to region disaster recovery. 
-Cost Optimization,Be aware of extra cost when tunnelling traffic through on-premises,https://docs.microsoft.com/azure/firewall/forced-tunneling,Low,Networking & Connectivity,Data flow,10,Consider the extra cost related to data ingress and egress if your application requires to use forced tunneling. -Cost Optimization,Consider shared platforms,https://docs.microsoft.com/azure/architecture/framework/cost/design-paas,Low,Application Design,Design,10," " -Operational Excellence,Use Managed Identities for authentication to other Azure platform services,https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview,High,Operational Procedures,Configuration & Secrets Management,70,Use Managed Identities for authentication to other Azure platform services -Operational Excellence,Implement just-in-time privileged access management,https://docs.microsoft.com/azure/architecture/framework/security/critical-impact-accounts#no-standing-access--just-in-time-privileges,High,Operational Model & DevOps,Roles & Responsibilities,70,Implement just-in-time privileged access management -Operational Excellence,Store keys and secrets outside of application code in Azure Key Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#secrets,High,Operational Procedures,Configuration & Secrets Management,70,Store keys and secrets outside of application code in Azure Key Vault -Operational Excellence,Test your failover and failback process,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#operational-readiness-testing,High,Operational Procedures,Recovery & Failover,70,Test your failover and failback process -Operational Excellence,Implement procedures for key/secret rotation,https://docs.microsoft.com/azure/key-vault/secrets/tutorial-rotation-dual,High,Operational Procedures,Configuration & Secrets Management,70,Implement procedures for key/secret rotation -Operational Excellence,Make sure 
that failed tests at least temporarily block deployments,https://docs.microsoft.com/azure/architecture/framework/devops/release-engineering-ci#failed-tests,High,Deployment & Testing,Testing & Validation,70,Make sure that failed tests at least temporarily block deployments -Operational Excellence,Monitor the expiry of SSL certificates,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#SSL,High,Operational Procedures,Configuration & Secrets Management,70,Monitor the expiry of SSL certificates -Operational Excellence,Implement automated deployment process with rollback/roll-forward capabilities,https://docs.microsoft.com/azure/architecture/framework/devops/release-engineering-rollback,Medium,Deployment & Testing,Application Code Deployments,60,Implement automated deployment process with rollback/roll-forward capabilities -Operational Excellence,Configure appropriate log levels for environments,https://docs.microsoft.com/aspnet/core/fundamentals/logging/?view=aspnetcore-5.0,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Configure appropriate log levels for environments -Operational Excellence,Implement strategies for resiliency and self-healing,https://docs.microsoft.com/azure/architecture/framework/resiliency/app-design,Medium,Application Design,Design,50,Implement strategies for resiliency and self-healing -Operational Excellence,Understand the impact of dependencies,https://docs.microsoft.com/azure/architecture/framework/resiliency/design-resiliency#understand-the-impact-of-dependencies,Medium,Application Design,Dependencies,50,Understand the impact of dependencies -Operational Excellence,"Define, monitor, and measure availability targets",https://docs.microsoft.com/azure/architecture/best-practices/monitoring#requirements-for-sla-monitoring,Medium,Application Design,Targets & Non-Functional Requirements,50,"Define, monitor, and measure availability targets" -Operational Excellence,Collect application level 
logs,https://docs.microsoft.com/azure/architecture/framework/devops/monitoring#application-monitoring,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Collect application level logs -Operational Excellence,Instrument your workload,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#instrumenting-an-application,Medium,Health Modeling & Monitoring,Monitoring and Measurement,50,Instrument your workload -Operational Excellence,Setup black-box monitoring to monitor the platform and customer experience,https://docs.microsoft.com/azure/architecture/framework/resiliency/monitor-model#white-box-and-black-box-monitoring,Medium,Health Modeling & Monitoring,Monitoring and Measurement,50,Setup black-box monitoring to monitor the platform and customer experience -Operational Excellence,Analyze health data for your workload,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#analyzing-health-data,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Analyze health data for your workload -Operational Excellence,Correlate application log events,https://docs.microsoft.com/azure/architecture/framework/devops/monitoring#event-correlation,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Correlate application log events -Operational Excellence,Codify the process to provision and de-provision capacity,https://docs.microsoft.com/azure/architecture/framework/scalability/capacity#automated-scale-operations,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Codify the process to provision and de-provision capacity -Operational Excellence,Use a log aggregation technology,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#collecting-and-storing-data,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,Use a log aggregation technology -Operational Excellence,Collect Azure activity logs in your aggregation 
tool,https://docs.microsoft.com/azure/azure-monitor/platform/activity-log,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,Collect Azure activity logs in your aggregation tool -Operational Excellence,Gather logs in a structured format,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#information-to-include-in-the-instrumentation-data,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Gather logs in a structured format -Operational Excellence,Correlate resource-level logs,https://docs.microsoft.com/azure/architecture/framework/devops/monitoring#event-correlation,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Correlate resource-level logs -Operational Excellence,Use the health model to classify failover situations,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#failover-classification,Medium,Operational Procedures,Recovery & Failover,50,Use the health model to classify failover situations -Operational Excellence,Document critical manual processes,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#manual-responses,Medium,Operational Procedures,Recovery & Failover,50,Document critical manual processes -Operational Excellence,Automate recovery procedures,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#recovery-automation,Medium,Operational Procedures,Recovery & Failover,50,Automate recovery procedures -Operational Excellence,Enforce resource level monitoring,https://docs.microsoft.com/azure/azure-monitor/deploy-scale,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,Enforce resource level monitoring -Operational Excellence,Create Azure Resource Health alerts,https://docs.microsoft.com/azure/service-health/resource-health-alert-monitor-guide,Medium,Health Modeling & Monitoring,Alerting,50,Create Azure Resource Health alerts 
-Operational Excellence,Enable Service Health alerts on your workload,https://docs.microsoft.com/azure/service-health/overview,Medium,Health Modeling & Monitoring,Alerting,50,Enable Service Health alerts on your workload -Operational Excellence,Integrate Alerting into an existing systems,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-integrations,Medium,Health Modeling & Monitoring,Alerting,50,Integrate Alerting into an existing systems -Operational Excellence,Send reliable alert notifications,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-response,Medium,Health Modeling & Monitoring,Alerting,50,Send reliable alert notifications -Operational Excellence,"Define standards, policies and best practices as code",https://docs.microsoft.com/azure/governance/policy/concepts/definition-structure,Medium,Governance,Standards,50,"Define standards, policies and best practices as code" -Operational Excellence,Prioritize operational events,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-prioritization,Medium,Health Modeling & Monitoring,Alerting,50,Prioritize operational events -Operational Excellence,Define a process for alert reaction,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-owners,Medium,Health Modeling & Monitoring,Alerting,50,Define a process for alert reaction -Operational Excellence,Use automated alerting solution,https://docs.microsoft.com/azure/architecture/framework/devops/alerts,Medium,Health Modeling & Monitoring,Alerting,50,Use automated alerting solution -Operational Excellence,Tailor dashboards to your needs,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-dashboarding,Medium,Health Modeling & Monitoring,Dashboarding,50,Tailor dashboards to your needs -Operational Excellence,Implement tools to visualize application 
health,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#visualization-by-using-dashboards,Medium,Health Modeling & Monitoring,Dashboarding,50,Implement tools to visualize application health -Operational Excellence,Analyze long-term trends to predict operational issues before they occur,https://docs.microsoft.com/azure/architecture/framework/scalability/monitor#data-interpretation--health-modeling,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Analyze long-term trends to predict operational issues before they occur -Operational Excellence,Implement a health model,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#health-monitoring,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Implement a health model -Operational Excellence,Correlate logs and metrics for critical internal dependencies,https://docs.microsoft.com/azure/architecture/framework/devops/monitoring#event-correlation,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Correlate logs and metrics for critical internal dependencies -Operational Excellence,Instrument the workload to monitor customer experience,https://docs.microsoft.com/azure/azure-monitor/app/web-monitor-performance,Medium,Health Modeling & Monitoring,Monitoring and Measurement,50,Instrument the workload to monitor customer experience -Operational Excellence,Make sure that operational shortcomings and failures are analyzed and used to improve and refine operational procedures,https://docs.microsoft.com/azure/architecture/framework/devops/principles#lifecycles,Medium,Operational Procedures,Operational Lifecycles,50,Make sure that operational shortcomings and failures are analyzed and used to improve and refine operational procedures -Operational Excellence,Define a hotfix process in case normal deployment procedures needs to be 
bypassed,https://docs.microsoft.com/azure/architecture/framework/devops/automation-infrastructure#hotfix-process,Medium,Deployment & Testing,Application Code Deployments,50,Define a hotfix process in case normal deployment procedures needs to be bypassed -Operational Excellence,Document all portions of the deployment that require manual intervention,https://docs.microsoft.com/azure/architecture/framework/devops/automation-infrastructure#manual-deployment,Medium,Deployment & Testing,Application Code Deployments,50,Document all portions of the deployment that require manual intervention -Operational Excellence,Reduce the need for manual operations,https://docs.microsoft.com/azure/architecture/framework/devops/deployment#automate-as-many-processes-as-possible,Medium,Deployment & Testing,Application Code Deployments,50,Reduce the need for manual operations -Operational Excellence,Deploy your workload in an active-passive configuration,https://docs.microsoft.com/azure/networking/disaster-recovery-dns-traffic-manager#manual-failover-using-azure-dns,Medium,Application Design,Design,50,Deploy your workload in an active-passive configuration -Operational Excellence,Use shared application and data services where appropriate,https://docs.microsoft.com/azure/cloud-adoption-framework/manage/considerations/platform#establish-a-service-catalog,Medium,Application Design,Application Composition,50,Use shared application and data services where appropriate -Operational Excellence,Use deployment strategies to deploy your workloads,https://docs.microsoft.com/azure/architecture/framework/devops/deployment#stage-your-workloads,Medium,Deployment & Testing,Application Code Deployments,50,Use deployment strategies to deploy your workloads -Operational Excellence,Make sure that configuration settings can be changed or modified without rebuilding or redeploying the 
application,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#config-change,Medium,Operational Procedures,Configuration & Secrets Management,50,Make sure that configuration settings can be changed or modified without rebuilding or redeploying the application -Operational Excellence,Use tools to govern services and configurations,https://docs.microsoft.com/azure/azure-monitor/deploy-scale,Medium,Governance,Standards,50,Use tools to govern services and configurations -Operational Excellence,Enable Key Vault Soft-Delete,https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview,Medium,Operational Procedures,Configuration & Secrets Management,50,Enable Key Vault Soft-Delete -Operational Excellence,Implement release gates,https://docs.microsoft.com/azure/architecture/framework/devops/deployment#implement-deployment-security-measures,Medium,Deployment & Testing,Build Environments,50,Implement release gates -Operational Excellence,"Define all infrastructure components as code ",https://docs.microsoft.com/azure/architecture/framework/devops/automation-infrastructure,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,"Define all infrastructure components as code " -Operational Excellence,Compare regional capacity requirements to availability,https://azure.microsoft.com/en-us/global-infrastructure/services/,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Compare regional capacity requirements to availability -Operational Excellence,Monitor critical external dependencies,https://docs.microsoft.com/azure/architecture/framework/devops/monitoring#monitor-external-dependencies,Medium,Health Modeling & Monitoring,Dependencies,50,Monitor critical external dependencies -Operational Excellence,Make sure that specific methodologies are used to structure the deployment and operations 
process,https://docs.microsoft.com/azure/architecture/framework/devops/principles#methodologies,Medium,Operational Model & DevOps,General,50,Make sure that specific methodologies are used to structure the deployment and operations process -Operational Excellence,Implement a process between dev and ops to resolve production issues,https://docs.microsoft.com/azure/architecture/framework/devops/principles#roles,Medium,Operational Model & DevOps,Roles & Responsibilities,50,Implement a process between dev and ops to resolve production issues -Operational Excellence,Perform business continuity drills,https://docs.microsoft.com/azure/architecture/framework/devops/testing#business-continuity-drills,Medium,Deployment & Testing,Testing & Validation,50,Perform business continuity drills -Operational Excellence,Test and validate manual operation runbooks,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#automated-recovery-testing,Medium,Operational Procedures,Recovery & Failover,50,Test and validate manual operation runbooks -Operational Excellence,Consider storing application configuration in a dedicated management system like Azure App Configuration or Azure Key Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#key-points,Medium,Operational Procedures,Configuration & Secrets Management,50,Consider storing application configuration in a dedicated management system like Azure App Configuration or Azure Key Vault -Operational Excellence,Understand the impact of changes in application health and capacity,https://docs.microsoft.com/azure/architecture/framework/scalability/capacity#application-health-and-capacity,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Understand the impact of changes in application health and capacity -Operational Excellence,Perform smoke 
tests,https://docs.microsoft.com/azure/architecture/framework/devops/testing#smoke-testing,Medium,Deployment & Testing,Testing & Validation,50,Perform smoke tests -Operational Excellence,Track and address configuration drift,https://docs.microsoft.com/azure/architecture/framework/devops/automation-configuration#configuration-management,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,Track and address configuration drift -Operational Excellence,Perform security and penetration testing regularly,https://docs.microsoft.com/azure/architecture/framework/security/monitor-test#penetration-testing-pentesting,Medium,Deployment & Testing,Testing & Validation,50,Perform security and penetration testing regularly -Operational Excellence,Make sure that critical test environments have 1:1 parity with productions,https://docs.microsoft.com/azure/architecture/framework/devops/release-engineering-cd#test-environments,Medium,Deployment & Testing,Build Environments,50,Make sure that critical test environments have 1:1 parity with productions -Operational Excellence,Automate infrastructure deployment process,https://docs.microsoft.com/azure/architecture/framework/devops/automation-configuration,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,Automate infrastructure deployment process -Operational Excellence,"Test for performance, scalability, and resiliency",https://docs.microsoft.com/azure/architecture/framework/devops/release-engineering-ci#continuous-integration,Medium,Deployment & Testing,Testing & Validation,50,"Test for performance, scalability, and resiliency" -Operational Excellence,Perform some tests in production,https://docs.microsoft.com/azure/devops/learn/devops-at-microsoft/shift-right-test-production,Medium,Deployment & Testing,Testing & Validation,50,Perform some tests in production -Operational Excellence,Perform integration 
testing,https://docs.microsoft.com/azure/architecture/framework/devops/testing#integration-testing,Medium,Deployment & Testing,Testing & Validation,50,Perform integration testing -Operational Excellence,Use a systematic approach in your development and release process,https://azure.microsoft.com/en-us/overview/what-is-devops/,Medium,Deployment & Testing,Application Code Deployments,50,Use a systematic approach in your development and release process -Operational Excellence,Make sure that all tests are automated and carried out periodically,https://docs.microsoft.com/azure/architecture/framework/devops/release-engineering-testing#automated-testing,Medium,Deployment & Testing,Testing & Validation,50,Make sure that all tests are automated and carried out periodically -Operational Excellence,Deploy all infrastructure through an infrastructure-as-code process,https://docs.microsoft.com/azure/architecture/framework/devops/automation-infrastructure#why-deploy-infrastructure-with-code,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,Deploy all infrastructure through an infrastructure-as-code process -Operational Excellence,Use Azure Resource Tags to enrich resources with operational meta-data,https://docs.microsoft.com/azure/architecture/framework/devops/principles#metadata,Low,Governance,Standards,30,Use Azure Resource Tags to enrich resources with operational meta-data -Operational Excellence,Use Platform as a Service offerings where appropriate,https://docs.microsoft.com/azure/architecture/guide/design-principles/managed-services,Low,Application Design,Design,30,Use Platform as a Service offerings where appropriate -Operational Excellence,Use feature flags,https://docs.microsoft.com/azure/devops/migrate/phase-features-with-feature-flags,Low,Deployment & Testing,Build Environments,30,Use feature flags -Operational Excellence,Take advantage of multiple subscriptions where 
appropriate,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions#azure-management-groups,Low,Application Design,Design,30,Take advantage of multiple subscriptions where appropriate -Operational Excellence,Identify if there are components with more relaxed performance requirements,https://docs.microsoft.com/azure/architecture/framework/resiliency/business-metrics#identify-less-critical-components,Low,Application Design,Key Scenarios,20,Identify if there are components with more relaxed performance requirements -Operational Excellence,Monitor for new features and updates that can improve your workload,https://azure.microsoft.com/updates/,Low,Application Design,Application Composition,20,Monitor for new features and updates that can improve your workload -Performance Efficiency,Upgrade your Storage Client Library to the latest version for better reliability and performance for 2 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -Performance Efficiency,Determine and document what acceptable performance is,https://docs.microsoft.com/azure/architecture/framework/scalability/performance-efficiency,High,Application Design,Targets & Non-Functional Requirements,70,Determine and document what acceptable performance is -Performance Efficiency,The health model can determine if a fault is transient,https://docs.microsoft.com/azure/architecture/best-practices/transient-faults,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,59,The health model can determine if a fault is transient -Performance Efficiency,Use microservices when possible,https://docs.microsoft.com/azure/architecture/framework/Scalability/app-design#microservices,Medium,Application Design,Design,50,Use microservices when possible -Performance Efficiency,Identify sensible non-functional requirements,https://docs.microsoft.com/azure/architecture/performance/#general-best-practices,Medium,Application Design,Targets & 
Non-Functional Requirements,50,Identify sensible non-functional requirements -Performance Efficiency,Monitor how long it takes to scale against your targets,https://docs.microsoft.com,Medium,Application Performance Management,Elasticity,50,Monitor how long it takes to scale against your targets -Performance Efficiency,Leverage autoscaling to scale in and out as load varies,https://docs.microsoft.com/azure/architecture/best-practices/auto-scaling,Medium,Application Performance Management,Elasticity,50,Leverage autoscaling to scale in and out as load varies -Performance Efficiency,Choose metrics appropriately for your scaling policies,https://docs.microsoft.com/azure/architecture/framework/Scalability/capacity#choosing-metrics-for-scaling-policies,Medium,Application Performance Management,Elasticity,50,Choose metrics appropriately for your scaling policies -Performance Efficiency,Preemptively scale based on trends,https://docs.microsoft.com/azure/architecture/framework/Scalability/capacity#preemptively-scaling-based-on-trends,Medium,Application Performance Management,Elasticity,50,Preemptively scale based on trends -Performance Efficiency,Know how long it takes to respond to scaling events,https://docs.microsoft.com/azure/architecture/framework/Scalability/load-testing#responding-quickly-to-additional-load,Medium,Application Performance Management,Elasticity,50,Know how long it takes to respond to scaling events -Performance Efficiency,Build a capacity model for your workload,https://docs.microsoft.com/azure/architecture/framework/scalability/design-capacity,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Build a capacity model for your workload -Performance Efficiency,Choose the right database to match usage,https://docs.microsoft.com/azure/architecture/framework/Scalability/app-design#choosing-the-right-database,Medium,Application Design,Design,50,Choose the right database to match usage -Performance Efficiency,Optimize your database 
queries,https://docs.microsoft.com/azure/architecture/performance/backend-services#step-4-optimize-the-query,Medium,Performance Testing,Benchmarking,50,Optimize your database queries -Performance Efficiency,Optimize your resource choices,https://docs.microsoft.com/azure/architecture/framework/Scalability/capacity#choosing-the-right-resources,Medium,Capacity & Service Availability Planning,Service SKU,50,Optimize your resource choices -Performance Efficiency,Offload SSL traffic by using the gateway offloading pattern,https://docs.microsoft.com/azure/architecture/patterns/gateway-offloading,Medium,Networking & Connectivity,Endpoints,50,Offload SSL traffic by using the gateway offloading pattern -Performance Efficiency,Understand your performance bottlenecks around latency and throughput,https://docs.microsoft.com/azure/architecture/framework/Scalability/performance#performance-bottlenecks,Medium,Application Performance Management,Data Latency and Throughput,50,Understand your performance bottlenecks around latency and throughput -Performance Efficiency,Test and validate your defined latency and throughput targets,https://docs.microsoft.com/azure/networking/azure-network-latency,Medium,Application Performance Management,Data Latency and Throughput,50,Test and validate your defined latency and throughput targets -Performance Efficiency,Consider using proximity placement groups for components that are very sensitive to network latency,https://docs.microsoft.com/azure/virtual-machines/windows/co-location#proximity-placement-groups,Medium,Application Performance Management,Data Latency and Throughput,50,Consider using proximity placement groups for components that are very sensitive to network latency -Performance Efficiency,Acquire dedicated networking resources as required,https://docs.microsoft.com/azure/expressroute/expressroute-introduction,Medium,Application Performance Management,Network Throughput and Latency,50,Acquire dedicated networking resources as required 
-Performance Efficiency,Design for eventual consistency,https://docs.microsoft.com/azure/cosmos-db/consistency-levels,Medium,Data Platform Availability,Consistency,50,Design for eventual consistency -Performance Efficiency,Evaluate service limits and quotas to ensure they can support future growth,https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Evaluate service limits and quotas to ensure they can support future growth -Performance Efficiency,Learn how to use network capturing tools,https://docs.microsoft.com/azure/virtual-network/virtual-network-tap-overview#virtual-network-tap-partner-solutions,Medium,Performance Testing,Troubleshooting,50,Learn how to use network capturing tools -Performance Efficiency,"Plan your growth, then choose regions that will support those plans",https://azure.microsoft.com/global-infrastructure/services/,Medium,Application Design,Design,50,"Plan your growth, then choose regions that will support those plans" -Performance Efficiency,Deploy to paired regions,https://docs.microsoft.com/azure/best-practices-availability-paired-regions,Medium,Application Design,Design,50,Deploy to paired regions -Performance Efficiency,Track how your resources scale,https://docs.microsoft.com/azure/architecture/framework/Scalability/monitoring#how-do-azure-service-auto-scale,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Track how your resources scale -Performance Efficiency,Use appropriate performance testing tools,https://docs.microsoft.com/azure/architecture/framework/scalability/performance-test,Medium,Performance Testing,Tools & Planning,50,Use appropriate performance testing tools -Performance Efficiency,Define a testing strategy,https://docs.microsoft.com/azure/architecture/framework/scalability/test-checklist#performance-testing,Medium,Deployment & Testing,Testing & Validation,50,Define a 
testing strategy -Performance Efficiency,Identify baseline performance targets and goals,https://docs.microsoft.com/azure/architecture/framework/scalability/test-tools#identify-baselines-and-goals-for-performance,Medium,Application Design,Targets & Non-Functional Requirements,50,Identify baseline performance targets and goals -Performance Efficiency,Aggregate application and resource logs,https://docs.microsoft.com/azure/azure-monitor/logs/cross-workspace-query,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Aggregate application and resource logs -Performance Efficiency,Use critical system flows in the health model,https://docs.microsoft.com/azure/architecture/framework/resiliency/monitor-model#application-logs,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Use critical system flows in the health model -Performance Efficiency,Configure retention times for logs and metrics,https://docs.microsoft.com/azure/architecture/framework/scalability/monitor#data-interpretation--health-modeling,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Configure retention times for logs and metrics -Performance Efficiency,Analyze long-term trends to predict performance issues,https://docs.microsoft.com/azure/architecture/framework/scalability/monitor#data-interpretation--health-modeling,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Analyze long-term trends to predict performance issues -Performance Efficiency,Identify human and environmental resources needed to create performance tests,https://docs.microsoft.com/azure/architecture/framework/scalability/tradeoffs#performance-efficiency-vs-operational-excellence,Medium,Performance Testing,Tools & Planning,50,Identify human and environmental resources needed to create performance tests -Performance Efficiency,Plan for the growth of your data over 
time,https://docs.microsoft.com/azure/architecture/framework/scalability/design-scale#plan-for-growth,Medium,Application Performance Management,Data Size/Growth,50,Plan for the growth of your data over time -Performance Efficiency,Monitor the components required to serve a single request,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#instrumenting-an-application,Medium,Performance Testing,Load Capacity,50,Monitor the components required to serve a single request -Performance Efficiency,Monitor capacity utilization to forecast future growth,https://docs.microsoft.com/azure/architecture/framework/scalability/design-capacity#use-metrics-to-fine-tune-scaling,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Monitor capacity utilization to forecast future growth -Performance Efficiency,Determine appropriate metrics for your workload,https://docs.microsoft.com/azure/architecture/framework/scalability/monitor#metered-metrics-monitoring,Medium,Performance Testing,Load Capacity,50,Determine appropriate metrics for your workload -Performance Efficiency,Collect application logs from all environments with a tool like Azure Application Insights,https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Collect application logs from all environments with a tool like Azure Application Insights -Performance Efficiency,Capture logs in a structured format,https://docs.microsoft.com/azure/architecture/example-scenario/logging/unified-logging,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Capture logs in a structured format -Performance Efficiency,Correlate events across all tiers of your workload,https://docs.microsoft.com/azure/architecture/framework/scalability/monitor#application-level-monitoring,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Correlate events across all tiers of your workload -Performance 
Efficiency,Develop a troubleshooting guide for database performance problems,https://docs.microsoft.com/azure/azure-sql/database/automatic-tuning-overview,Medium,Performance Testing,Troubleshooting,50,Develop a troubleshooting guide for database performance problems -Performance Efficiency,Develop a troubleshooting guide for high CPU or memory issues,https://docs.microsoft.com/troubleshoot/azure/virtual-machines/troubleshoot-high-cpu-issues-azure-windows-vm,Medium,Performance Testing,Troubleshooting,50,Develop a troubleshooting guide for high CPU or memory issues -Performance Efficiency,Determine how to isolate increased response times,https://docs.microsoft.com/azure/azure-monitor/app/distributed-tracing,Medium,Performance Testing,Troubleshooting,50,Determine how to isolate increased response times -Performance Efficiency,Have an overall monitoring strategy for scalability,https://docs.microsoft.com/azure/architecture/framework/Scalability/monitoring#,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Have an overall monitoring strategy for scalability -Performance Efficiency,Use application profiling tools,https://docs.microsoft.com/visualstudio/profiling/profiling-feature-tour?view=vs-2019,Medium,Performance Testing,Troubleshooting,50,Use application profiling tools -Performance Efficiency,Determine the acceptable operational margin between peak utilization and maximum load,https://docs.microsoft.com/azure/azure-monitor/vm/vminsights-performance,Medium,Performance Testing,Load Capacity,50,Determine the acceptable operational margin between peak utilization and maximum load -Performance Efficiency,Have a large scale event management strategy in place,https://docs.microsoft.com/azure/architecture/framework/Scalability/capacity#large-scale-event-management,Low,Capacity & Service Availability Planning,Scalability & Capacity Model,30,Have a large scale event management strategy in place -Performance Efficiency,Use a Content Delivery Networks 
(CDN),https://docs.microsoft.com/azure/architecture/framework/Scalability/capacity#content-delivery-networks-(cdn),Low,Networking & Connectivity,Endpoints,30,Use a Content Delivery Networks (CDN) -Performance Efficiency,Establish targets for database performance,https://docs.microsoft.com/sql/relational-databases/performance/display-an-actual-execution-plan,Low,Application Design,Targets & Non-Functional Requirements,30,Establish targets for database performance -Performance Efficiency,Implement database partitioning,https://docs.microsoft.com/azure/architecture/framework/scalability/optimize-partition#strategies-for-data-partitioning,Low,Application Design,Design,30,Implement database partitioning ------------,,,,, -,,,,, -Category,Question,Answers,Selected Answer,Note -WAF Configuration,What workload type do you want to evaluate?,Core Well-Architected Review,Core Well-Architected Review,, -WAF Configuration,What workload type do you want to evaluate?,Azure Machine Learning (Preview),,, -WAF Configuration,What workload type do you want to evaluate?,Data Services,,, -WAF Configuration,Which pillars do you want to evaluate?,Reliability,Reliability,, -WAF Configuration,Which pillars do you want to evaluate?,Security,Security,, -WAF Configuration,Which pillars do you want to evaluate?,Cost,Cost,, -WAF Configuration,Which pillars do you want to evaluate?,Operational Excellence,Operational Excellence,, -WAF Configuration,Which pillars do you want to evaluate?,Performance,Performance,, -Reliability,What reliability targets and metrics have you defined for your application?,Recovery targets to identify how long the workload can be unavailable (Recovery Time Objective) and how much data is acceptable to lose during a disaster (Recovery Point Objective).,,, -Reliability,What reliability targets and metrics have you defined for your application?,Availability targets such as Service Level Agreements (SLAs) and Service Level Objectives (SLOs).,,, -Reliability,What reliability 
targets and metrics have you defined for your application?,Availability metrics to measure and monitor availability such as Mean Time To Recover (MTTR) and Mean Time Between Failure (MTBF).,,, -Reliability,What reliability targets and metrics have you defined for your application?,Composite SLA for the workload derived using the Azure SLAs for all relevant resources.,,, -Reliability,What reliability targets and metrics have you defined for your application?,SLAs for all internal and external dependencies.,,, -Reliability,What reliability targets and metrics have you defined for your application?,Independent availability and recovery targets for critical application subsystems and scenarios.,,, -Reliability,What reliability targets and metrics have you defined for your application?,None of the above.,None of the above.,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Deployed the application across multiple regions.,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Removed all single points of failure by running multiple instances of application components.,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Deployed the application across Availability Zones within a region.,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Performed Failure Mode Analysis (FMA) to identify fault-points and fault-modes.,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Planned for component level faults to minimize application downtime.,Planned for component level faults to minimize application downtime.,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Planned for dependency failures to minimize application downtime.,Planned for dependency failures to minimize application downtime.,, -Reliability,How 
have you ensured that your application architecture is resilient to failures?,None of the above.,None of the above.,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,"Built a capacity model for the application ",,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Planned for expected usage patterns.,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Confirmed Azure service availability in required regions.,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Confirmed Availability Zones are available in required regions.,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Validated required capacity is within Azure service scale limits and quotas.,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Validated all APIs/SDKs against target run-times and languages for required functionality.,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Aligned with Azure roadmaps for required preview services and capabilities.,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,None of the above.,None of the above.,, -Reliability,How are you handling disaster recovery for this workload?,Application is available across multiple regions in an active-active configuration.,,, -Reliability,How are you handling disaster recovery for this workload?,Application is deployed across multiple regions in an active-passive configuration in alignment with recovery targets.,,, -Reliability,How are you handling disaster recovery for this workload?,Traffic is routable to the application in the case of a regional failure.,,, -Reliability,How are you handling disaster recovery for this 
workload?,Defined a backup strategy in alignment with recovery targets.,,, -Reliability,How are you handling disaster recovery for this workload?,Defined a disaster recovery strategy to capture recovery steps for failover and failback.,,, -Reliability,How are you handling disaster recovery for this workload?,Failover and failback steps and processes are automated.,,, -Reliability,How are you handling disaster recovery for this workload?,Successfully tested and validated the failover and failback approach at least once.,,, -Reliability,How are you handling disaster recovery for this workload?,Decomposed the application into distinct subsystems with independent disaster recovery strategies.,,, -Reliability,How are you handling disaster recovery for this workload?,Network connectivity redundancy for on premise data/application sources.,,, -Reliability,How are you handling disaster recovery for this workload?,None of the above.,None of the above.,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application processes are stateless.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Session state is non-sticky and externalized to a data store.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application configuration is treated as code and deployed with the application.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application platform services are running in a highly available configuration/SKU.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application platform components are deployed across Availability Zones or Availability Sets.,,, -Reliability,What decisions have been taken to ensure the application platform meets your 
reliability requirements?,Leveraged platform services are Availability Zone aware.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application platform components are deployed across multiple active regions.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Load balancing is implemented to distribute traffic across multiple nodes.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Health probes are implemented to check the health of application components and compound application health.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Queuing and reliable messaging patterns are used to integrate application tiers.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Client traffic can be routed to the application in the case of region/zone/network outages.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Procedures to scale out application platform components are automated.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,None of the above.,None of the above.,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data types are categorized by data consistency requirements.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data platform services are running in a highly available configuration/SKU.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data is replicated across multiple regions.,,, -Reliability,What 
decisions have been taken to ensure the data platform meets your reliability requirements?,Data is replicated across Availability Zones.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data is backed-up on zone/geo-redundant storage.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Active geo-replication is used for data platform components such as storage and databases.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Application traffic can be routed to data stores in the case of region/zone/network outages.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Read operations are segregated from update operations.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Load balancer health probes assess data platform components.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data restore processes have been defined to ensure consistent application state when data is corrupted or deleted.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data restore processes have been validated and tested to ensure consistent application state when data is corrupted or deleted.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,None of the above.,None of the above.,, -Reliability,How does your application logic handle exceptions and errors?,Have a method to handle faults that might take a variable amount of time to recover from.,,, -Reliability,How does your application logic handle exceptions and errors?,Request timeouts are configured to manage inter-component calls.,,, -Reliability,How does 
your application logic handle exceptions and errors?,"Retry logic is implemented to handle transient failures, with appropriate back-off strategies to avoid cascading failures.",,, -Reliability,How does your application logic handle exceptions and errors?,The application is instrumented with semantic logs and metrics.,,, -Reliability,How does your application logic handle exceptions and errors?,None of the above.,None of the above.,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,All single points of failure have been eliminated from application communication flows.,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,Health probes are configured for Azure Load Balancer(s) to assess application traffic flows and compound health.,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,Azure Load Balancer Standard or Zone redundant application gateways are used to load balance traffic across Availability Zones.,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,Redundant connections from different locations are used for cross-premises connectivity (ExpressRoute or VPN).,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,A failure path has been simulated for cross-premises connectivity.,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,Zone redundant gateways are used for cross-premises connectivity (ExpressRoute or VPN).,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,"Network traffic is monitored, and a response plan is in place to address network outages.",,, -Reliability,What 
decisions have been taken to ensure networking and connectivity meets your reliability requirements?,None of the above.,None of the above.,, -Reliability,What reliability allowances for scalability and performance have you made?,The application has dedicated cross-premises bandwidth.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Components with sensitive latency requirements are collocated.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Gateways (ExpressRoute or VPN) have been sized according to expected cross-premises network throughput.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Expected throughput passing through security/network appliances has been tested and autoscaling is configured based on throughput requirements.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Autoscaling is enabled for application components and integrated with Azure Monitor.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Autoscaling has been tested and the time to scale in/out has been measured.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Tested and validated defined latency and defined throughput targets per scenario and component.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Calculated target data sizes and associated growth rates per scenario and component.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Operational procedures are defined in case data sizes exceed limits.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Validated that long-running TCP connections are not required for the workload.,,, -Reliability,What reliability allowances for scalability and performance have you 
made?,Throttling is implemented to govern inbound application calls and inter-component calls.,,, -Reliability,What reliability allowances for scalability and performance have you made?,None of the above.,None of the above.,, -Reliability,What reliability allowances for security have you made?,The identity provider (AAD/ADFS/AD/Other) is highly available and aligns with application availability and recovery targets.,,, -Reliability,What reliability allowances for security have you made?,"All external application endpoints are secured? i.e. Firewall, WAF, DDoS Protection Standard Plan, etc.",,, -Reliability,What reliability allowances for security have you made?,Communication to Azure PaaS services secured using Virtual Network Service Endpoints or Private Link.,,, -Reliability,What reliability allowances for security have you made?,Keys and secrets are backed-up to geo-redundant storage.,,, -Reliability,What reliability allowances for security have you made?,The process for key rotation is automated and tested,,, -Reliability,What reliability allowances for security have you made?,Emergency access break glass accounts have been tested and secured for recovering from Identity provider failure scenarios.,,, -Reliability,What reliability allowances for security have you made?,None of the above.,None of the above.,, -Reliability,What reliability allowances for operations have you made?,Application can be automatically deployed to a new region without any manual operations to recover from disaster scenarios.,,, -Reliability,What reliability allowances for operations have you made?,Application deployments can be rolled-back and rolled-forward through automated deployment pipelines.,,, -Reliability,What reliability allowances for operations have you made?,The lifecycle of the application is decoupled from its dependencies.,,, -Reliability,What reliability allowances for operations have you made?,The time it takes to deploy an entire production environment is tested and 
validated.,,, -Reliability,What reliability allowances for operations have you made?,None of the above.,None of the above.,, -Reliability,How do you test the application to ensure it is fault tolerant?,The application is tested against critical Non-Functional requirements for performance.,,, -Reliability,How do you test the application to ensure it is fault tolerant?,Load Testing is conducted with expected peak volumes to test scalability and performance under load.,,, -Reliability,How do you test the application to ensure it is fault tolerant?,Chaos Testing is performed by injecting faults.,,, -Reliability,How do you test the application to ensure it is fault tolerant?,Tests are automated and carried out periodically or on-demand.,,, -Reliability,How do you test the application to ensure it is fault tolerant?,Critical test environments have 1:1 parity with the production environment.,,, -Reliability,How do you test the application to ensure it is fault tolerant?,None of the above.,None of the above.,, -Reliability,How do you monitor and measure application health?,The application is instrumented with semantic logs and metrics.,,, -Reliability,How do you monitor and measure application health?,Application logs are correlated across components.,,, -Reliability,How do you monitor and measure application health?,All components are monitored and correlated with application telemetry.,,, -Reliability,How do you monitor and measure application health?,"Key metrics, thresholds, and indicators are defined and captured.",,, -Reliability,How do you monitor and measure application health?,"A health model has been defined based on performance, availability, and recovery targets and is represented through monitoring dashboard and alerts.",,, -Reliability,How do you monitor and measure application health?,Azure Service Health events are used to alert on applicable Service level events.,,, -Reliability,How do you monitor and measure application health?,Azure Resource Health 
events are used to alert on resource health events.,,, -Reliability,How do you monitor and measure application health?,Monitor long-running workflows for failures.,,, -Reliability,How do you monitor and measure application health?,None of the above.,None of the above.,, -Security,Have you done a threat analysis of your workload?,"Threat modeling processes are adopted, identified threats are ranked based on organizational impact, mapped to mitigations and communicated to stakeholders.",,, -Security,Have you done a threat analysis of your workload?,"There's a process to track, triage and address security threats in the application development cycle.",,, -Security,Have you done a threat analysis of your workload?,Timelines and processess are established to deploy mitigations (security fixes) for identified threats.,,, -Security,Have you done a threat analysis of your workload?,Security requirements are defined for this workload.,,, -Security,Have you done a threat analysis of your workload?,Threat protection was addressed for this workload.,,, -Security,Have you done a threat analysis of your workload?,"Security posture was evaluated with standard benchmarks (CIS Control Framework, MITRE framework etc.).",,, -Security,Have you done a threat analysis of your workload?,"Business critical workloads, which may adversely affect operations if they are compromised or become unavailable, were identified and classified.",,, -Security,Have you done a threat analysis of your workload?,None of the above.,None of the above.,, -Security,What considerations for compliance and governance did you make in this workload?,Regulatory and governance requirements of this workload are known and well understood.,,, -Security,What considerations for compliance and governance did you make in this workload?,Landing Zone concept is implemented for this workload using Azure Blueprints and/or Azure Policies.,,, -Security,What considerations for compliance and governance did you make in this 
workload?,Azure Policies are used to enforce and control security and organizational standards.,,, -Security,What considerations for compliance and governance did you make in this workload?,Root management group is used and any changes that are applied using this group are carefully considered.,,, -Security,What considerations for compliance and governance did you make in this workload?,Compliance for this workload is systematically monitored and maintained. Regular compliance attestations are performed.,,, -Security,What considerations for compliance and governance did you make in this workload?,External or internal audits of this workload are performed periodically.,,, -Security,What considerations for compliance and governance did you make in this workload?,Security plan for this workload was developed and is maintained.,,, -Security,What considerations for compliance and governance did you make in this workload?,"Best practices and guidelines, based on industry recommendations, are reviewed and applied proactively.",,, -Security,What considerations for compliance and governance did you make in this workload?,Attacker vs. defender costs are considered when implementing defenses. 
Easy and cheap attack methods are always prevented.,,, -Security,What considerations for compliance and governance did you make in this workload?,Attacker access containment is considered when making investments into security solutions.,,, -Security,What considerations for compliance and governance did you make in this workload?,None of the above.,None of the above.,, -Security,What practices and tools have you implemented as part of the development cycle?,"A list of dependencies, frameworks and libraries used by this workload is maintained and updated regularly.",,, -Security,What practices and tools have you implemented as part of the development cycle?,Framework and library updates are included into the workload lifecycle.,,, -Security,What practices and tools have you implemented as part of the development cycle?,"Technologies and frameworks used in this workload are fully understood, including their vulnerabilities.",,, -Security,What practices and tools have you implemented as part of the development cycle?,"Security updates to VMs are applied in a timely manner, and strong passwords exist on those VMs for any local administrative accounts that may be in use.",,, -Security,What practices and tools have you implemented as part of the development cycle?,All cloud services used by this workload are identified and it is understood how to configure them securely.,,, -Security,What practices and tools have you implemented as part of the development cycle?,"Personally identifiable information (PII) is detected and removed/obfuscated automatically for this workload, including application logs.",,, -Security,What practices and tools have you implemented as part of the development cycle?,Azure Tags are used to enrich Azure resources with operational metadata.,,, -Security,What practices and tools have you implemented as part of the development cycle?,Elevated security capabilities such as dedicated Hardware Security Modules (HSMs) or the use of Confidential Computing 
was implemented or considered implementing?,,, -Security,What practices and tools have you implemented as part of the development cycle?,None of the above.,None of the above.,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Formal DevOps approach to building and maintaining software in this workload was adopted.,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,"DevOps security guidance based on industry lessons-learned, and available automation tools (OWASP guidance, Microsoft toolkit for Secure DevOps etc.) is leveraged.",,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Gates and approvals are configured in DevOps release process of this workload.,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Security team is involved in planning, design and the rest of DevOps process of this workload.",,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Deployments are automated and it's possible to deploy N+1 and N-1 version (where N is the current production).,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Code scanning tools are integrated as part of the continuous integration (CI) process for this workload and cover also 3rd party dependencies.,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Credentials, certificates and other secrets are managed in a secure manner inside of CI/CD pipelines.",,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Branch policies are used in source control management, main branch is protected and code reviews are required.",,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Security controls are 
applied to all self-hosted build agents used by this workload (if any).,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,CI/CD roles and permissions are clearly defined for this workload.,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,None of the above.,None of the above.,, -Security,Is the workload developed and configured in a secure way?,Cloud services are used for well-established functions instead of building custom service implementations.,,, -Security,Is the workload developed and configured in a secure way?,Detailed error messages and verbose information are hidden from the end user/client applications. Exceptions in code are handled gracefully and logged.,,, -Security,Is the workload developed and configured in a secure way?,Platform specific information (e.g. web server version) is removed from server-client communication channels.,,, -Security,Is the workload developed and configured in a secure way?,CDN (content delivery network) is used to separate the hosting platform and end-users/clients.,,, -Security,Is the workload developed and configured in a secure way?,"Application configuration is stored using a dedicated configuration management system (Azure App Configuration, Azure Key Vault etc.)",,, -Security,Is the workload developed and configured in a secure way?,"Access to data storage is identity-based, whenever possible.",,, -Security,Is the workload developed and configured in a secure way?,Authentication tokens are cached securely and encrypted when sharing across web servers.,,, -Security,Is the workload developed and configured in a secure way?,There are controls in place for this workload to detect and protect from data exfiltration.,,, -Security,Is the workload developed and configured in a secure way?,None of the above.,None of the above.,, -Security,How are you monitoring security-related events in this workload?,Tools like Azure Security 
Center are used to discover and remediate common risks within Azure tenants.,,, -Security,How are you monitoring security-related events in this workload?,A central SecOps team monitors security related telemetry data for this workload.,,, -Security,How are you monitoring security-related events in this workload?,The security team has read-only access into all cloud environment resources for this workload.,,, -Security,How are you monitoring security-related events in this workload?,"The security team has access to and monitor all subscriptions and tenants that are connected to the existing cloud environment, relative to this workload.",,, -Security,How are you monitoring security-related events in this workload?,Identity related risk events related to potentially compromised identities are actively monitored.,,, -Security,How are you monitoring security-related events in this workload?,"Communication, investigation and hunting activities are aligned with the workload team.",,, -Security,How are you monitoring security-related events in this workload?,Periodic & automated access reviews of the workload are conducted to ensure that only authorized people have access?,,, -Security,How are you monitoring security-related events in this workload?,Cloud application security broker (CASB) is leveraged in this workload.,,, -Security,How are you monitoring security-related events in this workload?,A designated point of contact was assigned for this workload to receive Azure incident notifications from Microsoft.,,, -Security,How are you monitoring security-related events in this workload?,None of the above.,None of the above.,, -Security,How is security validated and how do you handle incident response when breach happens?,"For containerized workloads, Azure Defender (Azure Security Center) or other third-party solution is used to scan for vulnerabilities.",,, -Security,How is security validated and how do you handle incident response when breach happens?,Penetration 
testing is performed in-house or a third-party entity performs penetration testing of this workload to validate the current security defenses.,,, -Security,How is security validated and how do you handle incident response when breach happens?,"Simulated attacks on users of this workload, such as phishing campaigns, are carried out regularly.",,, -Security,How is security validated and how do you handle incident response when breach happens?,Operational processes for incident response are defined and tested for this workload.,,, -Security,How is security validated and how do you handle incident response when breach happens?,"Playbooks are built to help incident responders quickly understand the workload and components, to mitigate an attack and do an investigation.",,, -Security,How is security validated and how do you handle incident response when breach happens?,There's a security operations center (SOC) that leverages a modern security approach.,,, -Security,How is security validated and how do you handle incident response when breach happens?,A security training program is developed and maintained to ensure security staff of this workload are well-informed and equipped with the appropriate skills.,,, -Security,How is security validated and how do you handle incident response when breach happens?,None of the above.,None of the above.,, -Security,How is connectivity secured for this workload?,"Services used by this workload, which should not be accessible from public IP addresses, are protected with network restrictions / IP firewall rules.",,, -Security,How is connectivity secured for this workload?,Service Endpoints or Private Links are used for accessing Azure PaaS services.,,, -Security,How is connectivity secured for this workload?,Azure Firewall or any 3rd party next generation firewall is used for this workload to control outgoing traffic of Azure PaaS services (data exfiltration protection) where Private Link is not available.,,, -Security,How is 
connectivity secured for this workload?,Network security groups (NSG) are used to isolate and protect traffic within the workloads VNet.,,, -Security,How is connectivity secured for this workload?,NSG flow logs are configured to get insights about incoming and outgoing traffic of this workload.,,, -Security,How is connectivity secured for this workload?,"Access to the workload backend infrastructure (APIs, databases, etc.) is restricted to only a minimal set of public IP addresses - only those who really need it.",,, -Security,How is connectivity secured for this workload?,Identified groups of resources are isolated from other parts of the organization to aid in detecting and containing adversary movement within the enterprise.,,, -Security,How is connectivity secured for this workload?,"All public endpoints of this workload are protected/secured with appropriate solution (i.e. Azure Front Door, Azure Firewall...).",,, -Security,How is connectivity secured for this workload?,"Publishing methods for this workload (e.g FTP, Web Deploy) are protected.",,, -Security,How is connectivity secured for this workload?,Code is published to this workload using CI/CD process instead of manually.,,, -Security,How is connectivity secured for this workload?,"Workload virtual machines running on premises or in the cloud don't have direct internet connectivity for users that may perform interactive logins, or by applications running on virtual machines.",,, -Security,How is connectivity secured for this workload?,There's a capability and plans in place to mitigate DDoS attacks for this workload.,,, -Security,How is connectivity secured for this workload?,None of the above.,None of the above.,, -Security,How have you secured the network of your workload?,"There's a designated group within the organization, which is responsible for centralized network management security of this workload.",,, -Security,How have you secured the network of your workload?,"There are controls in place to 
ensure that security extends past the network boundaries of the workload in order to effectively prevent, detect, and respond to threats.",,, -Security,How have you secured the network of your workload?,Enhanced network visibility is enabled by integrating network logs into a Security information and event management (SIEM) solution or similar technology.,,, -Security,How have you secured the network of your workload?,Cloud virtual networks are designed for growth based on an intentional subnet security strategy.,,, -Security,How have you secured the network of your workload?,"This workload has a security containment strategy that blends existing on-premises security controls and practices with native security controls available in Azure, and uses a zero-trust approach.",,, -Security,How have you secured the network of your workload?,Legacy network security controls for data loss prevention were deprecated.,,, -Security,How have you secured the network of your workload?,"Traffic between subnets, Azure components and tiers of the workload is managed and protected.",,, -Security,How have you secured the network of your workload?,None of the above.,None of the above.,, -Security,How are you managing encryption for this workload?,The workload uses industry standard encryption algorithms instead of creating own.,,, -Security,How are you managing encryption for this workload?,The workload communicates over encrypted (TLS / HTTPS) network channels only.,,, -Security,How are you managing encryption for this workload?,TLS 1.2 or 1.3 is used by default across this workload.,,, -Security,How are you managing encryption for this workload?,Secure modern hashing algorithms (SHA-2 family) are used.,,, -Security,How are you managing encryption for this workload?,Data at rest is protected with encryption.,,, -Security,How are you managing encryption for this workload?,Data in transit is encrypted.,,, -Security,How are you managing encryption for this workload?,Virtual disk files 
for virtual machines which are associated with this workload are encrypted.,,, -Security,How are you managing encryption for this workload?,None of the above.,None of the above.,, -Security,"Are keys, secrets and certificates managed in a secure way?",There's a clear guidance or requirement on what type of keys (PMK - Platform Managed Keys vs. CMK - Customer Managed Keys) should be used for this workload.,,, -Security,"Are keys, secrets and certificates managed in a secure way?","Passwords and secrets are managed outside of application artifacts, using tools like Azure Key Vault.",,, -Security,"Are keys, secrets and certificates managed in a secure way?",Access model for keys and secrets is defined for this workload.,,, -Security,"Are keys, secrets and certificates managed in a secure way?",A clear responsibility / role concept for managing keys and secrets is defined for this workload.,,, -Security,"Are keys, secrets and certificates managed in a secure way?",Secret/key rotation procedures are in place.,,, -Security,"Are keys, secrets and certificates managed in a secure way?",Expiry dates of SSL/TLS certificates are monitored and there are renewal processes in place.,,, -Security,"Are keys, secrets and certificates managed in a secure way?",None of the above.,None of the above.,, -Security,What security controls do you have in place for access to Azure infrastructure?,There are tools and processes in place to grant just-in-time access.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,No user accounts have long-standing write access to production environments.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,Appropriate emergency access accounts are configured for this workload in case of an emergency.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,Lines of responsibility and designated responsible parties were clearly defined for 
specific functions in Azure.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,The application team has a clear view on responsibilities and individual/group access levels for this workload.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,Workload infrastructure is protected with role-based access control (RBAC).,,, -Security,What security controls do you have in place for access to Azure infrastructure?,Resource locks are leveraged to protect critical infrastructure of this workload.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,"Direct access to the infrastructure through Azure Portal, command-line Interface (CLI) or REST API is limited and CI/CD is preferred.",,, -Security,What security controls do you have in place for access to Azure infrastructure?,Permissions to Azure workloads are rarely based on individual resources and custom permissions are rarely used.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,There are processes and tools being used to manage privileged activities. 
Long standing administrative access is avoided whenever possible.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,There is a lifecycle management policy for critical accounts in this workload and privileged accounts are reviewed regularly.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,None of the above.,None of the above.,, -Security,How are you managing identity for this workload?,When communicating with Azure platform services managed identities are preferred over API keys and connection strings.,,, -Security,How are you managing identity for this workload?,All APIs in this workload require clients to authenticate.,,, -Security,How are you managing identity for this workload?,"Modern authentication protocols (OAuth 2.0, OpenID) are used by this workload.",,, -Security,How are you managing identity for this workload?,"Azure Active Directory or other managed identity provider (Microsoft Account, Azure B2C etc.) is used for user authentication.",,, -Security,How are you managing identity for this workload?,Authentication via identity services is prioritized for this workload vs. 
cryptographic keys.,,, -Security,How are you managing identity for this workload?,Conditional access policies are implemented for users of this workload.,,, -Security,How are you managing identity for this workload?,Password-less or multi-factor authentication (MFA) is enforced for users of this workload.,,, -Security,How are you managing identity for this workload?,Current on-premises Active Directory is synchronized with Azure AD or other cloud identity system.,,, -Security,How are you managing identity for this workload?,None of the above.,None of the above.,, -Cost Optimization,How are you modeling cloud costs of this workload?,Cloud costs are being modelled for this workload.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,The price model of the workload is clear.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Critical system flows through the application have been defined for all key business scenarios.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,There is a well-understood capacity model for the workload.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Internal and external dependencies are identified and cost implications understood.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Cost implications of each Azure service used by the application are understood.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,The right operational capabilities are used for Azure services.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Special discounts given to services or licenses are factored in when calculating new cost models for services being moved to the cloud.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Azure Hybrid Use Benefit is used to drive down cost in the cloud.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,None of the above.,None 
of the above.,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Budgets are assigned to all services in this workload.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is a cost owner for every service used by this workload.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Cost forecasting is done to ensure it aligns with the budget.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is a monthly or yearly meeting where the budget is reviewed.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Every environment has a target end-date.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Every environment has a plan for migrating to PaaS or serverless to lower the all up cost and transfer risk.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is a clear understanding of how budget is defined.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Budget is factored into the building phase.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is an ongoing conversation between the app owner and the business.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is a plan to modernize the workload.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Azure Tags are used to enrich Azure resources with operational metadata.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,The application has a well-defined naming standard for Azure resources.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Role Based Access Control 
(RBAC) is used to control access to operational and financial dashboards and underlying data.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,None of the above.,None of the above.,, -Cost Optimization,How are you monitoring costs of this workload?,Alerts are set for cost thresholds and limits.,,, -Cost Optimization,How are you monitoring costs of this workload?,Specific owners and processes are defined for each alert type.,,, -Cost Optimization,How are you monitoring costs of this workload?,Application Performance Management (APM) tools and log aggregation technologies are used to collect logs and metrics from Azure resources.,,, -Cost Optimization,How are you monitoring costs of this workload?,Cost Management Tools (such as Azure Cost Management) are being used to track spending in this workload.,,, -Cost Optimization,How are you monitoring costs of this workload?,None of the above.,None of the above.,, -Cost Optimization,How do you optimize the design of this workload?,The application was built natively for the cloud.,,, -Cost Optimization,How do you optimize the design of this workload?,There is an availability strategy defined and cost implications of it are understood.,,, -Cost Optimization,How do you optimize the design of this workload?,This workload benefits from higher density.,,, -Cost Optimization,How do you optimize the design of this workload?,Data is being transferred between regions.,,, -Cost Optimization,How do you optimize the design of this workload?,Multi-region deployment is supported and cost implications understood.,,, -Cost Optimization,How do you optimize the design of this workload?,The workload is designed to use Availability Zones within a region.,,, -Cost Optimization,How do you optimize the design of this workload?,None of the above.,None of the above.,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Performance requirements are well-defined.,,, -Cost 
Optimization,How do you ensure that cloud services are appropriately provisioned?,Targets for the time it takes to perform scale operations are defined and monitored.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,The workload is designed to scale independently.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,The application has been designed to scale both in and out.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Application components and data are split into groups as part of your disaster recovery strategy.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Tools (such as Azure Advisor) are being used to optimise SKUs discovered in this workload.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Resources are reviewed weekly or bi-weekly for optimization.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Cost-effective regions are considered as part of the deployment selection.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Dev/Test offerings are used correctly.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Shared hosting platforms are used correctly.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,None of the above.,None of the above.,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,There is an automated process to deploy application releases to production.,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,There is a difference in configuration for production and non-production environments.,,, -Cost Optimization,What considerations for DevOps practices are you making in this 
workload?,Test-environments are deployed automatically and deleted after use.,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,There is awareness around how the application has been built and is being maintained (in house or via an external partner).,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,There is awareness regarding the ratio of cost of production and non-production environments for this workload.,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,None of the above.,None of the above.,, -Cost Optimization,How do you manage compute costs for this workload?,Appropriate SKUs are used for workload servers.,,, -Cost Optimization,How do you manage compute costs for this workload?,Appropriate operating systems are used in the workload.,,, -Cost Optimization,How do you manage compute costs for this workload?,A recent review of SKUs that could benefit from Reserved Instances for 1 or 3 years or more has been performed.,,, -Cost Optimization,How do you manage compute costs for this workload?,Burstable (B) series VM sizes are used for VMs that are idle most of the time and have high usage only in certain periods.,,, -Cost Optimization,How do you manage compute costs for this workload?,VM instances which are not used are shut down.,,, -Cost Optimization,How do you manage compute costs for this workload?,Spot virtual machines are used.,,, -Cost Optimization,How do you manage compute costs for this workload?,PaaS is used as an alternative to buying virtual machines.,,, -Cost Optimization,How do you manage compute costs for this workload?,Costs are optimized by using the App Service Premium (v3) plan over the Premium (Pv2) plan.,,, -Cost Optimization,How do you manage compute costs for this workload?,Zone to Zone disaster recovery is used for virtual machines.,,, -Cost Optimization,How do you manage compute costs for this 
workload?,The Start/Stop feature in Azure Kubernetes Services (AKS) is used.,,, -Cost Optimization,How do you manage compute costs for this workload?,None of the above.,None of the above.,, -Cost Optimization,How do you manage networking costs for this workload?,Service Endpoints or Private Link are used for accessing Azure PaaS services.,,, -Cost Optimization,How do you manage networking costs for this workload?,Hub and spoke design pricing is understood.,,, -Cost Optimization,How do you manage networking costs for this workload?,Microsoft backbone network is preferred.,,, -Cost Optimization,How do you manage networking costs for this workload?,DDoS attack mitigation plans and capabilities are in place.,,, -Cost Optimization,How do you manage networking costs for this workload?,"Azure Front Door, Azure App Gateway or Web Application Firewall is used.",,, -Cost Optimization,How do you manage networking costs for this workload?,The workload is connected between regions (using network peering or gateways).,,, -Cost Optimization,How do you manage networking costs for this workload?,Azure resources are connecting to the internet via on-premises.,,, -Cost Optimization,How do you manage networking costs for this workload?,Public IPs and orphaned NICs are regularly cleaned up.,,, -Cost Optimization,How do you manage networking costs for this workload?,None of the above.,None of the above.,, -Cost Optimization,How do you manage storage and data costs for this workload?,Reserved capacity is used for data in block blob storage.,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Data is organized into access tiers.,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Life-cycle policy is used to move data between access tiers.,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Shared disks are leveraged for suitable workloads.,,, -Cost Optimization,How do you manage storage and data 
costs for this workload?,Reserved premium disks (P30 & above) are used.,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Bursting for P20 and below disks is utilized for suitable workloads.,,, -Cost Optimization,How do you manage storage and data costs for this workload?,"For database workloads, data and log files are stored on separate disks.",,, -Cost Optimization,How do you manage storage and data costs for this workload?,"Unused storage resources (e.g. unattached disks, old snapshots) are periodically cleaned up.",,, -Cost Optimization,How do you manage storage and data costs for this workload?,Selective disk backup and restore for Azure VMs is used.,,, -Cost Optimization,How do you manage storage and data costs for this workload?,None of the above.,None of the above.,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,Development and operations processes are connected to a Service Management framework like ISO or ITIL,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,There is no separation between development and operations teams.,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,You have identified all broader teams responsible for operational aspects of the application and have established remediation plans with them for any issues that occur.,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,Features and development tasks for the application are prioritized and executed on in a consistent fashion.,,, -Operational Excellence,Have you identified and planned out the roles and 
responsibilities to ensure your workload follows operational excellence best practices?,You understand how the choices and desired configuration of Azure services are managed.,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,None of the above.,None of the above.,, -Operational Excellence,What design considerations for operations have you made?,You have documented any components that are on-premises or in another cloud.,,, -Operational Excellence,What design considerations for operations have you made?,Deployed the application across multiple regions.,,, -Operational Excellence,What design considerations for operations have you made?,Application is deployed across multiple regions in an active-passive configuration in alignment with recovery targets.,,, -Operational Excellence,What design considerations for operations have you made?,Application platform components are deployed across multiple active regions.,,, -Operational Excellence,What design considerations for operations have you made?,The workload is implemented with strategies for resiliency and self-healing.,,, -Operational Excellence,What design considerations for operations have you made?,All platform-level dependencies are identified and understood.,,, -Operational Excellence,What design considerations for operations have you made?,None of the above.,None of the above.,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,"Availability targets such as SLAs, SLIs and SLOs are defined for the application and key scenarios and monitored",,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,"Availability targets such as SLAs, SLIs and SLOs for all leveraged dependencies are understood and monitored",,, 
-Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,Recovery targets such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined for the application and key scenarios,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,The consequences if availability and recovery targets are not satisfied are well understood,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,There are targets defined for the time it takes to perform scale operations,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,"Critical system flows through the application have been defined for all key business scenarios and have distinct availability, performance and recovery targets",,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,There are well defined performance requirements for the application and key scenarios,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,Any application components which are less critical and have lower availability or performance requirements are well understood,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,None of the above.,None of the above.,, -Operational Excellence,How are you monitoring your resources?,An Application Performance Management (APM) tool like Azure Application Insights is used to collect application level logs,,, -Operational 
Excellence,How are you monitoring your resources?,Application logs are collected from different application environments,,, -Operational Excellence,How are you monitoring your resources?,Log messages are captured in a structured format and can be indexed and searched,,, -Operational Excellence,How are you monitoring your resources?,Application events are correlated across all application components,,, -Operational Excellence,How are you monitoring your resources?,It is possible to evaluate critical application performance targets and non-functional requirements based on application logs and metrics,,, -Operational Excellence,How are you monitoring your resources?,End-to-end performance of critical system flows is monitored,,, -Operational Excellence,How are you monitoring your resources?,Black-box monitoring is used to measure platform services and the resulting customer experience.,,, -Operational Excellence,How are you monitoring your resources?,None of the above.,None of the above.,, -Operational Excellence,How do you interpret the collected data to inform about application health?,"A log aggregation technology, such as Azure Log Analytics or Splunk, is used to collect logs and metrics from Azure resources",,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Azure Activity Logs are collected within the log aggregation tool,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Resource-level monitoring is enforced throughout the application,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Logs and metrics are available for critical internal dependencies,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Log levels are used to capture different types of application events.,,, -Operational Excellence,How do you interpret the collected data to inform about 
application health?,Critical external dependencies are monitored,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,There are no known gaps in application observability that led to missed incidents and/or false positives.,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,The workload is instrumented to measure customer experience.,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,None of the above.,None of the above.,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,"Application and resource level logs are either aggregated in a single data sink, or it is possible to cross-query events at both levels",,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,Application level events are automatically correlated with resource-level metrics to quantify the current application state,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,A health model is used to qualify what 'healthy' and 'unhealthy' states represent for the workload,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,Critical system flows are used to inform the health model,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,The health model can distinguish between transient and non-transient faults,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,Long-term trends are analysed to predict operational issues before they occur,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,Retention times for logs and metrics have been defined and with 
housekeeping mechanisms configured,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,None of the above.,None of the above.,, -Operational Excellence,How are you using Azure platform notifications and updates?,A tool such as Azure Monitor or Grafana is used to visualize the application health model and encompassed logs and metrics,,, -Operational Excellence,How are you using Azure platform notifications and updates?,"Dashboards are tailored to a specific audience such as developers, security or networking teams",,, -Operational Excellence,How are you using Azure platform notifications and updates?,A tool such as Azure Monitor or Splunk is used for alerting,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Specific owners and processes are defined for each alert type,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Operational events are prioritized based on business impact,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Push notifications are used to inform responsible parties of alerts in real time,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Alerting is integrated with an IT Service Management (ITSM) system such as ServiceNow,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Azure Service Health alerts been created to respond to Service-level events.,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Azure Resource Health alerts been created to respond to Resource-level events.,,, -Operational Excellence,How are you using Azure platform notifications and updates?,None of the above.,None of the above.,, -Operational Excellence,What is your approach to recovery and failover?,Recovery steps are defined and well understood for failover and failback,,, -Operational Excellence,What is 
your approach to recovery and failover?,The failover and failback approach has been tested/validated at least once,,, -Operational Excellence,What is your approach to recovery and failover?,The health model is being used to classify failover situations,,, -Operational Excellence,What is your approach to recovery and failover?,Automated recovery procedures are in place for common failure events,,, -Operational Excellence,What is your approach to recovery and failover?,Automated recovery procedures are tested and validated on a regular basis,,, -Operational Excellence,What is your approach to recovery and failover?,Critical manual processes are defined and documented for failure responses.,,, -Operational Excellence,What is your approach to recovery and failover?,Manual operational runbooks are tested and validated on a regular basis,,, -Operational Excellence,What is your approach to recovery and failover?,None of the above.,None of the above.,, -Operational Excellence,How are scale operations performed?,There is a capacity model for the workload,,, -Operational Excellence,How are scale operations performed?,Auto-scaling is enabled for supporting PaaS and IaaS services,,, -Operational Excellence,How are scale operations performed?,The process to provision and de-provision capacity is codified,,, -Operational Excellence,How are scale operations performed?,The impact of changes in application health on capacity is fully understood,,, -Operational Excellence,How are scale operations performed?,It has been validated that the required capacity (initial and future growth) is within Azure service scale limits and quotas,,, -Operational Excellence,How are scale operations performed?,It has been validated that the required capacity (initial and future growth) is available within targeted regions,,, -Operational Excellence,How are scale operations performed?,Capacity utilization is monitored and used to forecast future growth,,, -Operational Excellence,How are scale 
operations performed?,None of the above.,None of the above.,, -Operational Excellence,How are you managing the configuration of your workload?,You monitor and take advantage of new features and capabilities of underlying services used in your workload.,,, -Operational Excellence,How are you managing the configuration of your workload?,Application configuration information is stored using a dedicated management system such as Azure App Configuration or Azure Key Vault,,, -Operational Excellence,How are you managing the configuration of your workload?,Soft-Delete is enabled for your keys and credentials such as things stored in Key Vaults and Key Vault objects.,,, -Operational Excellence,How are you managing the configuration of your workload?,Configuration settings can be changed or modified without rebuilding or redeploying the application,,, -Operational Excellence,How are you managing the configuration of your workload?,Passwords and other secrets are managed in a secure store like Azure Key Vault or HashiCorp Vault,,, -Operational Excellence,How are you managing the configuration of your workload?,Procedures are in place for key/secret rotation,,, -Operational Excellence,How are you managing the configuration of your workload?,The application uses Azure Managed Identities,,, -Operational Excellence,How are you managing the configuration of your workload?,The expiry dates of SSL certificates are monitored and there are processes in place to renew them,,, -Operational Excellence,How are you managing the configuration of your workload?,Components are hosted on shared application or data platforms as appropriate.,,, -Operational Excellence,How are you managing the configuration of your workload?,Your workload takes advantage of multiple Azure subscriptions.,,, -Operational Excellence,How are you managing the configuration of your workload?,The workload is designed to leverage managed services.,,, -Operational Excellence,How are you managing the configuration of your 
workload?,None of the above.,None of the above.,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,There is a systematic approach to the development and release process.,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,The application can be deployed automatically from scratch without any manual operations,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,There is a documented process for any portions of the deployment that require manual intervention,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,N-1 or N+1 versions can be deployed via automated pipelines where N is current deployment version in production,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,There is a defined hotfix process which bypasses normal deployment procedures,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,The application deployment process leverages blue-green deployments and/or canary releases,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,Releases to production are gated by having it successfully deployed and tested in other environments,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,Feature flags are used to test features before rolling them out to everyone,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,None of the above.,None of the above.,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,The entire application 
infrastructure is defined as code,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,No operational changes are performed outside of infrastructure as code,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,Configuration drift is tracked and addressed,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,The process to deploy infrastructure is automated,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,Critical test environments have 1:1 parity with the production environment,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,Direct write access to infrastructure is not possible and all resources are provisioned or configured through IaC processes.,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,None of the above.,None of the above.,, -Operational Excellence,How are you managing and distributing your patches,You have a defined process to patch and update all relevant workload components.,,, -Operational Excellence,How are you managing and distributing your patches,You have a defined rollback strategy for patches.,,, -Operational Excellence,How are you managing and distributing your patches,There is an playbook to deploy emergency patches as needed.,,, -Operational Excellence,How are you managing and distributing your patches,None of the above.,None of the above.,, -Operational Excellence,How are you testing and validating your workload?,"The application is tested for performance, scalability, and resiliency",,, -Operational Excellence,How are you testing and validating your workload?,"Tests for performance, scalability, and resiliency are 
performed as part of each major change",,, -Operational Excellence,How are you testing and validating your workload?,At least a subset of tests is also performed in the production environment,,, -Operational Excellence,How are you testing and validating your workload?,Fault injection tests are being utilized,,, -Operational Excellence,How are you testing and validating your workload?,Smoke tests are performed during application deployments,,, -Operational Excellence,How are you testing and validating your workload?,Unit and integration testing is performed as part of the application deployment process,,, -Operational Excellence,How are you testing and validating your workload?,All these tests are automated and carried out periodically,,, -Operational Excellence,How are you testing and validating your workload?,Failing tests at least temporarily block a deployment and lead to a deeper analysis of what has happened,,, -Operational Excellence,How are you testing and validating your workload?,Business Continuity 'fire drills' are performed to test regional failover scenarios,,, -Operational Excellence,How are you testing and validating your workload?,Security and penetration testing is performed regularly,,, -Operational Excellence,How are you testing and validating your workload?,You regularly validate and update your tests to reflect any necessary changes.,,, -Operational Excellence,How are you testing and validating your workload?,Operational procedures are reviewed and refined regularly.,,, -Operational Excellence,How are you testing and validating your workload?,Mocks and stubs are used to test external dependencies in non-production environments.,,, -Operational Excellence,How are you testing and validating your workload?,None of the above.,None of the above.,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,"Specific methodologies, like DevOps, are used to structure the development and operations 
process",,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,Collaboration between development and operations team to resolve production issue is clearly defined and well understood,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,Operational shortcomings and failures are analyzed and used to improve and refine operational procedures,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,"There are tools or processes in place, such as Azure AD Privileged Identity Management, to grant access to critical systems on a just in-time basis",,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,No users have long-standing write-access to production environments,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,Azure Resource Tags are used to enrich resources with operational meta-data,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,"There are tools and processes, like Azure Policy, in place to govern available services, enforce mandatory operational functionality and ensure compliance",,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,"Standards, policies, restrictions and best practices are defined as code, for example by using solutions like Azure Policy or HashiCorp Sentinel",,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,None of the above.,None of the above.,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Error budgets used to track service reliability.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,There is a policy that 
governs what happens when the error budget is exhausted.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Availability targets such as Service Level Agreements (SLAs) and Service Level Objectives (SLOs) have been set.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,The life-cycle of the application is decoupled from its dependencies.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Application logs are correlated across components.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,The application is instrumented with semantic logs and metrics.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Validated required capacity is within Azure service scale limits and quotas.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Calculated target data sizes and associated growth rates per scenario and component.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Operational procedures are defined in case data sizes exceed limits.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Tested and validated defined latency and throughput targets per scenario and component.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Autoscaling is enabled for application components and integrated with Azure Monitor.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Defined a disaster recovery strategy to capture recovery steps for failover and failback.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Keys and secrets are backed-up to geo-redundant storage.,,, -Operational 
Excellence,What operational excellence allowances for reliability have you made?,Application can be automatically deployed to a new region without any manual operations to recover from disaster scenarios.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,None of the above.,None of the above.,, -Operational Excellence,What operational excellence allowances for cost have you made?," The application was built natively for the cloud.",,, -Operational Excellence,What operational excellence allowances for cost have you made?,The workload is designed to use Availability Zones within a region.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,The application has been designed to scale both in and out.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Performance requirements are well-defined.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Critical system flows through the application have been defined for all key business scenarios.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Application Performance Management (APM) tools and log aggregation technologies are used to collect logs and metrics from Azure resources.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Role Based Access Control (RBAC) is used to control access to operational and financial dashboards and underlying data.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Specific owners and processes are defined for each alert type.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,There is an automated process to deploy application releases to production.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,There is awareness around how the 
application has been built and is being maintained (in house or via an external partner).,,, -Operational Excellence,What operational excellence allowances for cost have you made?,The application has a well-defined naming standard for Azure resources.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Targets for the time it takes to perform scale operations are defined and monitored.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,All internal and external dependencies identified and categorized as either weak or strong.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,None of the above.,None of the above.,, -Operational Excellence,What operational excellence allowances for security have you made?,Regulatory and governance requirements of this workload are known and well understood.,,, -Operational Excellence,What operational excellence allowances for security have you made?,There are tools and processes in place to grant just-in-time access.,,, -Operational Excellence,What operational excellence allowances for security have you made?,Appropriate emergency access accounts are configured for this workload.,,, -Operational Excellence,What operational excellence allowances for security have you made?,None of the above.,None of the above.,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,The workload is deployed across multiple regions.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,"Regions were chosen based on location, proximity to users, and resource type availability.",,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,Paired regions are used appropriately.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in 
your workload?,You have ensured that both (all) regions in use have the same performance and scale SKUs that are currently leveraged in the primary region.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,Within a region the application architecture is designed to use Availability Zones.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,The application is implemented with strategies for resiliency and self-healing.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,Component proximity is considered for application performance reasons.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,The application can operate with reduced functionality or degraded performance in the case of an outage.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,You choose appropriate datastores for the workload during the application design.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,Your application is using a micro-service architecture.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,You understand where state will be stored for the workload.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,None of the above.,None of the above.,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,You are able to predict general application usage.,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,There are well-defined performance requirements for the workload and 
its key scenarios.,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,Targets for scale operations are defined.,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,You understand and have documented the expected maximum traffic volume before performance degradation occurs.,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,None of the above.,None of the above.,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,The workload can scale horizontally in response to changing load.,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,Have policies to scale in and scale down when the load decreases.,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,Configured scaling policies to use the appropriate metrics.,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,Automatically schedule autoscaling to add resources based on time of day trends.,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,Autoscaling has been tested under sustained load.,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,You have measured the time it takes to scale in and out.,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,None of the above.,None of the above.,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,You have a capacity model for the workload.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,Capacity 
utilization is monitored and used to forecast future growth.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,A process for provisioning and de-provisioning capacity has been established.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,You have enabled auto-scaling for all PaaS and IaaS services that support it.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,You are aware of relevant Azure service limits and quotas.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,You have validated the SKU and configuration choices are appropriate for your anticipated loads.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,There is a strategy in place to manage events that may cause a spike in load.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,None of the above.,None of the above.,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,You are using a Content Delivery Network.,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,You are offloading SSL.,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,You are using authentication/token verification offloading.,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,"You have defined, tested, and validated latency targets for key scenarios.",,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,"You have defined, tested, and validated throughput targets for key scenarios.",,, -Performance 
Efficiency,What considerations for performance efficiency have you made in your networking stack?,You have identified all components that are sensitive to network latency.,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,Dedicated bandwidth has been acquired where needed.,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,None of the above.,None of the above.,, -Performance Efficiency,How are you managing your data to handle scale?,You know the growth rate of your data.,,, -Performance Efficiency,How are you managing your data to handle scale?,You have documented plans for data growth and retention.,,, -Performance Efficiency,How are you managing your data to handle scale?,Design for eventual consistency.,,, -Performance Efficiency,How are you managing your data to handle scale?,You are using database replicas and data partitioning (sharding) as appropriate.,,, -Performance Efficiency,How are you managing your data to handle scale?,Minimize the load on the data store.,,, -Performance Efficiency,How are you managing your data to handle scale?,Normalize the data appropriately.,,, -Performance Efficiency,How are you managing your data to handle scale?,Optimize database queries and indexes.,,, -Performance Efficiency,How are you managing your data to handle scale?,None of the above.,None of the above.,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,There is a defined testing strategy.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,Performance tests are performed regularly.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,You have identified the human and environmental resources needed to create performance tests.,,, -Performance Efficiency,How are you testing 
to ensure that you workload can appropriately handle user load?,You are using appropriate tools to conduct performance tests on your workload.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,You are testing all appropriate components for performance.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,You have identified all services being utilized in Azure (and on-premise) that need to be measured.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,Some tests are performed in production.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,The testing plan includes occasionally injecting faults.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,None of the above.,None of the above.,, -Performance Efficiency,How are you benchmarking your workload?,You have identified goals or a baseline for workload performance.,,, -Performance Efficiency,How are you benchmarking your workload?,Performance goals are based on device and/or connectivity type as appropriate.,,, -Performance Efficiency,How are you benchmarking your workload?,You have defined an initial connection goal for your workload.,,, -Performance Efficiency,How are you benchmarking your workload?,There is a goal defined for complete page load times.,,, -Performance Efficiency,How are you benchmarking your workload?,You have defined goals for an API (service) endpoint complete response.,,, -Performance Efficiency,How are you benchmarking your workload?,There are goals defined for server response time.,,, -Performance Efficiency,How are you benchmarking your workload?,You have goals for latency between the systems & microservices of your workload.,,, -Performance Efficiency,How are you benchmarking your workload?,There 
are goals on database query efficiency.,,, -Performance Efficiency,How are you benchmarking your workload?,You have a methodology to determine what acceptable performance is.,,, -Performance Efficiency,How are you benchmarking your workload?,None of the above.,None of the above.,, -Performance Efficiency,How have you modeled the health of your workload?,Application and resource level logs are aggregated in a single data sink or able to be cross-queried.,,, -Performance Efficiency,How have you modeled the health of your workload?,A health model is used to qualify what 'healthy' and 'unhealthy' states represent for the application.,,, -Performance Efficiency,How have you modeled the health of your workload?,Critical system flows are used to inform the health model.,,, -Performance Efficiency,How have you modeled the health of your workload?,The health model can distinguish between transient and non-transient faults.,,, -Performance Efficiency,How have you modeled the health of your workload?,The health model can determine if the workload is performing at the expected targets.,,, -Performance Efficiency,How have you modeled the health of your workload?,Retention times for logs and metrics been defined and housekeeping mechanisms are configured.,,, -Performance Efficiency,How have you modeled the health of your workload?,Long-term trends are analyzed to predict performance issues before they occur.,,, -Performance Efficiency,How have you modeled the health of your workload?,None of the above.,None of the above.,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Track when resources scale in and out.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Have an overall monitoring strategy for scalability and performance.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Application logs are collected from different application 
environments.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Logs are captured in a structured format.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,You monitor how much of an application is involved in serving a single request.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Application events are correlated across all application components.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,"You have determined an acceptable operational margin between your peak utilization and the application's maximum load, and monitor for this.",,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,You are aware of the appropriate metrics to monitor for performance tests under standard load.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,You monitor critical external dependencies for performance.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,None of the above.,None of the above.,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You have steps to troubleshoot database issues.,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You know how to handle high CPU or memory situations.,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You know what to do when the application response times increase while not using all the CPU or memory allocated to the system.,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You use profiling tools to profile your application code.,,, -Performance Efficiency,What 
common problems do you have steps to troubleshoot in your operations playbook?,You have a response plan for network performance problems that includes traffic capturing tools.,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,None of the above.,None of the above.,, diff --git a/WARP/devops/testing/delete-testing-github.sh b/WARP/devops/testing/delete-testing-github.sh deleted file mode 100644 index 325bece..0000000 --- a/WARP/devops/testing/delete-testing-github.sh +++ /dev/null @@ -1,31 +0,0 @@ -#This script will delete the github repo you choose and then re-create a fresh one with the same name. -#usage: bash - -GITHUB_OWNER=rspott -GITHUB_TOKEN=$1 -GITHUB_PROJECT=WAF-test02 - -GITHUB_OWNER_ESC="\\\"$GITHUB_OWNER\\\"" -GITHUB_PROJECT_ESC="\\\"$GITHUB_PROJECT\\\"" - -DATA='{"name":"' -DATA+=$GITHUB_PROJECT -DATA+='"}' - -# Delete the entire repo -curl \ - -i -X DELETE \ - -H "Accept: application/vnd.github.v3+json" \ - -H "Authorization: token ${GITHUB_TOKEN}" \ - https://api.github.com/repos/${GITHUB_OWNER}/${GITHUB_PROJECT} - -sleep 5 - -# create a new one! -curl \ - -X POST \ - -H "Accept: application/vnd.github.v3+json" \ - -H "Authorization: token ${GITHUB_TOKEN}" \ - https://api.github.com/user/repos \ - -d "$DATA" - diff --git a/WARP/devops/testing/first-run.csv b/WARP/devops/testing/first-run.csv deleted file mode 100644 index 874c0c0..0000000 --- a/WARP/devops/testing/first-run.csv +++ /dev/null 
@@ -1,399 +0,0 @@ -first-run,,,,,,,,, -,,,,,,,,, -Recommendations for your workload,,,,,,,,, -Your overall results,Critical,'2/100',,,,,,, -Security,Critical,'4/100',,,,,,, -Cost Optimization,Critical,'0/100',,,,,,, -Reliability,Not assessed,,,,,,,, -Operational Excellence,Not assessed,,,,,,,, -Performance Efficiency,Not assessed,,,,,,,, -,,,,,,,,, -Next Steps,,,,,,,,, -Review identify and classify business critical applications,https://docs.microsoft.com/azure/architecture/framework/Security/applications-services#identify-and-classify-business-critical-applications,,,,,,,, -Review prefer identity authentication over keys,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-identity-based-authentication,,,,,,,, -Implement resource tagging,https://docs.microsoft.com/azure/architecture/framework/cost/design-governance#enforce-resource-tagging,,,,,,,, -,,,,,,,,, -ID,Category,Source,Link-Text,Link,Priority,ReportingCategory,ReportingSubcategory,Weight,Context -125058ca-ff29-9d34-3733-61d22eb17474,Security,Advisor,Storage account should use a private link connection for 4 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -cc16fb66-bea3-7950-c8bb-43c66fc79596,Security,Advisor,Log Analytics agent should be installed on your virtual machine for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -173f859e-f870-95af-5abe-703eb8788513,Security,Advisor,Management ports of virtual machines should be protected with just-in-time network access control for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -27092b4f-7b10-714b-b60d-17bf856dadfc,Security,Advisor,Secure transfer to storage accounts should be enabled for 3 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -61b0356a-6307-f4d5-632a-f177b6f1d9cc,Security,Advisor,Azure Defender for DNS should be enabled for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, 
-ed150ada-8a15-81bc-259f-60df75153f17,Security,Advisor,Azure Defender for Resource Manager should be enabled for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -6f8f8901-677b-3158-379b-30fd6b5c3525,Security,Advisor,There should be more than one owner assigned to your subscription for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -51df9cba-3678-5564-ab48-f7456e45c101,Security,Advisor,All network ports should be restricted on network security groups associated to your virtual machine for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -f21895de-63e2-9727-137a-3de5052bf9ef,Security,Advisor,Adaptive network hardening recommendations should be applied on internet facing virtual machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -9794edd6-251c-7c4f-1191-1c7c435e1b61,Security,Advisor,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources for 1 Virtual machine(s)",https://aka.ms/azure-advisor-portal,High,,,0, -d8c34f38-392f-af30-c86e-cf5e28e929e0,Security,Advisor,Management ports should be closed on your virtual machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -e57e67e0-de6b-6179-dc49-a50bb12046c0,Security,Advisor,A vulnerability assessment solution should be enabled on your virtual machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -87b9ae29-bdca-03b6-9c4d-f3a43726beeb,Security,Advisor,Storage accounts should restrict network access using virtual network rules for 4 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -ba73066d-188b-86bf-f996-4cb4404fb6df,Security,Advisor,Network traffic data collection agent should be installed on Linux virtual machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -2ef5e00d-d9f4-d7fd-3c5e-96dcdf9a66fa,Security,Advisor,Private endpoint should be enabled for MySQL servers for 1 MySQL 
server(s),https://aka.ms/azure-advisor-portal,High,,,0, -facd10ad-a274-e849-b738-ecf193caafb4,Security,Advisor,Public network access should be disabled for MySQL servers for 1 MySQL server(s),https://aka.ms/azure-advisor-portal,High,,,0, -0584c527-318d-8e19-e66d-f2fb35b50858,Security,Advisor,Storage account public access should be disallowed for 4 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -cfe8774e-e9df-6f10-f1a7-4ec6520de9a5,Security,Advisor,Guest Configuration extension should be installed on your machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -4e503939-77d5-0409-6950-deef2975d2cb,Security,Advisor,Enforce SSL connection should be enabled for MySQL database servers for 1 MySQL server(s),https://aka.ms/azure-advisor-portal,High,,,0, -b1022ef2-20f8-d720-e92f-1b071157c046,Security,WAF Assessment,Configure emergency access accounts,https://docs.microsoft.com/azure/active-directory/roles/security-emergency-access,High,Operational Model & DevOps,Roles & Responsibilities,100,"While rare, sometimes extreme circumstances arise where all normal means of administrative access are unavailable and for this reason emergency access accounts (also refered to as 'break glass' accounts) should be available. These accounts are strictly controlled in accordance with best practice guidance, and they are closely monitored for unsanctioned use to ensure they are not compromised or used for nefarious purposes." -5b351848-762c-230d-5a1a-e82ecbe53661,Security,WAF Assessment,Implement threat protection for the workload,https://docs.microsoft.com/azure/security-center/azure-defender,High,Application Design,Threat Analysis,100,"Enterprise workloads are subjected to many threats that can jeopardize confidentiality, availability, or integrity and should be protected with advanced security solutions." 
-a59b9b2b-0105-38a6-ed15-7b72b6a40003,Security,WAF Assessment,Implement security strategy to contain attacker access,https://docs.microsoft.com/azure/architecture/framework/security/resilience#containing-attacker-access,High,Application Design,Application Design,90,"The actual security risk for an organization is heavily influenced by how much access an adversary can or does obtain to valuable systems and data. For example, when each user only has a focused scope of permissions assigned to them, the impact of compromising an account will be limited." -4d8f9896-7654-8f83-2fcc-46f33488c326,Security,WAF Assessment,Adopt a zero trust approach,https://docs.microsoft.com/azure/security/fundamentals/network-best-practices?bc=%2fazure%2farchitecture%2fbread%2ftoc.json&toc=%2fazure%2farchitecture%2ftoc.json#adopt-a-zero-trust-approach,High,Networking & Connectivity,Data flow,90,"Data exfiltration occurs when an internal/external malicious actor performs an unauthorized data transfer. The solution should leverage a layered approach such as hub/spoke for network communications with deep packet inspection to detect/protect from data exfiltration attack. Azure Firewall, UDR (User-defined Routes), NSG (Network Security Groups), Key Protection, Data Encryption, PrivateLink, and Private Endpoints are layered defenses for a data exfiltration attack. Azure Sentinel and Azure Security Center can be used to detect data exfiltration attempts and alert incident responders." -65dda7e8-ba59-0715-11f4-588ed6480332,Security,WAF Assessment,Implement a branch policy strategy to enhance DevOps security,https://docs.microsoft.com/azure/architecture/framework/security/deploy-governance#gated-approval-process,High,Deployment & Testing,Application Code Deployments,90,"Branch policies provide additional level of control over the code which is commited to the product. 
It is a common practice to not allow pushing against the main branch and require pull-request (PR) with code review before merging the changes by at least one reviewer, other than the change author. Different branches can have different purposes and access levels, for example: feature branches are created by developers and are open to push, integration branch requires PR and code-review and production branch requires additional approval from a senior developer before merging." -c56c9cc2-dd20-84a8-ef40-03ada098e171,Security,WAF Assessment,Classify your data at rest and use encryption,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-at-rest,High,Security & Compliance,Encryption,90,"This includes all information storage objects, containers, and types that exist statically on physical media, whether magnetic or optical disk. All data should be classified and encrypted with an encryption standard. It should also be tagged so that it can be audited." -38bc86a3-127c-8f5b-f617-ed5040c463f3,Security,WAF Assessment,Establish a detection and response strategy for identity risks,https://docs.microsoft.com/azure/architecture/framework/security/monitor-identity-network#review-identity-risks,High,Health Modeling & Monitoring,Application Level Monitoring,90,"Most security incidents take place after an attacker initially gains access using a stolen identity. These identities can often start with low privileges, but attackers then use that identity to traverse laterally and gain access to more privileged identities. This repeats as needed until the attacker controls access to the ultimate target data or systems. Reported risk events for Azure AD can be viewed in Azure AD reporting, or Azure AD Identity Protection. Additionally, the Identity Protection risk events API can be used to programmatically access identity related security detections using Microsoft Graph." 
-b10661c7-ad38-360d-7966-059579d5d707,Security,WAF Assessment,Adopt a formal DevSecOps approach to building and maintaining software,https://docs.microsoft.com/azure/architecture/framework/security/deploy,High,Operational Model & DevOps,General,90,"The DevOps approach increases the organization's ability to rapidly address security concerns without waiting for a longer planning and testing cycle of traditional waterfall model. Key attributes are: automation, close integration of infra and dev teams, testability and reliability and repeatability of deployments." -1b307115-60bd-296c-fe02-f9a5121b95a2,Security,WAF Assessment,Scan container workloads for vulnerabilities,https://docs.microsoft.com/azure/security-center/container-security,High,Deployment & Testing,Testing & Validation,90,"Azure Security Center is the Azure-native solution for securing containers. Security Center can protect virtual machines that are running Docker, Azure Kubernetes Service clusters, Azure Container Registry registries. ASC is able to scan container images and identify security issues, or provide real-time threat detection for containerized environments." -0fd58006-093c-68a8-aa6a-bc5e059c3e3c,Security,WAF Assessment,Establish a security operations center (SOC),https://docs.microsoft.com/azure/architecture/framework/security/security-operations,High,Operational Procedures,Incident Response,90,"A SOC has a critical role in limiting the time and access an attacker can get to valuable systems and data. In addition, it provides the vital role of detecting the presence of adversaries, reacting to an alert of suspicious activity, or proactively hunting for anomalous events in the enterprise activity logs." 
-f9c0e7ed-219f-5334-3774-863c72146930,Security,WAF Assessment,Implement Conditional Access Policies,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#enable-conditional-access,High,Security & Compliance,Authentication and authorization,90,"Modern cloud-based applications are often accessible over the internet and location-based networking restrictions don't make much sense, but it needs to be mapped and understood what kind of restrictions are required. Multi-factor Authentication (MFA) is a necessity for remote access, IP-based filtering can be used to enable ad-hoc debugging, but VPNs are preferred." -8af8f817-935b-46a1-ad46-e8210d133a2c,Security,WAF Assessment,Implement established processes and timelines to deploy mitigations for identified threats,https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model#3--mitigate-the-identified-threats,High,Application Design,Threat Analysis,90,Fixing identified vulnerabilities in a timely manner helps staying secure and preventing additional attack vectors. -11aed3fa-9562-e716-42a4-7a889a67591b,Security,WAF Assessment,"Restrict access to backend services to a minimal set of public IP addresses, only those who really need it",https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#communication-with-backend-services,High,Networking & Connectivity,Connectivity,90,Web applications typically have one public entrypoint and don't expose subsequent APIs and database servers over the internet. When using gateway services like Azure Front Door it's possible to restrict access only to a set of Front Door IP addresses and lock down the infrastructure completely. 
-3a94c9b0-3497-d4a9-7787-33c97f069392,Security,WAF Assessment,Protect all public endpoints with appropriate controls,https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints#web-application-firewalls-wafs,High,Networking & Connectivity,Endpoints,90,"External application endpoints should be protected against common attack vectors, such as Denial of Service (DoS) attacks like Slowloris, to prevent potential application downtime due to malicious intent. Azure-native technologies such as Azure Firewall, Application Gateway/Azure Front Door Web Application Firewall (WAF), and DDoS Protection Standard Plan can be used to achieve requisite protection." -643295ac-120d-8309-12f0-fd687af97a37,Security,WAF Assessment,Ensure all Azure environments that connect to your production environment/network apply your organization's policy and IT governance controls for security,https://docs.microsoft.com/azure/architecture/framework/Security/governance#manage-connected-tenants,High,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,80,Ensure the security organization is aware of all enrollments and associated subscriptions connected to the existing environment and is able to monitor those resources as part of the overall enterprise security posture. -055296c6-87d9-08e0-5039-6fd260203a35,Security,WAF Assessment,Configure quality gate approvals in DevOps release process,https://docs.microsoft.com/azure/architecture/framework/security/deploy-governance#gated-approval-process,High,Operational Model & DevOps,Roles & Responsibilities,70,"Pull Requests and code reviews serve as the first line of approvals during development cycle. Before releasing new code to production (new features, bugfixes etc.), security review and approval should be required." 
-47ad741a-2021-0870-3f5b-797b17dbad06,Security,WAF Assessment,Involve the security team in the development process,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/security-governance-and-compliance#service-enablement-framework,High,Operational Model & DevOps,Roles & Responsibilities,70,"There should be a process for onboarding service securely to Azure. The onboarding process should include reviewing the configuration options to determine what logging/monitoring needs to be established, how to properly harden a resource before it goes into production." -b2244fd7-6948-e7f7-45ed-77ea55f3879e,Security,WAF Assessment,Establish a process for key management and automatic key rotation,https://docs.microsoft.com/azure/key-vault/secrets/tutorial-rotation-dual,High,Operational Procedures,Configuration & Secrets Management,70,"In the situation where a key or secret becomes compromised, it is important to be able to quickly act and generate new versions. Key rotation reduces the attack vectors and should be automated and executed without any human interactions." -e80b17aa-57f6-e775-1985-73cd010eac20,Security,WAF Assessment,Integrate code scanning tools within CI/CD pipeline,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code#credential-scanning,High,Deployment & Testing,Application Code Deployments,70,"Credentials should not be stored in source code or configuration files, because that increases the risk of exposure. Code analyzers (such as Roslyn analyzers for Visual Studio) can prevent from pushing credentials to source code repository and pipeline addons such as GitHub Advanced Security or CredScan (part of Microsoft Security Code Analysis) help to catch credentials during the build process." 
-598a45eb-2db5-dbb1-7569-a37063f2583d,Security,WAF Assessment,Apply security controls to self-hosted build agents in the same manner as with other Azure IaaS VMs,https://docs.microsoft.com/azure/architecture/framework/security/deploy-infrastructure#build-environments,High,Deployment & Testing,Build Environments,70,"When the organization uses their own build agents it adds management complexity and can become an attack vector. Build machine credentials must be stored securely and file system needs to be cleaned of any temporary build artifacts regularly. Network isolation can be achieved by only allowing outgoing traffic from the build agent, because it's using pull model of communication with Azure DevOps." -5e44e0d1-2937-89a8-2e24-2825a96ed80a,Security,WAF Assessment,Establish a unified enterprise segmentation strategy,https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation,High,Networking & Connectivity,Connectivity,70,"A unified enterprise segmentation strategy will guide all technical teams to consistently segment access using networking, applications, identity, and any other access controls." -645a4305-5a8b-040f-c887-4129526383ce,Security,WAF Assessment,Use service endpoints and private links where appropriate,https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints#public-endpoints,High,Networking & Connectivity,Connectivity,70,"Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints only from authorized virtual networks, effectively mitigating data intrusion risks and associated impact to application availability. Service Endpoints provide service level access to a PaaS service, while Private Link provides direct access to a specific PaaS resource to mitigate data exfiltration risks (e.g. malicious admin scenarios). Don't forget that Private Link is a paid service and has meters for inbound and outbound data processed. 
Private Endpoints are charged as well." -3ecdbbb2-00c5-975e-5687-686768b4aec4,Security,WAF Assessment,Implement just-in-time privileged access management,https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure,High,Operational Model & DevOps,Roles & Responsibilities,70,"Minimizing the number of people who have access to secure information or resources reduces the chance of a malicious actor gaining access or an authorized user inadvertently impacting a sensitive resource. For example, Azure AD Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about." -a174f139-1612-70d3-687d-72e614ced801,Security,WAF Assessment,Conduct periodic access reviews for the workload,https://docs.microsoft.com/azure/architecture/framework/security/monitor-audit#enforce-policy-compliance,High,Security & Compliance,Control-plane RBAC,70,"As people in the organization and on the project change, it is crucial to make sure that only the right people have access to the application infrastructure. Auditing and reviewing access reduces the attack vector to the application. Azure control plane depends on Azure AD and access reviews are often centrally performed often as part of internal or external audit activities. For the application specific access it is recommended to do the same at least twice a year." -f3ea867d-7ff6-845f-231e-17e065a851af,Security,WAF Assessment,Use only secure hash algorithms (SHA-2 family),https://docs.microsoft.com/azure/architecture/framework/Security/governance#discover-and-replace-insecure-protocols,High,Security & Compliance,Encryption,70,"Applications should use the SHA-2 family of hash algorithms (SHA-256, SHA-384, SHA-512)." 
-1aea58f6-cd71-c577-f330-7dd782297ec5,Security,WAF Assessment,Discover and remediate common risks to improve Secure Score in Azure Security Center,https://docs.microsoft.com/azure/architecture/framework/Security/governance#discover-and-remediate-common-risks,High,Security & Compliance,Security Center,70,"Identifying and remediating common security hygiene risks significantly reduces overall risk to the organization by increasing cost to attackers. Azure Secure Score in Azure Security Center monitors the security posture of machines, networks, storage and data services, and applications to discover potential security issues (internet connected VMs, or missing security updates, missing endpoint protection or encryption, deviations from baseline security configurations, missing Web Application Firewall (WAF), and more)." -42bc20de-a700-5bf1-3ff2-eac21320f345,Security,WAF Assessment,Protect workload publishing methods and restrict those not in use,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#communication-with-backend-services,High,Networking & Connectivity,Endpoints,70,"Application resources allowing multiple methods to publish app content (e.g FTP, Web Deploy) should have the unused endpoints disabled. For Azure Web Apps SCM is the recommended endpoint and it can be protected separately with network restrictions for sensitive scenarios." -8b6359c1-35df-7fd4-f4a9-46714543a895,Security,WAF Assessment,Follow DevOps security guidance and automation for securing applications,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code,High,Operational Model & DevOps,General,70,"Organizations should leverage a control framework such as NIST, CIS or Azure Security Benchmarks (ASB) for securing applications on the cloud rather than starting from zero." 
-47a17e59-4c4a-facc-8ec5-f445f478a858,Security,WAF Assessment,"Prohibit direct internet access of virtual machines with policy, logging, and monitoring",https://docs.microsoft.com/azure/architecture/framework/Security/governance#remove-virtual-machine-vm-direct-internet-connectivity,High,Networking & Connectivity,Endpoints,70,Attackers constantly scan public cloud IP ranges for open management ports and attempt 'easy' attacks like common passwords and known unpatched vulnerabilities. Limiting internet access from within an application server can prevent data exfiltration or stop the attacker from downloading additional tools. -bb0e9b7e-7972-3f2e-3f6b-c53b8d65fdeb,Security,WAF Assessment,Review and consider elevated security capabilities for Azure workloads,https://azure.microsoft.com/solutions/confidential-compute/,High,Governance,Standards,70,Careful consideration is necessary on whether to utilize specialized security capabilities in the workload architecture. These capabilities include dedicated Hardware Security Modules and Confidential Computing. -4acf3ad7-641e-f2b0-4e6c-d3d968154f0d,Security,WAF Assessment,Clearly define CI/CD roles and permissions,https://docs.microsoft.com/azure/architecture/framework/security/deploy-governance#minimize-access,High,Operational Model & DevOps,Roles & Responsibilities,70,Defining CI/CD permissions properly ensures that only users responsible for production releases are able to initiate the process and that only developers can access the source code. Azure DevOps offers pre-defined roles which can be assigned to individual users of groups. Using them properly can make sure that for example only users responsible for production releases are able to initiate the process and that only developers can access the source code. Variable groups often contain sensitive configuration information and can be protected as well. 
-09cc563f-bb55-a265-3e45-10be6f59b64f,Security,WAF Assessment,Automatically remove/obfuscate personally identifiable information (PII) for this workload,https://docs.microsoft.com/azure/search/cognitive-search-skill-pii-detection,High,Health Modeling & Monitoring,Application Level Monitoring,70,"Extra care should be taken around logging of sensitive application areas. PII (contact information, payment information etc.) should not be stored in any application logs and protective measures should be applied (such as obfuscation)." -c4fb2ebf-6432-eb63-c404-3aa0efe90c8b,Security,WAF Assessment,Define a set of Azure Policies which enforce organizational standards and are aligned with the governance team,https://docs.microsoft.com/azure/governance/policy/overview,High,Security & Compliance,Compliance,70,Azure Policy should be used to enforce and report a compliant configuration of Azure services. Azure policies can be used on multiple levels. It is recommended to apply organizational wide security controls on Azure platform level. These policies build the guardrails of a landing zone. -94dbbe03-fe8d-d651-1392-030824ddb73f,Security,WAF Assessment,Establish security benchmarking using Azure Security Benchmark to align with industry standards,https://docs.microsoft.com/azure/architecture/framework/Security/governance#evaluate-security-using-benchmarks,High,Application Design,Threat Analysis,70,"Benchmarking enables security program improvement by learning from external organizations. It lets the organization know how its current security state compares to that of other organizations. As an example, the Center for Internet Security (CIS) has created security benchmarks for Azure that map to the CIS Control Framework. Another reference example is the MITRE ATT&CK framework that defines the various adversary tactics and techniques based on real-world observations." 
-14fdfda4-dc7f-57d5-c7fb-a795c6887111,Security,WAF Assessment,Define security requirements for the workload,https://docs.microsoft.com/azure/governance/policy/concepts/azure-security-benchmark-baseline,High,Application Design,Threat Analysis,70,Azure resources should be blocked that do not meet the proper security requirements defined during service enablement. -26e13d6e-fecb-adc8-1f9d-06b5f0a4f439,Security,WAF Assessment,"Remove platform-specific information from HTTP headers, error messages, and web site content",https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#configuration-security,High,Application Design,Design,70,"Information revealing the application platform, such as HTTP banners containing framework information (""`X-Powered-By`"", ""`X-ASPNET-VERSION`""), are commonly used by malicious actors when mapping attack vectors of the application. HTTP headers, error messages, website footers etc. should not contain information about the application platform. Azure CDN or Cloudflare can be used to separate the hosting platform from end users, Azure API Management offers transformation policies that allow to modify HTTP headers and remove sensitive information." -30427daa-ea63-cdfe-fa35-a380514a6f19,Security,WAF Assessment,Define an access model for keys and secrets,https://docs.microsoft.com/azure/key-vault/general/secure-your-key-vault,High,Operational Procedures,Configuration & Secrets Management,70,Permissions to keys and secrets have to be controlled with an access model. 
-d85111b8-29fb-3085-e43f-240b7d757889,Security,WAF Assessment,"Use tools like Azure Disk Encryption, BitLocker or DM-Crypt to encrypt virtual disks",https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-classification,High,Security & Compliance,Encryption,70,Encrypting the virtual disk files helps prevent attackers from gaining access to the contents of the disk files in the event an attacker is able to download the files and mount the disk files offline on a separate system. -c57545aa-6466-0194-cc88-354d4e3a2ce3,Security,WAF Assessment,Deprecate legacy network security controls,https://docs.microsoft.com/azure/architecture/framework/Security/network-security-containment#discontinue-legacy-network-security-technology,High,Security & Compliance,Network Security,70,"Network-based Data Loss Prevention (DLP) is decreasingly effective at identifying both inadvertent and deliberate data loss. The reason for this is that most modern protocols and attackers use network-level encryption for inbound and outbound communications. While the organization can use 'SSL-bridging' to provide an 'authorized man-in-the-middle' that terminates and then reestablishes encrypted network connections, this can also introduce privacy, security and reliability challenges." -e50f8d39-61d6-e637-fc89-159fddfb2a52,Security,WAF Assessment,Use Azure Firewall or a 3rd party next-generation firewall to protect against data exfiltration,https://docs.microsoft.com/azure/architecture/framework/security/design-network-flow#data-exfiltration,High,Networking & Connectivity,Connectivity,70,NVA solutions and Azure Firewall (for supported protocols) can be leveraged as a reverse proxy to restrict access to only authorized PaaS services for services where Private Link is not yet supported. 
-6c40b02d-2f4e-3adf-dad5-d2a975d312a9,Security,WAF Assessment,Use NSG or Azure Firewall to protect and control traffic within VNETs,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#connectivity-between-network-segments,High,Networking & Connectivity,Connectivity,70,"If NSGs are being used to isolate and protect the application, the rule set should be reviewed to confirm that required services are not unintentionally blocked." -020f395e-1c06-144b-931a-82163917db09,Security,WAF Assessment,Use Managed Identities for authentication to other Azure platform services,https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/,High,Operational Procedures,Configuration & Secrets Management,70,Managed Identities in Azure can be used to securely access Azure services while removing the need to store the secrets or certificates of Service Principals. -d0567f3b-6f76-b43e-00ac-eab78e22ebc4,Security,WAF Assessment,Integrate network logs into a Security Information and Event Management (SIEM),https://docs.microsoft.com/azure/architecture/framework/security/monitor-security-operations#leverage-native-detections-and-controls,High,Security & Compliance,Network Security,70,"Integrating logs from the network devices, and even raw network traffic itself, will provide greater visibility into potential security threats flowing over the wire." -466b1e14-814c-52f0-ba05-ebbf35f880d4,Security,WAF Assessment,Data in transit should be encrypted at all points to ensure data integrity,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit,High,Security & Compliance,Encryption,70,"When data is being transferred between components, locations, or programs, it's in transit. Data in transit should be encrypted using a common encryption standard at all points to ensure data integrity. 
For example: web applications and APIs should use HTTPS/SSL for all communication with clients and also between each other (in micro-services architecture). Determine if all components in the solution are using a consistent standard. There are times when encryption is not possible due to technical limitations, but the reason needs to be clear and valid." -4da348a1-535c-72f2-7912-014c5e1b192c,Security,WAF Assessment,Establish an incident response plan and perform periodically a simulated execution,https://info.microsoft.com/rs/157-GQE-382/images/EN-US-CNTNT-emergency-doc-digital.pdf,High,Operational Procedures,Incident Response,70,Actions executed during an incident and response investigation could impact application availability or performance. It is recommended to define these processes and align them with the responsible (and in most cases central) SecOps team. The impact of such an investigation on the application has to be analyzed. -d7b41176-e25a-514a-af09-26cc2ce0d3e4,Security,WAF Assessment,Use penetration testing and red team exercises to validate security defenses for this workload,https://docs.microsoft.com/azure/architecture/framework/security/monitor-test#penetration-testing-pentesting,High,Deployment & Testing,Testing & Validation,70,"Real world validation of security defenses is critical to validate a defense strategy and implementation. Penetration tests or red team programs can be used to simulate either one time, or persistent threats against an organization to validate defenses that have been put in place to protect organizational resources." 
-13a05d38-c1af-5cff-3c2a-008bad17c440,Security,WAF Assessment,Establish a designated group responsible for central network management,https://docs.microsoft.com/azure/architecture/framework/security/design-segmentation#functions-and-teams,High,Security & Compliance,Network Security,70,"Centralizing network management and security can reduce the potential for inconsistent strategies that create potential attacker exploitable security risks. Because all divisions of the IT and development organizations do not have the same level of network management and security knowledge and sophistication, organizations benefit from leveraging a centralized network team's expertise and tooling." -67f90604-50ad-66b3-bfb6-b13251d68935,Security,WAF Assessment,Build a security containment strategy,https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation,High,Security & Compliance,Network Security,70,Assume breach is the recommended cybersecurity mindset and the ability to contain an attacker is vital to protect information systems. -db2bf032-cbe5-59fa-1eff-ec8994d3910f,Security,WAF Assessment,Evolve security beyond network controls,https://docs.microsoft.com/azure/architecture/framework/Security/network-security-containment#evolve-security-beyond-network-controls,High,Security & Compliance,Network Security,70,Traditional network controls based on a 'trusted intranet' approach will not be able to effectively provide security assurances for cloud applications. -e214da59-c51a-09f8-3b0b-b474397feabc,Security,WAF Assessment,Periodically perform external and/or internal workload security audits,https://docs.microsoft.com/azure/architecture/framework/security/monitor-audit#review-critical-access,High,Security & Compliance,Compliance,70,"Compliance is important for several reasons. Aside from signifying levels of standards, like ISO 27001 and others, noncompliance with regulatory guidelines may bring sanctions and penalties." 
-c6d7ee61-b320-0a42-2a6e-ccde787776fd,Security,WAF Assessment,Develop a security plan,https://docs.microsoft.com/azure/cloud-adoption-framework/get-started/security#step-3-develop-a-security-plan,High,Application Design,Security Criteria & Data Classification,70,"A security plan should be part of the main planning documentation for the cloud. It should include several core elements including organizational functions, security skilling, technical security architecture and capabilities roadmap." -ce17c8f5-c50f-e83f-e7ad-2eee3076a6a9,Security,WAF Assessment,"Review, prioritize, and proactively apply security best practices to cloud resources",https://docs.microsoft.com/azure/architecture/framework/Security/governance#prioritize-security-best-practices-investments,High,Application Design,Security Criteria & Data Classification,70,Security best practices are ideally applied proactively and completely to all systems as the cloud workload is implemented. -24c4f75b-762c-efc4-33ab-6072de071622,Security,WAF Assessment,Establish lifecycle management policy for critical accounts,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authorization#authorization-for-critical-accounts,High,Security & Compliance,Separation of duties,70,A compromise of an account in a role that is assigned privileges with a business-critical impact can be detrimental to organizational information systems and should therefore be closely monitored including a lifecycle process. -4038b9b1-ee3a-1af3-e409-c5e04daabfbf,Security,WAF Assessment,Designate the parties responsible for specific functions in Azure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-role-definitions,High,Operational Model & DevOps,Roles & Responsibilities,70,"Clearly documenting and sharing the contacts responsible for each of these functions will create consistency and facilitate communication. 
Examples of such contact groups include network security, network management, server endpoint security, incident response, policy management, identity." -67279fec-3043-577e-41d1-b4364f507f06,Security,WAF Assessment,Implement a solution to configure unique local admin credentials,https://docs.microsoft.com/azure/automation/update-management/overview,High,Operational Procedures,Patch & Update Process (PNU),70,Attackers constantly scan public cloud IP ranges for open management ports and attempt 'easy' attacks like common passwords and unpatched vulnerabilities. -a7a24707-9203-2086-f82d-c2d62380e6ea,Security,WAF Assessment,Store keys and secrets outside of application code in Azure Key Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-keys#key-storage,High,Operational Procedures,Configuration & Secrets Management,70,"API keys, database connection strings and passwords are all sensitive to leakage, occasionally require rotation and are prone to expiration. Storing them in a secure store and not within the application code or configuration simplifies operational tasks like key rotation as well as improving overall security." -8e2d1d02-170c-3138-a2e8-214c7ecc178f,Security,WAF Assessment,Mitigate DDoS attacks,https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints#mitigate-ddos-attacks,High,Networking & Connectivity,Endpoints,70,"DDoS attacks can be very debilitating and completely block access to your services or even take down the services, depending on the type of DDoS attack." 
-230873a2-8e40-b6f9-d41a-8f4db533dc54,Security,WAF Assessment,Standardize on modern authentication protocols,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-modern-password-protection,High,Security & Compliance,Authentication and authorization,70,Modern authentication protocols support strong controls such as Multi-factor Authentication (MFA) and should be used instead of legacy. -36ded80e-ba19-0d1c-9461-9d6e1172dd14,Security,WAF Assessment,Implement lifecycle management process for SSL/TLS certificates,https://docs.microsoft.com/azure/key-vault/certificates/tutorial-rotate-certificates,High,Operational Procedures,Configuration & Secrets Management,70,Expired SSL/TLS certificates are one of the most common yet avoidable causes of application outages; even Azure and more recently Microsoft Teams have experienced outages due to expired certificates. -e20147e8-629b-c1b2-ab13-d6ed3f4bba12,Security,WAF Assessment,Maintain a list of frameworks and libraries as part of the application inventory,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Dependencies,60,"As part of the workload inventory the application team should maintain a framework and library list, along with versions in use. Understanding of the frameworks and libraries (custom, OSS, 3rd party, etc.) used by the application and the resulting vulnerabilities is important." -889a660a-d770-5339-ba2c-0d9a278f6085,Security,WAF Assessment,Configure web apps to reuse authentication tokens securely and handle them like other credentials,https://docs.microsoft.com/azure/active-directory/develop/msal-acquire-cache-tokens,Medium,Security & Compliance,Authentication and authorization,60,"OAuth tokens are usually cached after they've been acquired. 
Application code should first try to get tokens silently from a cache before attempting to acquire a token from the identity provider, to optimize performance and maximize availability. Tokens should be stored securely and handled as any other credentials. When there's a need to share tokens across application servers (instead of each server acquiring and caching their own) encryption should be used." -7e82f7b6-7cac-48bc-e347-aa154a4c7bd6,Security,WAF Assessment,Ensure security team has Security Reader or equivalent to support all cloud resources in their purview,https://docs.microsoft.com/azure/architecture/framework/Security/governance#security-team-visibility,Medium,Security & Compliance,Control-plane RBAC,60,"Provide security teams read-only access to the security aspects of all technical resources in their purview. Security organizations require visibility into the technical environment to perform their duties of assessing and reporting on organizational risk. Without this visibility, security will have to rely on information provided from groups, operating the environment, who have a potential conflict of interest (and other priorities). Note that security teams may separately be granted additional privileges if they have operational responsibilities or a requirement to enforce compliance on Azure resources. For example in Azure, assign security teams to the Security Readers permission that provides access to measure security risk (without providing access to the data itself). Because security will have broad access to the environment (and visibility into potentially exploitable vulnerabilities), you should consider them critical impact accounts and apply the same protections as administrators." 
-050209de-804f-62a4-f051-5cdd896b0ea2,Security,WAF Assessment,Implement security playbooks for incident response,https://docs.microsoft.com/azure/security-center/workflow-automation,Medium,Operational Procedures,Incident Response,60,Incident responders are part of a central SecOps team and need to understand security insights of an application. Playbooks can help to understand the security concepts and cover the typical investigation activities. These procedures can and should be automated as much as possible (while maintaining confidence and security). -9869d213-1d48-6265-6b85-662696986065,Security,WAF Assessment,Synchronize on-premises directory with Azure AD,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#centralize-all-identity-systems,Medium,Security & Compliance,Authentication and authorization,60,Consistency of identities across cloud and on-premises will reduce human errors and resulting security risk. Teams managing resources in both environments need a consistent authoritative source to achieve security assurances. -5ee838bc-e1ba-6549-c8c8-6171ff6104da,Security,WAF Assessment,Implement identity-based storage access controls,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#azure-encryption-features,Medium,Security & Compliance,Encryption,60,"Protecting data at rest is required to maintain confidentiality, integrity, and availability assurances across all workloads. Cloud service providers make multiple methods of access control available - shared keys, shared signatures, anonymous access, identity provider-based. Identity provider methods (such as AAD and RBAC) are the least liable to compromise and enable more fine-grained role-based access controls." 
-529ff108-f7d5-242d-117e-f0879c418d42,Security,WAF Assessment,"Use services available from a cloud provider for well-established functions like databases, encryption, identity directory, and authentication",https://docs.microsoft.com/azure/architecture/framework/security/design-apps-considerations#use-azure-services-for-fundamental-components,Medium,Application Design,Design,60,"Developers should use services available from a cloud provider for well-established functions like databases, encryption, identity directory, and authentication instead of writing custom versions or third-party solutions that must be integrated into the cloud provider." -cb403a03-94b0-f7a7-376f-24893b1b33c1,Security,WAF Assessment,Implement automated deployment process with rollback/roll-forward capabilities,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code#rollback-and-roll-forward,Medium,Deployment & Testing,Application Code Deployments,60,N-1 and N+1 refer to roll-back and roll-forward. Automated deployment pipelines should allow for quick roll-forward and roll-back deployments to address critical bugs and code updates outside of the normal deployment lifecycle. -3d488720-5e7c-e74f-ab7d-8f35c3717a1f,Security,WAF Assessment,Leverage a cloud application security broker (CASB),https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security,Medium,Networking & Connectivity,Data flow,60,"CASBs provide rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all Microsoft and third-party cloud services." -2cfdb2ed-210a-4aaa-a579-8b22ee14d6d1,Security,WAF Assessment,Configure and collect network traffic logs,https://docs.microsoft.com/azure/architecture/framework/security/monitor-identity-network#enable-network-visibility,Medium,Networking & Connectivity,Connectivity,60,NSG flow logs should be captured and analyzed to monitor performance and security. 
The NSG flow logs enables Traffic Analytics to gain insights into internal and external traffic flows of the application. -8bab539e-5d69-2631-e554-744982536292,Security,WAF Assessment,Identify and classify business critical applications,https://docs.microsoft.com/azure/architecture/framework/Security/applications-services#identify-and-classify-business-critical-applications,Medium,Application Design,Threat Analysis,60,"Enterprise organizations typically have a large application portfolio. Have key business applications been identified and classified? This should include applications that have a high business impact if affected. Examples would be business critical data, regulated data, or business critical availability. These applications also might include applications which have a high exposure to attack such as public facing websites key to organizational success." -c637da15-1454-f1cb-bdde-3f60eb42c924,Security,WAF Assessment,Develop a security training program,https://www.microsoft.com/itshowcase/blog/how-microsoft-is-transforming-its-approach-to-security-training/,Medium,Operational Model & DevOps,Roles & Responsibilities,60,"Cybersecurity threats are always evolving and therefore those responsible for organizational information security require specialized, continual, and relevant training to ensure staff maintains the level of competency required to protect, detect, and respond." -39f99824-5553-412a-43e1-ecd5748822cd,Security,WAF Assessment,Regularly simulate attacks against critical accounts,https://docs.microsoft.com/azure/architecture/framework/Security/critical-impact-accounts#attack-simulation-for-critical-impact-accounts,Medium,Deployment & Testing,Testing & Validation,60,"People are a critical part of your defense, especially those with elevated permissions, so ensuring they have the knowledge and skills to avoid and resist attacks will reduce your overall organizational risk. 
Simulating attacks for educational purposes helps to enforce understanding of the various means that an attacker may use to compromise accounts. Tools such as Office 365 Attack Simulation or similar may be used." -50c27124-4bdb-c613-9e44-93faa39bd61c,Security,WAF Assessment,Design virtual networks for growth,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#connectivity-between-network-segments,Medium,Security & Compliance,Network Security,60,"Most organizations end up adding more resources to networks than initially planned. When this happens, IP addressing and subnetting schemes need to be refactored to accommodate the extra resources. This is a labor-intensive process. There is limited security value in creating a very large number of small subnets and then trying to map network access controls (such as security groups) to each of them." -50c92e40-3771-210d-3a31-0096068c1e7a,Security,WAF Assessment,Use standard and recommended encryption algorithms,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#standard-encryption-algorithms,Medium,Security & Compliance,Encryption,60,"Organizations should rarely develop and maintain their own encryption algorithms. Secure standards already exist on the market and should be preferred. AES should be used as symmetric block cipher, AES-128, AES-192 and AES-256 are acceptable. Crypto APIs built into operating systems should be used where possible, instead of non-platform crypto libraries. For .NET make sure you follow the .NET Cryptography Model." 
-04fa097e-d262-fc33-fdd4-ee39c57862dc,Security,WAF Assessment,Assign permissions based on management or resource groups,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authorization#resource-based-authorization,Medium,Security & Compliance,Control-plane RBAC,60,"Custom resource-based permissions are often not needed and can result in increased complexity and confusion as they do not carry the intention to new similar resources. This then accumulates into a complex legacy configuration that is difficult to maintain or change without fear of ""breaking something"" - negatively impacting both security and solution agility. Higher level permissions sets - based on resource groups or management groups - are usually more efficient." -b15e70d8-6c03-30b6-e0a5-db464c830cd2,Security,WAF Assessment,"Add planning, testing, and validation rigor to the use of the root management group",https://docs.microsoft.com/azure/architecture/framework/security/design-management-groups#use-root-management-group-with-caution,Medium,Security & Compliance,Control-plane RBAC,60,"The root management group ensures consistency across the enterprise by applying policies, permissions, and tags across all subscriptions. This group can affect all resources in Azure and incorrect use can impact the security of all workloads in Azure." -8ee4eec3-0c5d-2685-4f3e-597ec7acefa5,Security,WAF Assessment,Use managed identity providers to authenticate to this workload,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-identity-based-authentication,Medium,Security & Compliance,Authentication and authorization,50,"If possible, applications should utilize Azure Active Directory or other managed identity providers (such as Microsoft Account, Azure B2C...) to avoid managing user credentials with custom implementation. 
Modern protocols like OAuth 2.0 use token-based authentication with limited timespan, identity providers offer additional functionality like multi-factor authentication, password reset etc." -f8507020-2e5e-b559-94c3-9470d4f647ed,Security,WAF Assessment,Enforce password-less or Multi-factor Authentication (MFA),https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-passwordless-authentication,Medium,Security & Compliance,Authentication and authorization,50,Attack methods have evolved to the point where passwords alone cannot reliably protect an account. Modern authentication solutions including password-less and multi-factor authentication increase security posture through strong authentication. -93d7d399-a9ec-5141-c5af-e75fdaa773dd,Security,WAF Assessment,Identify technologies and frameworks used by the application,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Application Composition,50,All technologies and frameworks should be identified. Vulnerabilities of these dependencies must be understood (there are automated solutions on the market that can help: OWASP Dependency-Check or NPM audit). -8bcb252e-e184-1a5e-df05-7a1016710333,Security,WAF Assessment,Continuously assess and monitor compliance,https://docs.microsoft.com/azure/security-center/security-center-compliance-dashboard#assess-your-regulatory-compliance,Medium,Security & Compliance,Compliance,50,Continuously monitoring and assessing the workload increases the overall security and compliance of your workload in Azure. For example Azure Security Center provides a regulatory compliance dashboard. 
-044b5ce0-5579-0eed-0e6a-7dd2caa75188,Security,WAF Assessment,Use identity services instead of cryptographic keys when available,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-keys#identity-based-access-control,Medium,Security & Compliance,Authentication and authorization,50,"Consideration should always be given to authenticating with identity services rather than cryptographic keys when available. Managing keys securely with application code is difficult and regularly leads to mistakes like accidentally publishing sensitive access keys to code repositories like GitHub. Identity systems (such as Azure Active Directory) offer secure and usable experience for access control with built-in sophisticated mechanisms for key rotation, monitoring for anomalies, and more." -ea5b15e4-51a3-ee6c-20ad-53037e1689ea,Security,WAF Assessment,Establish a designated point of contact to receive Azure incident notifications from Microsoft,https://docs.microsoft.com/azure/architecture/framework/Security/governance#assign-incident-notification-contact,Medium,Security & Compliance,Separation of duties,50,"Security alerts need to reach the right people in your organization. It is important to ensure a security contact receives Azure incident notifications, or alerts from Microsoft / Azure Security Center, such as a notification that your resource is compromised and/or attacking another customer." -56d18368-9fe8-6a9e-3ef9-60d29e382c13,Security,WAF Assessment,Restrict application infrastructure access to CI/CD only,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#application-deployment,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,"It is recommended to implement Infrastructure as Code, and to deploy application infrastructure via automation and CI/CD for consistency and auditability - the Portal should not be used by humans to deploy production workloads. 
To maximize application autonomy and agility, Portal or ad-hoc access can be permitted to less-critical development and test environments." -6f0e0aaf-5d8e-c1a6-2239-4ce74db581f9,Security,WAF Assessment,Make sure you understand the security features/capabilities available for each service and how they can be used in the solution,https://docs.microsoft.com/azure/architecture/framework/security/design-apps-services,Medium,Application Design,Application Composition,50,"It is important to understand what Azure services, such as App Services and Event Hubs, are used by the workload to host both application code and data. Selection should be made with security in mind." -2e77d6fd-fc48-88f6-4be9-01c1e8ecc39d,Security,WAF Assessment,Update frameworks and libraries as part of the application lifecycle,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Dependencies,50,"Application frameworks are frequently provided with updates (e.g. security), released by the vendor or communities. Critical and important security patches need to be prioritized." -344a9b60-6836-f7bb-b3c1-ee0b485e6d2d,Security,WAF Assessment,Establish a SecOps team and monitor security related events,https://docs.microsoft.com/azure/architecture/framework/security/monitor-security-operations#incident-response,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Organization is monitoring the security posture across workloads and central SecOps team is monitoring security-related telemetry data and investigating security breaches. 
-da36b2e0-e810-cceb-cdf6-04d79d0fde79,Security,WAF Assessment,Establish process and tools to manage privileged access with just-in-time capabilities,https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices?bc=%2fazure%2farchitecture%2fbread%2ftoc.json&toc=%2fazure%2farchitecture%2ftoc.json#lower-exposure-of-privileged-accounts,Medium,Security & Compliance,Separation of duties,50,Zero-trust principle comes with the requirement of no standing access to an environment. Native and 3rd party solution can be used to elevate access permissions for at least highly privileged if not all activities. Azure AD Privileged Identity Management (Azure AD PIM) is the recommended and Azure native solution. -4459f091-da59-7898-19ee-ecb28a54f7df,Security,WAF Assessment,"Provide guidance for either platform managed keys (PMK) or customer managed keys (CMK), based on security or compliance requirements of this workload",https://docs.microsoft.com/azure/security/fundamentals/encryption-models,Medium,Operational Procedures,Configuration & Secrets Management,50,"Different approaches can be used by the workload team. Decisions are often driven by security, compliance and specific data classification requirements. Understanding these requirements is important to determine which key types are best suitable (MMK - Microsoft-managed Keys, CMK - Customer-managed Keys or BYOK - Bring Your Own Key)." -4548eb87-f972-d4a8-c201-be4f918dd1c1,Security,WAF Assessment,Implement role-based access control for application infrastructure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#roles-and-permission-assignment,Medium,Security & Compliance,Separation of duties,50,"Application roles and responsibility model need to be defined covering the different access level of each operational function (e.g publish production release, access customer data, manipulate database records). 
It's in the interest of the application team to include central functions (e.g. SecOps, NetOps, IAM) into this view." -eef69d34-2c58-e271-0533-d8fbf87e4a94,Security,WAF Assessment,Limit long-standing write access to production environments only to service principals,https://docs.microsoft.com/azure/architecture/framework/security/design-admins#no-standing-access--just-in-time-privileges,Medium,Operational Model & DevOps,Roles & Responsibilities,50,"Regular, long-standing write access to production environments by user accounts can pose a security risk and manual intervention is often prone to errors." -b34c46b3-7d64-3319-db13-dbfed240a993,Security,WAF Assessment,Implement resource locks to protect critical infrastructure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#management-locks,Medium,Security & Compliance,Control-plane RBAC,40,"Critical infrastructure typically doesn't change often. To prevent accidental/undesired modification of resources, Azure offers the locking functionality where only specific roles and users with permissions are able to delete/modify resources. Locks can be used on critical parts of the infrastructure, but special care needs to be taken in the DevOps process - modification locks can sometimes block automation." -27d45555-7231-9ec3-837d-a9a74d55f74d,Security,WAF Assessment,Implement defenses that detect and prevent commodity attacks,https://docs.microsoft.com/azure/architecture/framework/security/resilience#increasing-attacker-cost,Low,Application Design,Security Criteria & Data Classification,30,Cybersecurity attacks are planned and conducted by human attackers that must manage their return on investment into attacks (return could include profit or achieving an assigned objective). 
-e452487d-0fb5-b1ea-edc8-832ca6520f00,Security,WAF Assessment,Enforce naming conventions and resource tagging for all Azure resources,https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging,Low,Governance,Standards,30,Using tags can help to manage resources and make it easier to find relevant items during operational procedures. -debde980-76ba-4cb3-9958-18b2bd03043d,Security,WAF Assessment,"Define a process for aligning communication, investigation and hunting activities with the application team",https://docs.microsoft.com/azure/architecture/framework/Security/governance#security-team-visibility,Low,Health Modeling & Monitoring,Application Level Monitoring,30,Development team needs to be aware of those activities to align their security improvement activities with the outcome of those activities. -c965b63f-3652-cada-7fa4-9dd59ce4fb88,Security,WAF Assessment,Use CDN to optimize delivery performance to users and obfuscate hosting platform from users/clients,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#internet-edge-traffic,Low,Networking & Connectivity,Endpoints,30,"CDNs store static files in locations that are typically geographically closer to the user than the data center. This increases overall application performance as latency for delivery and downloading these artifacts is reduced. Also, from a security point of view, CDNs can be used to separate the hosting platform from end users. Azure CDN contains a rule engine to remove platform-specific information and headers. The use of Azure CDN or 3rd party CDN will have different cost implications depending on what is chosen for the workload." 
-516b3380-e22f-7b52-bcfd-55a2e8955dbb,Cost Optimization,WAF Assessment,Right-size or shutdown underutilized virtual machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -4ea26595-a832-e2ac-13c1-de2ac8b29341,Cost Optimization,WAF Assessment,Shut down VM instances not in use,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-vm#shut-down-the-under-utilized-instances,High,Capacity & Service Availability Planning,Efficiency,70, -6993dcf5-3945-1e6a-53ce-f3e698eb7cfd,Cost Optimization,WAF Assessment,Consider reserved instances,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-vm#reserved-vms,High,Application Design,Design,70, -6eadc494-85bf-11d6-4080-f27a9bf908bd,Cost Optimization,WAF Assessment,Consider VM Zone to Zone DR,https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery,High,Application Design,Design,70, -80bf0182-7b3e-8f4d-ed89-b48a7a0882d1,Cost Optimization,WAF Assessment,Organize data into access tiers,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/considerations/storage-options,High,Application Design,Application Composition,70, -e85bdf30-7547-8571-714b-3ab5f40b5d57,Cost Optimization,WAF Assessment,Set up a disaster recovery strategy that splits the application components and data into defined groups,https://azure.microsoft.com/en-us/solutions/backup-and-disaster-recovery/,High,Application Design,Design,70, -958b7d87-58bd-d2f3-3b3b-e3cbf0ea6b15,Cost Optimization,WAF Assessment,Mitigate DDoS attacks,https://azure.microsoft.com/services/ddos-protection/,High,Networking & Connectivity,Endpoints,70,Use Azure DDoS Protection Standard for critical workloads where outage would have business impact. Also consider CDN as another layer of protection. 
-ba50433c-ad1a-1fa4-0bc8-851ad4aa69ba,Cost Optimization,WAF Assessment,Understand the Azure services used and cost implications,https://docs.microsoft.com/azure/architecture/framework/cost/design-initial-estimate,Medium,Application Design,Application Composition,50,"It is important to understand what Azure services, such as App Services and Event Hubs, are used by the application platform to host both application code and data. In a discussion around cost, this can drive decisions towards the right replacements (e.g. moving from Virtual Machines to containers to increase efficiency, or migrating to .NET Core to use cheaper SKUs etc.)." -220905f9-4ad9-3e08-c9a7-534d2f253825,Cost Optimization,WAF Assessment,Understand the operational capabilities of Azure services,https://docs.microsoft.com/azure/architecture/framework/cost/design-paas,Medium,Application Design,Application Composition,50,"Operational capabilities, such as auto-scale and auto-heal for App Services, can reduce management overheads, support operational effectiveness and reduce cost." -986b5e27-f49e-eb1f-d157-5aec2858012f,Cost Optimization,WAF Assessment,Learn if there are any discounts available for the services already in use,https://azure.microsoft.com/en-us/pricing/,Medium,Governance,Licensing,50,When alternative cost options are considered it should be understood first if any special offers or deals are given for the existing SKUs to verify that the correct prices are being used to build a business case. -7f57dc8b-3cd4-6226-5c94-2591914fa4db,Cost Optimization,WAF Assessment,Leverage the hybrid use benefit,https://azure.microsoft.com/en-us/pricing/hybrid-benefit/,Medium,Governance,Licensing,50,Understanding your current spending on licenses can help you drive down cost in the cloud. A-HUB allows you to reuse licenses that you purchased for on-premises in Azure and via this drive down the cost as the license is already paid. 
-95c2221f-4b23-fc56-c4fe-44970d4cf8c8,Cost Optimization,WAF Assessment,Assign a budget and spend limit to the workload,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-alert,Medium,Governance,Financial Management & Cost Models,50,For cost management it is recommended to have a budget even for the smallest services operated as that allows to track and understand the flow of the spend and also understand the impact of a smaller service in a bigger picture. -48b3746d-1a75-ca24-b5e2-94755c105ad4,Cost Optimization,WAF Assessment,Establish a cost owner for each service used by the workload,https://azure.microsoft.com/en-us/blog/how-to-optimize-your-azure-workload-costs-2/,Medium,Governance,Financial Management & Cost Models,50,Every service should have a cost owner that is tracking and is responsible for cost. This drives responsibility and awareness on who owns the cost tracking. -c937ee7c-bc71-7446-258c-7df7df44d612,Cost Optimization,WAF Assessment,Use cost forecasting for budget alignment,https://docs.microsoft.com/azure/cost-management-billing/costs/quick-acm-cost-analysis?tabs=azure-portal,Medium,Governance,Financial Management & Cost Models,50,In order to predict costs and trends it's recommended to use forecasting to be proactive for any spending that might be going up due to higher demand than anticipated. -dcfd400a-a7e9-0ffa-b524-07cefae672df,Cost Optimization,WAF Assessment,Consider multi-tenant or microservices scenarios when running multiple applications,https://azure.microsoft.com/en-us/solutions/microservice-applications/,Medium,Capacity & Service Availability Planning,Efficiency,50,"When running multiple applications (typically in multi-tenant or microservices scenarios) density can be increased by deploying them on shared infrastructure and utilizing it more. For example: Containerization and moving to Kubernetes (Azure Kubernetes Services) enables pod-based deployment which can utilize underlying nodes efficiently. 
Similar approach can be taken with App Service Plans. To prevent the 'noisy neighbour' situation, proper monitoring must be in place and performance analysis must be done (if possible)." -60fd90cc-111b-62bd-8d6f-607243cc0b4a,Cost Optimization,WAF Assessment,Understand how the budget is defined,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-alert#revise-budgets,Medium,Governance,Culture & Dynamics,50,"It is important to have a clear understanding how an IT budget is defined. This is especially true for applications that are not built in-house, where IT budget has to be factored in as part of the delivery." -980897a0-ec50-cdb7-d390-e3132af0ef55,Cost Optimization,WAF Assessment,Have ongoing conversation between app owner and business,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reviews,Medium,Governance,Culture & Dynamics,50,Is what's delivered from IT and what the business is expecting from IT mapped to the cost of the application? -44abcd2d-8657-d50d-d13d-37a2e32cb3e7,Cost Optimization,WAF Assessment,Develop a plan to modernize the workload,https://docs.microsoft.com/dotnet/architecture/serverless/,Medium,Application Design,Design,50,"Is there a plan to change the execution model to Serverless? To move as far as you can up the stack towards cloud-native. When the workload is serverless, it's charged only for actual use, whereas whith traditional infrastructure there are many underlying things that need to be factored into the price. By applying an end date to the application it encourages you to discuss the goal of re-designing the application to make even better use of the cloud. It might be more expensive from an Azure cost point of view but factoring in other things like licenses, people, time to deploy can drive down cost." 
-f8588737-a597-44e9-5839-1206700a3115,Cost Optimization,WAF Assessment,Use RBAC to contol access to dashboards and data,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs#provide-the-right-level-of-cost-access,Medium,Health Modeling & Monitoring,Dashboarding,50,"Are the dashboards openly available in your organization or do you limit access based on roles etc.? For example: developers usually don't need to know the overall cost of Azure for the company, but it might be good for them to be able to watch a particular workload." -47e881ba-6e05-f7f9-7d20-3a92294faab6,Cost Optimization,WAF Assessment,Set up alerts for cost limits and thresholds,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-alert#respond-to-alerts,Medium,Health Modeling & Monitoring,Alerting,50,"This is to ensure that if any budget is close to threshold, the cost owner gets notified to take appropriate actions on the change." -3566dbbc-7873-65c6-3c1a-678419dd70f7,Cost Optimization,WAF Assessment,Collect logs and metrics from Azure resources,https://docs.microsoft.com/azure/azure-monitor/platform/data-platform-logs,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,In order to successfully maintain the application it's important to 'turn the lights on' and have clear visibility of important metrics both in real-time and historically. -69dca3f9-58c4-be70-663d-c1871807d7b2,Cost Optimization,WAF Assessment,Use ACM or other cost management tools,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reports,Medium,Health Modeling & Monitoring,Dashboarding,50,"In order to track spending an ACM tool can help with understanding how much is spent, where and when. This helps to make better decisions about how and if cost can be reduced." 
-e585f168-7a45-f829-554a-df56c6556b77,Cost Optimization,WAF Assessment,Utilize the PaaS pay-as-you-go consumption model where relevant,https://docs.microsoft.com/azure/architecture/framework/cost/design-price,Medium,Operational Procedures,Operational Lifecycles,50,"To bring down cost the goal should be to get as many applications to only consume resources when they are used, this goes as an evolution from IaaS to PaaS to serverless where you only pay when a service I triggered. The PaaS and serverless might appear more expensive, but risk and other operational work is transferred to the cloud provider which should also be factored in as part of the cost (e.g. patching, monitoring, licenses)." -4c83ea66-5c04-c5ae-5f3c-ba9ac2a1d09b,Cost Optimization,WAF Assessment,Separate data and log disks,https://docs.microsoft.com/azure/virtual-machines/disks-enable-ultra-ssd,Medium,Application Design,Design,50, -729abfe9-3fc9-26c6-ec58-d1fb8de0e374,Cost Optimization,WAF Assessment,Define end-date for each environment,https://azure.microsoft.com/en-us/services/cost-management/,Medium,Operational Procedures,Operational Lifecycles,50,If your workload or environment isn't needed then you should be able to decommission it. The same should occur if you are introducing a new service or new feature. -a834f198-761f-1e92-aa6b-e95974b0aedc,Cost Optimization,WAF Assessment,Define critical system flows,https://docs.microsoft.com/azure/architecture/framework/resiliency/business-metrics#identify-critical-system-flows,Medium,Application Design,Key Scenarios,50,"Understanding critical system flows is vital to assessing overall operational effectiveness, and should be used to inform a health model for the application. It can also tell if areas of the application are over or under-utilized and should be adjusted to better meet business needs and cost goals." 
-b70f63dc-9892-9e16-158b-a182e0d555c2,Cost Optimization,WAF Assessment,Map application dependencies,https://docs.microsoft.com/azure/azure-monitor/app/app-map?tabs=net,Medium,Application Design,Dependencies,50,"Examples of typical dependencies include platform dependencies outside the remit of the application, such as Azure Active Directory, Express Route, or a central NVA (Network Virtual Appliance), as well as application dependencies such as APIs which may be in-house or externally owned by a third-party. For cost it's important to understand the price for these services and how they are being charged, this makes it easier to understanding an all-up cost. For more details see cost models." -657be5d2-48f4-c32f-8260-f9584f7efd5e,Cost Optimization,WAF Assessment,Understand cloud-native features and implement where possible,https://azure.microsoft.com/en-us/overview/cloudnative/,Medium,Application Design,Design,50,Understanding if the application is cloud-native or not provides a very useful high-level indication about potential technical debt for operability and cost efficiency. -370f5baa-0c12-9a77-b722-2773622c0b7f,Cost Optimization,WAF Assessment,Consider utilizing disk bursting,https://docs.microsoft.com/azure/virtual-machines/disk-bursting,Medium,Capacity & Service Availability Planning,Efficiency,50, -3060a206-88c0-0a45-223f-c0c390f94c51,Cost Optimization,WAF Assessment,Use Azure Advisor,https://docs.microsoft.com/azure/advisor/advisor-cost-recommendations,Medium,Capacity & Service Availability Planning,Service SKU,50,"Azure Advisor helps to optimize and improve efficiency of the workload by identifying idle and under-utilized resources. It analyzes your configurations and usage telemetry and consolidates it into personalized, actionable recommendations to help you optimize your resources." 
-fb4e7ec6-1c31-4647-35cf-f9088fa95dbc,Cost Optimization,WAF Assessment,Review Azure Advisor recommendations periodically,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reports#advisor-recommendations,Medium,Capacity & Service Availability Planning,Service SKU,50,"Your underutilised resources need to be reviewed often in order to be identified and dealt with accordingly, in addition to ensuring that your actionable recommendations are up-to-date and fully optimized. For example, Azure Advisor monitors your virtual machine (VM) usage for 7 days and then identifies low-utilization VMs." -825d5301-ac47-78a1-d658-09b1c9f59450,Cost Optimization,WAF Assessment,Use developer SKUs for dev/test purposes,https://azure.microsoft.com/en-us/pricing/dev-test/,Medium,Deployment & Testing,Testing & Validation,50,"Special SKUs and subscription offers for development and testing purposes can save costs, but have to be used properly. Dev SKUs are not meant for production deployments." -ac7383b1-8e37-9eea-d1e2-9482692ecc93,Cost Optimization,WAF Assessment,The entire end-to-end CI/CD deployment process should be understood,https://azure.microsoft.com/en-us/pricing/details/devops/azure-devops-services/,Medium,Deployment & Testing,Application Code Deployments,50, -957016ae-54bb-e740-9c01-94cfeb612896,Cost Optimization,WAF Assessment,Select the right operating system,https://docs.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree,Medium,Capacity & Service Availability Planning,Efficiency,50,"Analyze the technology stack and identify which workloads are capable of running on Linux and which require Windows. Linux-based VMs and App Services are significantly cheaper, but require the app to run on supported stack (.NET Core, Node.js etc.)." 
-e24109c5-feef-3d6d-18fe-af669ae4159f,Cost Optimization,WAF Assessment,Understand the cost implications of Availability Zones,https://azure.microsoft.com/en-us/global-infrastructure/availability-zones/,Medium,Application Design,Design,50,"[Availability Zones](https://docs.microsoft.com/azure/availability-zones/az-overview#availability-zones) can be used to optimize application availability within a region by providing datacenter level fault tolerance. However, the application architecture must not share dependencies between zones to use them effectively. It is also important to note that Availability Zones may introduce performance and cost considerations for applications which are extremely 'chatty' across zones given the implied physical separation between each zone and inter-zone bandwidth charges. That also means that AZ can be considered to get higher Service Level Agreement (SLA) for lower cost. Be aware of [pricing changes](https://azure.microsoft.com/pricing/details/bandwidth/) coming to Availability Zone bandwidth starting February 2021." -df15a1c7-22d9-f425-8269-59c6596040f0,Cost Optimization,WAF Assessment,Consider using Service Endpoints and Private Link,https://docs.microsoft.com/azure/private-link/private-endpoint-overview,Medium,Security & Compliance,Network Security,50,"Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints from only authorized virtual networks, effectively mitigating data intrusion risks and associated impact to application availability. Service Endpoints provide service level access to a PaaS service, while Private Link provides direct access to a specific PaaS resource to mitigate data exfiltration risks (e.g. malicious admin scenarios)." 
-fe276258-5948-d7a5-7ce4-812457c04cf3,Cost Optimization,WAF Assessment,Be aware of cross-region data transfer costs,https://docs.microsoft.com/azure/architecture/framework/cost/provision-networking#peering,Medium,Networking & Connectivity,Data flow,50,Moving data between regions can add additional cost - both on the storage layer or networking layer. It's worth reviewing if this cost is can be replaced via re-architecture or justified due to e.g. disaster recovery (DR). -8fc4d6a0-13db-e40b-2e34-ef3f8fe41a9c,Cost Optimization,WAF Assessment,Use cost modeling to identify opportunities for cost reduction,https://docs.microsoft.com/azure/architecture/framework/cost/design-model,Medium,Governance,Financial Management & Cost Models,50,"Estimate and track costs, educate the employees about the cloud and various pricing models, have appropriate governance about expenditure." -62deac4b-816d-7d57-f8eb-797cf859215d,Cost Optimization,WAF Assessment,Be aware of cost implications of Web Application Firewall,https://azure.microsoft.com/pricing/details/web-application-firewall/,Medium,Networking & Connectivity,Endpoints,50,"There are cost implications to using Front Door with Web Application Firewall enabled, but it can save costs compared to using a 3rd party solution. Front Door has a good latency, because it uses unicast. If only 1 or 2 regions are required, Application Gateway can be used. There are cost implications of having a WAF - you should check pricing of hours and GB/s." 
-51135af9-11c5-2e3f-1f69-80c82fc26afe,Cost Optimization,WAF Assessment,Consider reserved capacity for Storage,https://docs.microsoft.com/azure/storage/blobs/storage-blob-reserved-capacity,Medium,Capacity & Service Availability Planning,Efficiency,50, -984788bc-681e-3961-d04e-11bf70de16c3,Cost Optimization,WAF Assessment,Use data lifecycle policy,https://docs.microsoft.com/azure/storage/blobs/storage-lifecycle-management-concepts,Medium,Health Modelling & Monitoring,Resource and Infrastructure Level Monitoring,50, -e063778d-cbe4-1eb5-c8be-1af430d77a2a,Cost Optimization,WAF Assessment,Consider using shared disks for suitable workloads,https://docs.microsoft.com/azure/virtual-machines/disks-shared,Medium,Capacity & Service Availability Planning,Efficiency,50, -d07fcd1b-f98d-5408-96fd-a47e24c2a989,Cost Optimization,WAF Assessment,Consider using reserved Premium disks,https://docs.microsoft.com/azure/virtual-machines/disks-reserved-capacity,Medium,Capacity & Service Availability Planning,Efficiency,50, -75fddb91-4c78-568c-9081-944b8bc7c45c,Cost Optimization,WAF Assessment,Use App Service Premium (v3) plan where possible,https://docs.microsoft.com/azure/app-service/app-service-configure-premium-tier,Medium,Application Design,Application Composition,50, -44dc812f-551d-1efd-b37b-4c2ac0149de6,Cost Optimization,WAF Assessment,Consider the cost of data transfers and make sure cross-region peering is used efficiently,https://azure.microsoft.com/en-us/pricing/details/bandwidth/,Medium,Networking & Connectivity,Data flow,50,Moving data between regions can add additional cost - both on the storage layer or networking layer. It's worth reviewing if this cost is can be replaced via re-architecture or justified due to e.g. disaster recovery (DR). 
-f9fbad76-fd17-8ded-616e-d839d1832860,Cost Optimization,WAF Assessment,Configure auto-scale policies for your workload (both in and out),https://docs.microsoft.com/azure/architecture/framework/cost/optimize-autoscale,Medium,Application Design,Application Composition,50,Deliberate selection of resources and sizing is important to maintain efficiency and optimal cost. -2ab9009a-a1a8-3fb8-3d14-266e384b1f63,Cost Optimization,WAF Assessment,Prefer Microsoft backbone for networking,https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/,Medium,Networking & Connectivity,Connectivity,50,Are you closer to your users or on-prem? If users are closer to the cloud you should use MSFT (i.e. egress traffic). MPLS is when another service provider gives you the line. -92f730b8-fef8-d53c-c4a3-45a4b039ae94,Cost Optimization,WAF Assessment,Define a clear price model for individual services,https://docs.microsoft.com/azure/architecture/framework/cost/design-price,Medium,Capacity & Service Availability Planning,Efficiency,50,As part of driving a good behavior it's important that the consumer has understood why they are paying the price for a service and also that the cost is transparent and fair to the user of the service or else it can drive wrong behavior. -61b0cf0d-2897-77bf-9264-45b0d04e2beb,Cost Optimization,WAF Assessment,Define a naming convention,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging,Low,Governance,Standards,30,Using tags can help to manage resources and make it easier to find relevant items during operational procedures. 
-902ad36f-12f6-2be7-9fec-edb072076fff,Cost Optimization,WAF Assessment,Consider spot VMs,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-vm#spot-vms,Low,Capacity & Service Availability Planning,Efficiency,30, -7eec1901-7e10-1be6-d18f-3aafc17d1927,Cost Optimization,WAF Assessment,Pause AKS clusters,https://docs.microsoft.com/azure/aks/start-stop-cluster,Low,Capacity & Service Availability Planning,Efficiency,30, -9bcf8efc-0a3f-cd36-6dbd-51959cc60f60,Cost Optimization,WAF Assessment,Consider B-series VMs,https://docs.microsoft.com/azure/virtual-machines/sizes-b-series-burstable,Low,Capacity & Service Availability Planning,Efficiency,30, -210ea96e-0665-29d2-10c6-18670eb9ec41,Cost Optimization,WAF Assessment,Enforce naming conventions and resource tagging for all Azure resources,https://docs.microsoft.com/azure/architecture/framework/cost/design-governance#enforce-resource-tagging,Low,Governance,Standards,30,Using tags can help to manage resources and make it easier to find relevant items during operational procedures. -0cd8f9a9-2b72-6494-9b68-5800c49b5de2,Cost Optimization,WAF Assessment,Look for Public IPs and orphaned NICs,https://docs.microsoft.com/azure/virtual-machines/linux/find-unattached-nics,Low,Health Modelling & Monitoring,Resource and Infrastructure Level Monitoring,30, -921c2754-a600-c61e-ad1f-818613fed7d2,Operational Excellence,WAF Assessment,Use a log aggregation technology,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#collecting-and-storing-data,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,"Log aggregation technologies, such as Azure Log Analytics or Splunk, should be used to collate logs and metrics across all application components for subsequent evaluation. Resources may include Azure IaaS and PaaS services as well as 3rd-party appliances such as firewalls or anti-malware solutions used in the application. 
For instance, if Azure Event Hub is used, the [Diagnostic Settings](https://docs.microsoft.com/azure/event-hubs/event-hubs-diagnostic-logs) should be configured to push logs and metrics to the data sink. Understanding usage helps with right-sizing of the workload, but additional cost for logging needs to be accepted and included in the cost model." -a405b603-7a34-8241-49f8-22bb5f3240f3,Operational Excellence,WAF Assessment,Define a process for alert reaction,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-owners,Medium,Health Modeling & Monitoring,Alerting,50,"Instead of treating all alerts the same, there should be a well-defined process which determines what teams are responsible to react to which alert type." -aa643090-6e1c-e91f-14e8-6167a5bcceee,Operational Excellence,WAF Assessment,Consider storing application configuration in a dedicated management system like Azure App Configuration or Azure Key Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#key-points,Medium,Operational Procedures,Configuration & Secrets Management,50,Application configuration information can be stored together with the application itself or preferably using a dedicated configuration management system like Azure App Configuration or Azure Key Vault. -28546d8f-334e-c237-7ea5-a5f792b1364f,Performance Efficiency,WAF Assessment,Identify sensible non-functional requirements,https://docs.microsoft.com/azure/architecture/performance/#general-best-practices,Medium,Application Design,Targets & Non-Functional Requirements,50,"Non-functional performance requirements, such as those relating to end-user experiences (e.g. average and maximum response times) are vital to assessing the overall health of an application, and is a critical lens required for assessing operations." 
-20906267-6633-1dcd-7638-e2b622bb9649,Performance Efficiency,WAF Assessment,Monitor how long it takes to scale against your targets,https://docs.microsoft.com,Medium,Application Performance Management,Elasticity,50,"Time to scale-in and scale-out can vary between Azure services and instance sizes and should be assessed to determine if a certain amount of pre-scaling is required to handle scale requirements and expected traffic patterns, such as seasonal load variations." -e148b05b-4bd3-eaa4-8677-86e60d72597d,Performance Efficiency,WAF Assessment,Leverage autoscaling to scale in and out as load varies,https://docs.microsoft.com/azure/architecture/best-practices/auto-scaling,Medium,Application Performance Management,Elasticity,50,Autoscaling can be leveraged to address unanticipated peak loads to help prevent application outages caused by overloading. -87d5e119-7d35-5e74-82fd-87ef83de429f,Performance Efficiency,WAF Assessment,Build a capacity model for your workload,https://docs.microsoft.com/azure/architecture/framework/scalability/design-capacity,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,"A capacity model should describe the relationships between the utilization of various components as a ratio, to capture when and how application components should scale-out." 
------------,,,,,,,,, -,,,,,,,,, -17b97a38-8081-26b8-8666-a46b86c00cca,Security,Advisor,Have you done a threat analysis of your workload?,"Threat modeling processes are adopted, identified threats are ranked based on organizational impact, mapped to mitigations and communicated to stakeholders.","Threat modeling processes are adopted, identified threats are ranked based on organizational impact, mapped to mitigations and communicated to stakeholders.",,,, -3d04e335-68bb-afed-4aa1-b7d13488f5e9,Security,Advisor,Have you done a threat analysis of your workload?,"There's a process to track, triage and address security threats in the application development cycle.","There's a process to track, triage and address security threats in the application development cycle.",,,, -780d0947-4106-6977-02e5-bc68d110788c,Security,Advisor,Have you done a threat analysis of your workload?,Timelines and processess are established to deploy mitigations (security fixes) for identified threats.,,,,, -91dfc75e-4b71-389d-7ba6-0dd867eb52c7,Security,Advisor,Have you done a threat analysis of your workload?,Security requirements are defined for this workload.,,,,, -e2f16f71-53fc-79b5-6ea3-56b320c5b59d,Security,Advisor,Have you done a threat analysis of your workload?,Threat protection was addressed for this workload.,,,,, -ee2f750b-fdcf-0dda-0f83-f455f12bbe94,Security,Advisor,Have you done a threat analysis of your workload?,"Security posture was evaluated with standard benchmarks (CIS Control Framework, MITRE framework etc.).",,,,, -acb1c8a2-8f62-2bc8-0757-09bd6db7b3ca,Security,Advisor,Have you done a threat analysis of your workload?,"Business critical workloads, which may adversely affect operations if they are compromised or become unavailable, were identified and classified.",,,,, -cd2e0002-14df-53be-929c-019dfdde0d10,Security,Advisor,Have you done a threat analysis of your workload?,None of the above.,,,,, -7fb67b92-6637-9e67-6732-925fb2da4273,Security,Advisor,What considerations for 
compliance and governance did you make in this workload?,Regulatory and governance requirements of this workload are known and well understood.,Regulatory and governance requirements of this workload are known and well understood.,,,, -f2d6ab05-09dc-1535-c5e1-a46eed5bb418,Security,Advisor,What considerations for compliance and governance did you make in this workload?,Landing Zone concept is implemented for this workload using Azure Blueprints and/or Azure Policies.,Landing Zone concept is implemented for this workload using Azure Blueprints and/or Azure Policies.,,,, -a17701fc-ea41-46cf-8c32-7bddece486ce,Security,Advisor,What considerations for compliance and governance did you make in this workload?,Azure Policies are used to enforce and control security and organizational standards.,,,,, -18e123ce-89ed-dbb6-3a09-21bfacdacf4e,Security,Advisor,What considerations for compliance and governance did you make in this workload?,Root management group is used and any changes that are applied using this group are carefully considered.,,,,, -c0a4a95d-3746-e8d3-283c-e5a2696b7813,Security,Advisor,What considerations for compliance and governance did you make in this workload?,Compliance for this workload is systematically monitored and maintained. 
Regular compliance attestations are performed.,,,,, -beed6c77-e97a-b22f-016c-5040946b5223,Security,Advisor,What considerations for compliance and governance did you make in this workload?,External or internal audits of this workload are performed periodically.,,,,, -a9b2d924-7b14-2494-4f3d-6245c1810eb9,Security,Advisor,What considerations for compliance and governance did you make in this workload?,Security plan for this workload was developed and is maintained.,,,,, -725cdf48-7dc8-cf5d-21e1-65d035f8859d,Security,Advisor,What considerations for compliance and governance did you make in this workload?,"Best practices and guidelines, based on industry recommendations, are reviewed and applied proactively.",,,,, -70131bfc-7fa3-d207-a1a0-d5ca33db4d49,Security,Advisor,What considerations for compliance and governance did you make in this workload?,Attacker vs. defender costs are considered when implementing defenses. Easy and cheap attack methods are always prevented.,,,,, -2141b194-9fc8-ffe8-4365-203de3878d2c,Security,Advisor,What considerations for compliance and governance did you make in this workload?,Attacker access containment is considered when making investments into security solutions.,,,,, -09ea03bf-2b74-d8eb-3626-423c956bab06,Security,Advisor,What considerations for compliance and governance did you make in this workload?,None of the above.,,,,, -1929c97c-7868-b7ad-9262-3f148be11701,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,"A list of dependencies, frameworks and libraries used by this workload is maintained and updated regularly.",,,,, -162ea6ad-6106-0bd5-ec02-10c6e2c69805,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,Framework and library updates are included into the workload lifecycle.,,,,, -de7e0213-5e4d-1a8a-37aa-f30e60c53eb4,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,"Technologies and 
frameworks used in this workload are fully understood, including their vulnerabilities.",,,,, -8a26d7f8-5a05-d9b2-9ed5-7c2dff3e569f,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,"Security updates to VMs are applied in a timely manner, and strong passwords exist on those VMs for any local administrative accounts that may be in use.",,,,, -3b8fbbbb-86d2-ddd4-d469-c9a76851e336,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,All cloud services used by this workload are identified and it is understood how to configure them securely.,,,,, -885a6da8-39a2-3f0f-90ad-3c4a093d61b5,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,"Personally identifiable information (PII) is detected and removed/obfuscated automatically for this workload, including application logs.",,,,, -e0ed3409-9c54-4c8f-1ee8-51d2b860e02f,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,Azure Tags are used to enrich Azure resources with operational metadata.,,,,, -9cf21509-91d3-57e1-b601-78cb750b78b9,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,Elevated security capabilities such as dedicated Hardware Security Modules (HSMs) or the use of Confidential Computing was implemented or considered implementing?,,,,, -a5406d8c-cebc-9ecf-0722-7b9568a466bf,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,None of the above.,None of the above.,,,, -7fcb4dcc-65f5-98a3-a6e1-1d788ba1e4b8,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,Formal DevOps approach to building and maintaining software in this workload was adopted.,,,,, -b64e834e-b1e6-adde-1ae5-ea54c35863fe,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,"DevOps 
security guidance based on industry lessons-learned, and available automation tools (OWASP guidance, Microsoft toolkit for Secure DevOps etc.) is leveraged.",,,,, -e40889e8-a3b7-fa68-9724-95bc964c65c0,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,Gates and approvals are configured in DevOps release process of this workload.,,,,, -257c40fc-e55c-f687-afea-0023e6fb0da2,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Security team is involved in planning, design and the rest of DevOps process of this workload.",,,,, -4dc27a63-42b9-d425-e409-49dd0fb64246,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,Deployments are automated and it's possible to deploy N+1 and N-1 version (where N is the current production).,,,,, -5e885369-f711-0b31-f8bf-40b2b67c362b,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,Code scanning tools are integrated as part of the continuous integration (CI) process for this workload and cover also 3rd party dependencies.,,,,, -ded9a841-6ffa-b463-df28-e76777fb4af7,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Credentials, certificates and other secrets are managed in a secure manner inside of CI/CD pipelines.",,,,, -e49846a5-ebf5-f6f3-4f59-d058f552730c,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Branch policies are used in source control management, main branch is protected and code reviews are required.",,,,, -1daa7ecb-5ac2-dfd4-2a08-01c2721412e9,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,Security controls are applied to all self-hosted build agents used by this workload (if any).,,,,, -1b13031a-4787-7e46-40f7-9ea0e176e879,Security,Advisor,Have you 
adopted a formal secure DevOps approach to building and maintaining software?,CI/CD roles and permissions are clearly defined for this workload.,,,,, -5e3879e2-4dc2-50ff-48ac-16c162a90954,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,None of the above.,None of the above.,,,, -fbcf30ab-8d3a-3172-46cb-553a7915a5fc,Security,Advisor,Is the workload developed and configured in a secure way?,Cloud services are used for well-established functions instead of building custom service implementations.,,,,, -ffee182e-ecd7-a512-71e5-b5070bc42f65,Security,Advisor,Is the workload developed and configured in a secure way?,Detailed error messages and verbose information are hidden from the end user/client applications. Exceptions in code are handled gracefully and logged.,,,,, -2d5b6cbc-869e-9c51-f52f-fdf270091686,Security,Advisor,Is the workload developed and configured in a secure way?,Platform specific information (e.g. web server version) is removed from server-client communication channels.,,,,, -fd4cc0db-5690-28ec-1776-481951b90a78,Security,Advisor,Is the workload developed and configured in a secure way?,CDN (content delivery network) is used to separate the hosting platform and end-users/clients.,,,,, -abb06d86-4f44-4b1a-e204-37459c8d96cb,Security,Advisor,Is the workload developed and configured in a secure way?,"Application configuration is stored using a dedicated configuration management system (Azure App Configuration, Azure Key Vault etc.)",,,,, -3e13c74d-c19e-f4ee-a3bc-c4c6110ec2fb,Security,Advisor,Is the workload developed and configured in a secure way?,"Access to data storage is identity-based, whenever possible.",,,,, -5d6302e8-202b-0f13-d357-d60f81654d9d,Security,Advisor,Is the workload developed and configured in a secure way?,Authentication tokens are cached securely and encrypted when sharing across web servers.,,,,, -5956b3c3-301a-5195-3a18-bd2c1abc220a,Security,Advisor,Is the workload developed and 
configured in a secure way?,There are controls in place for this workload to detect and protect from data exfiltration.,,,,, -20784133-cb96-1c32-9167-48f3f4c8a5df,Security,Advisor,Is the workload developed and configured in a secure way?,None of the above.,None of the above.,,,, -66846414-d112-1b9e-9543-829a521ac3db,Security,Advisor,How are you monitoring security-related events in this workload?,Tools like Azure Security Center are used to discover and remediate common risks within Azure tenants.,,,,, -6c669070-8613-dcdf-3542-f7c1b247da6b,Security,Advisor,How are you monitoring security-related events in this workload?,A central SecOps team monitors security related telemetry data for this workload.,,,,, -71621d9a-c7f7-d578-ce92-977f97cf7d08,Security,Advisor,How are you monitoring security-related events in this workload?,The security team has read-only access into all cloud environment resources for this workload.,,,,, -8dd14cc4-5385-470b-2923-0e2669903c54,Security,Advisor,How are you monitoring security-related events in this workload?,"The security team has access to and monitor all subscriptions and tenants that are connected to the existing cloud environment, relative to this workload.",,,,, -7676af6f-9c6d-0aad-96b1-70de579ec2ed,Security,Advisor,How are you monitoring security-related events in this workload?,Identity related risk events related to potentially compromised identities are actively monitored.,,,,, -b04a8c5f-b574-3c33-7876-bd29c4e9c790,Security,Advisor,How are you monitoring security-related events in this workload?,"Communication, investigation and hunting activities are aligned with the workload team.",,,,, -7a0e46b1-60f2-cb01-d05b-ae1e75dc53a5,Security,Advisor,How are you monitoring security-related events in this workload?,Periodic & automated access reviews of the workload are conducted to ensure that only authorized people have access?,,,,, -dd3cd59b-35bd-4e1d-b8c3-c464ad51feae,Security,Advisor,How are you monitoring security-related events 
in this workload?,Cloud application security broker (CASB) is leveraged in this workload.,,,,, -4b03d205-ac04-4699-ac32-ee9d7cf2c588,Security,Advisor,How are you monitoring security-related events in this workload?,A designated point of contact was assigned for this workload to receive Azure incident notifications from Microsoft.,,,,, -4f701c6e-381c-d12f-bfed-500b04f5cf59,Security,Advisor,How are you monitoring security-related events in this workload?,None of the above.,None of the above.,,,, -84d1b2ce-f621-d55e-7997-2357a54718af,Security,Advisor,How is security validated and how do you handle incident response when breach happens?,"For containerized workloads, Azure Defender (Azure Security Center) or other third-party solution is used to scan for vulnerabilities.",,,,, -6da1ef86-135c-7f14-030a-c4be6173f40e,Security,Advisor,How is security validated and how do you handle incident response when breach happens?,Penetration testing is performed in-house or a third-party entity performs penetration testing of this workload to validate the current security defenses.,,,,, -230ee0e4-1ea4-4c6b-721d-0e8908f730cf,Security,Advisor,How is security validated and how do you handle incident response when breach happens?,"Simulated attacks on users of this workload, such as phishing campaigns, are carried out regularly.",,,,, -f9a1220e-b455-2da1-1067-9def12503633,Security,Advisor,How is security validated and how do you handle incident response when breach happens?,Operational processes for incident response are defined and tested for this workload.,,,,, -9519b6ff-80f6-021d-1075-a86ff347dc4f,Security,Advisor,How is security validated and how do you handle incident response when breach happens?,"Playbooks are built to help incident responders quickly understand the workload and components, to mitigate an attack and do an investigation.",,,,, -cc3c0825-23f0-da09-4e59-9db4b670f004,Security,Advisor,How is security validated and how do you handle incident response when breach 
happens?,There's a security operations center (SOC) that leverages a modern security approach.,,,,, -77a528bd-eda1-3cd0-e75e-48092da24056,Security,Advisor,How is security validated and how do you handle incident response when breach happens?,A security training program is developed and maintained to ensure security staff of this workload are well-informed and equipped with the appropriate skills.,,,,, -1d817dad-eb58-dc07-5d11-8b6d769dab40,Security,Advisor,How is security validated and how do you handle incident response when breach happens?,None of the above.,None of the above.,,,, -7fd9fc3b-325c-67e5-176c-1f4237937f19,Security,Advisor,How is connectivity secured for this workload?,"Services used by this workload, which should not be accessible from public IP addresses, are protected with network restrictions / IP firewall rules.",,,,, -fd742a02-36b4-7a13-a184-69cbd6684e74,Security,Advisor,How is connectivity secured for this workload?,Service Endpoints or Private Links are used for accessing Azure PaaS services.,,,,, -9a707379-435f-ff18-87c8-cc2b74b3eede,Security,Advisor,How is connectivity secured for this workload?,Azure Firewall or any 3rd party next generation firewall is used for this workload to control outgoing traffic of Azure PaaS services (data exfiltration protection) where Private Link is not available.,,,,, -1c3bfe77-9195-b660-0804-0ec02c3196c7,Security,Advisor,How is connectivity secured for this workload?,Network security groups (NSG) are used to isolate and protect traffic within the workloads VNet.,,,,, -4bbf5a29-3c18-397c-08ca-ae172a940b7c,Security,Advisor,How is connectivity secured for this workload?,NSG flow logs are configured to get insights about incoming and outgoing traffic of this workload.,,,,, -79ad30ed-b521-ad28-01c1-3f0fe2e931fe,Security,Advisor,How is connectivity secured for this workload?,"Access to the workload backend infrastructure (APIs, databases, etc.) 
is restricted to only a minimal set of public IP addresses - only those who really need it.",,,,, -d938d654-4d6d-3045-5b82-cc7a80544136,Security,Advisor,How is connectivity secured for this workload?,Identified groups of resources are isolated from other parts of the organization to aid in detecting and containing adversary movement within the enterprise.,,,,, -f2409c9b-90b6-54cd-81c5-ee12e2e32596,Security,Advisor,How is connectivity secured for this workload?,"All public endpoints of this workload are protected/secured with appropriate solution (i.e. Azure Front Door, Azure Firewall...).",,,,, -bc750e9d-343c-9164-2326-cbc6460801e8,Security,Advisor,How is connectivity secured for this workload?,"Publishing methods for this workload (e.g FTP, Web Deploy) are protected.",,,,, -10831644-0c0e-7f92-4857-5097ed277fab,Security,Advisor,How is connectivity secured for this workload?,Code is published to this workload using CI/CD process instead of manually.,,,,, -f123c735-e9a7-ad49-e73d-98a21d3f631a,Security,Advisor,How is connectivity secured for this workload?,"Workload virtual machines running on premises or in the cloud don't have direct internet connectivity for users that may perform interactive logins, or by applications running on virtual machines.",,,,, -00f0c7fe-be07-d9ca-4ab8-7dbde220c20a,Security,Advisor,How is connectivity secured for this workload?,There's a capability and plans in place to mitigate DDoS attacks for this workload.,,,,, -a64d0af3-01ff-f9e0-df3d-c0b5ea478e58,Security,Advisor,How is connectivity secured for this workload?,None of the above.,None of the above.,,,, -aef28f02-d7fa-4f98-8ecd-e41f914815c9,Security,Advisor,How have you secured the network of your workload?,"There's a designated group within the organization, which is responsible for centralized network management security of this workload.",,,,, -6d6848da-af07-d944-97ff-78cda7595ff7,Security,Advisor,How have you secured the network of your workload?,"There are controls in place to 
ensure that security extends past the network boundaries of the workload in order to effectively prevent, detect, and respond to threats.",,,,, -d3ac057b-883d-4916-5edd-e4bb968744a2,Security,Advisor,How have you secured the network of your workload?,Enhanced network visibility is enabled by integrating network logs into a Security information and event management (SIEM) solution or similar technology.,,,,, -507bf4a6-5e01-bd2c-253d-941e87851020,Security,Advisor,How have you secured the network of your workload?,Cloud virtual networks are designed for growth based on an intentional subnet security strategy.,,,,, -bd0c4e5e-830b-2176-3adc-0e16b4559dd4,Security,Advisor,How have you secured the network of your workload?,"This workload has a security containment strategy that blends existing on-premises security controls and practices with native security controls available in Azure, and uses a zero-trust approach.",,,,, -a6748cc5-3f6b-6328-589d-2243bf023c9a,Security,Advisor,How have you secured the network of your workload?,Legacy network security controls for data loss prevention were deprecated.,,,,, -61f5e443-3652-7cf3-d91c-dc3938ecb6a7,Security,Advisor,How have you secured the network of your workload?,"Traffic between subnets, Azure components and tiers of the workload is managed and protected.",,,,, -258e57dd-dba4-a82e-116e-bdb5d4f8ae9e,Security,Advisor,How have you secured the network of your workload?,None of the above.,None of the above.,,,, -cb625627-8173-0646-8ebb-0d21a5d994c1,Security,Advisor,How are you managing encryption for this workload?,The workload uses industry standard encryption algorithms instead of creating own.,,,,, -f692acbf-2d90-50ba-ece2-cd4dd057edc3,Security,Advisor,How are you managing encryption for this workload?,The workload communicates over encrypted (TLS / HTTPS) network channels only.,,,,, -68d87aa0-af61-ab56-9c05-d8719bff63f4,Security,Advisor,How are you managing encryption for this workload?,TLS 1.2 or 1.3 is used by default across 
this workload.,,,,, -63507301-6e72-25d9-1432-cd671907ba1e,Security,Advisor,How are you managing encryption for this workload?,Secure modern hashing algorithms (SHA-2 family) are used.,,,,, -30ab4ac2-c40d-9681-3749-d9911aa8ae68,Security,Advisor,How are you managing encryption for this workload?,Data at rest is protected with encryption.,,,,, -3b57a858-89c6-98f1-3835-bc473fdc5b5d,Security,Advisor,How are you managing encryption for this workload?,Data in transit is encrypted.,,,,, -4464f946-9d28-9030-9ef6-8dbe0f87fdfe,Security,Advisor,How are you managing encryption for this workload?,Virtual disk files for virtual machines which are associated with this workload are encrypted.,,,,, -94090d63-2307-7752-cd9a-8ca043e3b4c2,Security,Advisor,How are you managing encryption for this workload?,None of the above.,None of the above.,,,, -a987603e-4918-6631-3126-de87ce686991,Security,Advisor,"Are keys, secrets and certificates managed in a secure way?",There's a clear guidance or requirement on what type of keys (PMK - Platform Managed Keys vs. 
CMK - Customer Managed Keys) should be used for this workload.,,,,, -b504cd36-8c45-8ab6-ca80-bfbd29d695c4,Security,Advisor,"Are keys, secrets and certificates managed in a secure way?","Passwords and secrets are managed outside of application artifacts, using tools like Azure Key Vault.",,,,, -2d661770-8a40-fbb9-9e7d-b75ad6db49ae,Security,Advisor,"Are keys, secrets and certificates managed in a secure way?",Access model for keys and secrets is defined for this workload.,,,,, -64932c3a-33dd-5491-fe42-904cc7705850,Security,Advisor,"Are keys, secrets and certificates managed in a secure way?",A clear responsibility / role concept for managing keys and secrets is defined for this workload.,,,,, -983ec8a8-6344-035a-ad54-4edbc0db9e6b,Security,Advisor,"Are keys, secrets and certificates managed in a secure way?",Secret/key rotation procedures are in place.,,,,, -8706ce30-8521-756a-5293-067baf264ba1,Security,Advisor,"Are keys, secrets and certificates managed in a secure way?",Expiry dates of SSL/TLS certificates are monitored and there are renewal processes in place.,,,,, -fd93500b-7ea3-5be0-2e11-d4d218a99db7,Security,Advisor,"Are keys, secrets and certificates managed in a secure way?",None of the above.,None of the above.,,,, -e95a4dce-f3b8-7bf7-5bad-53b4e6a33ed8,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,There are tools and processes in place to grant just-in-time access.,,,,, -0c318fe8-b4cc-e2c7-3e64-714ccf05b76d,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,No user accounts have long-standing write access to production environments.,,,,, -baf1db81-9d94-b576-f11d-dcdad966db3a,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,Appropriate emergency access accounts are configured for this workload in case of an emergency.,,,,, -ee25dc2a-09e5-20b9-77e3-a71f7619baaa,Security,Advisor,What security controls do you have in 
place for access to Azure infrastructure?,Lines of responsibility and designated responsible parties were clearly defined for specific functions in Azure.,,,,, -9d71072c-146d-56c9-ccf4-d901861fc4de,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,The application team has a clear view on responsibilities and individual/group access levels for this workload.,,,,, -4a4cb08c-56ba-ff65-7e81-acb6f64d8267,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,Workload infrastructure is protected with role-based access control (RBAC).,,,,, -776f3694-f14d-72a4-fc21-24a8aa37f796,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,Resource locks are leveraged to protect critical infrastructure of this workload.,,,,, -7bdbb199-f2db-9b4d-5301-ca171b7dcbc3,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,"Direct access to the infrastructure through Azure Portal, command-line Interface (CLI) or REST API is limited and CI/CD is preferred.",,,,, -02aeba1c-d1fe-1e24-7a1d-c257b5cdc970,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,Permissions to Azure workloads are rarely based on individual resources and custom permissions are rarely used.,,,,, -2456d9e7-3dd0-ccea-acc1-d762580f3b73,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,There are processes and tools being used to manage privileged activities. 
Long standing administrative access is avoided whenever possible.,,,,, -5a6c1bbf-8162-f11c-6049-2d8c4676e76b,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,There is a lifecycle management policy for critical accounts in this workload and privileged accounts are reviewed regularly.,,,,, -4c594b73-6a46-602e-c0ea-a49b2347912b,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,None of the above.,None of the above.,,,, -0202b627-b703-4c2f-d5dc-42c659b48f17,Security,Advisor,How are you managing identity for this workload?,When communicating with Azure platform services managed identities are preferred over API keys and connection strings.,,,,, -cb975be0-1113-d336-ab83-32f726694dca,Security,Advisor,How are you managing identity for this workload?,All APIs in this workload require clients to authenticate.,,,,, -e1595b14-8398-7af3-2850-4f179f721d59,Security,Advisor,How are you managing identity for this workload?,"Modern authentication protocols (OAuth 2.0, OpenID) are used by this workload.",,,,, -2e5e1251-4bee-d4aa-8622-73ce2d25f0ee,Security,Advisor,How are you managing identity for this workload?,"Azure Active Directory or other managed identity provider (Microsoft Account, Azure B2C etc.) is used for user authentication.",,,,, -4d564aea-e6f4-1811-de6a-c83cebfc5496,Security,Advisor,How are you managing identity for this workload?,Authentication via identity services is prioritized for this workload vs. 
cryptographic keys.,,,,, -776601f7-4286-8e2d-e021-df7de0bfe390,Security,Advisor,How are you managing identity for this workload?,Conditional access policies are implemented for users of this workload.,,,,, -abb83e16-2760-8498-e332-e5874f13a7d5,Security,Advisor,How are you managing identity for this workload?,Password-less or multi-factor authentication (MFA) is enforced for users of this workload.,,,,, -24152878-34f8-498d-ac3a-879fdd7d33de,Security,Advisor,How are you managing identity for this workload?,Current on-premises Active Directory is synchronized with Azure AD or other cloud identity system.,,,,, -afc09eb6-313b-5e74-9a60-19486ace55e0,Security,Advisor,How are you managing identity for this workload?,None of the above.,None of the above.,,,, -8fa8053d-adf2-a3ce-cb08-e2c4636db28a,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,Cloud costs are being modelled for this workload.,,,,, -92eb54e9-6b28-7f97-8e08-f27ebca01bb2,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,The price model of the workload is clear.,,,,, -007ab17e-d787-4f9e-06de-c8813682071f,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,Critical system flows through the application have been defined for all key business scenarios.,,,,, -c98e4398-6595-7a8e-dfa4-620da450e684,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,There is a well-understood capacity model for the workload.,,,,, -79617aff-2e20-d8e0-35e7-a93f27fa7f72,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,Internal and external dependencies are identified and cost implications understood.,,,,, -a80d39c2-86aa-e370-e740-bfb490d11fa7,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,Cost implications of each Azure service used by the application are understood.,,,,, -e6de9af4-c273-ee00-10e3-def2f82951b4,Cost Optimization,Advisor,How are you modeling cloud costs of this 
workload?,The right operational capabilities are used for Azure services.,,,,, -093c763f-afa3-2f3f-db3e-3c11aedac2c3,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,Special discounts given to services or licenses are factored in when calculating new cost models for services being moved to the cloud.,,,,, -91e065b5-36f1-bccc-b485-e119f7e831c8,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,Azure Hybrid Use Benefit is used to drive down cost in the cloud.,,,,, -8e3f221d-2a33-8976-ca2f-89f97a2da464,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,None of the above.,None of the above.,,,, -422350e3-3409-50f1-2f8a-e12efab260b5,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,Budgets are assigned to all services in this workload.,,,,, -b8bff044-7048-aa72-7ed5-3a4b26091785,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,There is a cost owner for every service used by this workload.,,,,, -af727fc7-1954-69db-3faf-2f3a37b4e684,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,Cost forecasting is done to ensure it aligns with the budget.,,,,, -1f56ec95-427f-a98e-e279-980eaf311667,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,There is a monthly or yearly meeting where the budget is reviewed.,,,,, -86a0d4bb-0313-49b7-fba5-a1d8fb4dd79c,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,Every environment has a target end-date.,,,,, -0b5b93b1-1c1a-6922-ad11-05d4ec55d3d8,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,Every environment has a plan for migrating to PaaS or serverless to lower the all up cost and transfer risk.,,,,, -50814dfd-e567-69e8-24bc-93ad9af203c7,Cost Optimization,Advisor,How do you govern budgets 
and application lifespan for this workload?,There is a clear understanding of how budget is defined.,,,,, -5275006f-af1d-b7c0-3f4d-6ea765693160,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,Budget is factored into the building phase.,,,,, -c89f60e9-c2c9-82c5-4831-da970e3e3db6,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,There is an ongoing conversation between the app owner and the business.,,,,, -ae165e0b-2d30-1f72-b463-7be6a01a3275,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,There is a plan to modernize the workload.,,,,, -bc6a8bef-632d-3abc-34df-4fe79bc8528a,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,Azure Tags are used to enrich Azure resources with operational metadata.,,,,, -1c1b2a1d-cbd0-2be6-93da-17ede1bbcd2e,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,The application has a well-defined naming standard for Azure resources.,,,,, -de966b37-3d2f-0dbc-9f82-c1b9ec999ffb,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,Role Based Access Control (RBAC) is used to control access to operational and financial dashboards and underlying data.,,,,, -73d70b97-a6f5-8e77-1451-d81a6faac788,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,None of the above.,None of the above.,,,, -e1cedccf-6182-7424-a06a-383f71ed4a5b,Cost Optimization,Advisor,How are you monitoring costs of this workload?,Alerts are set for cost thresholds and limits.,,,,, -0dbe824b-4a11-f1e9-2d1b-e6c7c673e831,Cost Optimization,Advisor,How are you monitoring costs of this workload?,Specific owners and processes are defined for each alert type.,,,,, -bf26c15d-b187-3b50-5ad0-8b0c2c48b4bb,Cost Optimization,Advisor,How are you monitoring costs of this 
workload?,Application Performance Management (APM) tools and log aggregation technologies are used to collect logs and metrics from Azure resources.,,,,, -9acaee33-5b77-4bb9-54e3-c0823ce37599,Cost Optimization,Advisor,How are you monitoring costs of this workload?,Cost Management Tools (such as Azure Cost Management) are being used to track spending in this workload.,,,,, -6fe148cc-0ab5-3247-1950-bb1ded7d0bc7,Cost Optimization,Advisor,How are you monitoring costs of this workload?,None of the above.,None of the above.,,,, -8ed1c3c6-fab1-2a6e-f0d7-071860baf21b,Cost Optimization,Advisor,How do you optimize the design of this workload?,The application was built natively for the cloud.,,,,, -0df7b80b-8b17-3176-6fa6-9e5d0563c01e,Cost Optimization,Advisor,How do you optimize the design of this workload?,There is an availability strategy defined and cost implications of it are understood.,,,,, -b0003b70-abe8-614a-90ef-4a9dc3f217ee,Cost Optimization,Advisor,How do you optimize the design of this workload?,This workload benefits from higher density.,,,,, -ec7293ec-ea2a-f8c3-641c-bf244501b51d,Cost Optimization,Advisor,How do you optimize the design of this workload?,Data is being transferred between regions.,,,,, -5747cc88-91ac-8de8-90fa-a7ac12f5ddf9,Cost Optimization,Advisor,How do you optimize the design of this workload?,Multi-region deployment is supported and cost implications understood.,,,,, -d94fbe9d-1e49-e3a4-42f2-ddd50fed1794,Cost Optimization,Advisor,How do you optimize the design of this workload?,The workload is designed to use Availability Zones within a region.,,,,, -0a55d285-1f5f-21b7-58e4-a15ee99028b5,Cost Optimization,Advisor,How do you optimize the design of this workload?,None of the above.,None of the above.,,,, -10a67868-8c5b-7ea4-5ba2-1db0e229a6c7,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,Performance requirements are well-defined.,,,,, -c1c2b95d-8f7c-55c5-f9b1-48b3ecc39e96,Cost 
Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,Targets for the time it takes to perform scale operations are defined and monitored.,,,,, -d96a58bc-10ab-d5f2-c7a9-c8c2aa87d648,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,The workload is designed to scale independently.,,,,, -ae2a33e1-6db1-0f79-e03a-fe4f47a73b6b,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,The application has been designed to scale both in and out.,,,,, -b3c5c41d-339a-235e-9052-4bea6a136a4b,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,Application components and data are split into groups as part of your disaster recovery strategy.,,,,, -7de75b9d-6d23-bee2-f8c5-a48214be296d,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,Tools (such as Azure Advisor) are being used to optimise SKUs discovered in this workload.,,,,, -85b03460-87a4-1524-27ac-5ab8fe5d20b2,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,Resources are reviewed weekly or bi-weekly for optimization.,,,,, -2f7d2d58-2e95-23ef-3f6e-a6ed0d35e83e,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,Cost-effective regions are considered as part of the deployment selection.,,,,, -c31c274b-8b52-732e-37f2-eb927a5c72da,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,Dev/Test offerings are used correctly.,,,,, -d8bff63b-3533-9996-5b6f-f479ebce8afc,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,Shared hosting platforms are used correctly.,,,,, -ea8bec59-0284-205d-bbb6-af3e7a6c9c5a,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,None of the above.,None of the above.,,,, 
-2d4fe70f-b69f-3df7-4e28-d95eaea77c8b,Cost Optimization,Advisor,What considerations for DevOps practices are you making in this workload?,There is an automated process to deploy application releases to production.,,,,, -9cfbd0b0-3299-410f-0f6b-5bb791411819,Cost Optimization,Advisor,What considerations for DevOps practices are you making in this workload?,There is a difference in configuration for production and non-production environments.,,,,, -6e4410ac-b439-9ade-5031-2d59742d453a,Cost Optimization,Advisor,What considerations for DevOps practices are you making in this workload?,Test-environments are deployed automatically and deleted after use.,,,,, -054b89b3-40b1-35c5-0671-485b97904bfb,Cost Optimization,Advisor,What considerations for DevOps practices are you making in this workload?,There is awareness around how the application has been built and is being maintained (in house or via an external partner).,,,,, -294e6c64-eca1-ee77-555e-45c8dab66cab,Cost Optimization,Advisor,What considerations for DevOps practices are you making in this workload?,There is awareness regarding the ratio of cost of production and non-production environments for this workload.,,,,, -2d37b9d8-50c1-8c56-314c-48d7a32d0449,Cost Optimization,Advisor,What considerations for DevOps practices are you making in this workload?,None of the above.,None of the above.,,,, -12c988e5-c56c-1373-a903-deae63450b34,Cost Optimization,Advisor,How do you manage compute costs for this workload?,Appropriate SKUs are used for workload servers.,,,,, -6e316454-4e2c-d4cd-5a47-67a4101241dc,Cost Optimization,Advisor,How do you manage compute costs for this workload?,Appropriate operating systems are used in the workload.,,,,, -214453fc-7206-dd4f-e626-fcc15b9d098e,Cost Optimization,Advisor,How do you manage compute costs for this workload?,A recent review of SKUs that could benefit from Reserved Instances for 1 or 3 years or more has been performed.,,,,, -77ff5671-75af-ae73-224f-bc85b91f083f,Cost 
Optimization,Advisor,How do you manage compute costs for this workload?,Burstable (B) series VM sizes are used for VMs that are idle most of the time and have high usage only in certain periods.,,,,, -113bda12-28ca-ecb0-85c9-8fdd2c38544e,Cost Optimization,Advisor,How do you manage compute costs for this workload?,VM instances which are not used are shut down.,,,,, -9ae1855c-395c-e98e-ea86-ffede1e35209,Cost Optimization,Advisor,How do you manage compute costs for this workload?,Spot virtual machines are used.,,,,, -e08c6da1-8909-9df4-5aa8-ddffe93db8ed,Cost Optimization,Advisor,How do you manage compute costs for this workload?,PaaS is used as an alternative to buying virtual machines.,,,,, -7426d8dd-df3f-84f2-6bb2-ec97497f4f3b,Cost Optimization,Advisor,How do you manage compute costs for this workload?,Costs are optimized by using the App Service Premium (v3) plan over the Premium (Pv2) plan.,,,,, -32575008-9f43-e764-1491-15a6da2ee498,Cost Optimization,Advisor,How do you manage compute costs for this workload?,Zone to Zone disaster recovery is used for virtual machines.,,,,, -3b81fe72-3d39-3846-53a7-f5379f377e52,Cost Optimization,Advisor,How do you manage compute costs for this workload?,The Start/Stop feature in Azure Kubernetes Services (AKS) is used.,,,,, -d37fb652-1a0b-d9c4-4902-615bf584f00b,Cost Optimization,Advisor,How do you manage compute costs for this workload?,None of the above.,None of the above.,,,, -c9af77f7-eb3c-496d-a47d-05c96d5c8776,Cost Optimization,Advisor,How do you manage networking costs for this workload?,Service Endpoints or Private Link are used for accessing Azure PaaS services.,,,,, -b90afaff-2da8-3042-2fc8-71e4c4e2697a,Cost Optimization,Advisor,How do you manage networking costs for this workload?,Hub and spoke design pricing is understood.,,,,, -13720def-a339-d9dd-d120-6bde319dff18,Cost Optimization,Advisor,How do you manage networking costs for this workload?,Microsoft backbone network is preferred.,,,,, 
-f01899e1-424e-646d-e30b-20e561aa64fe,Cost Optimization,Advisor,How do you manage networking costs for this workload?,DDoS attack mitigation plans and capabilities are in place.,,,,, -bf23c3c7-6323-2fde-2360-d61335db8582,Cost Optimization,Advisor,How do you manage networking costs for this workload?,"Azure Front Door, Azure App Gateway or Web Application Firewall is used.",,,,, -9a52ddd1-6a46-8e6d-5526-9cba71f6c201,Cost Optimization,Advisor,How do you manage networking costs for this workload?,The workload is connected between regions (using network peering or gateways).,,,,, -9eb845a8-d7df-3032-c23d-c5119a7f09e8,Cost Optimization,Advisor,How do you manage networking costs for this workload?,Azure resources are connecting to the internet via on-premises.,,,,, -603a73d8-93e3-74a9-4c39-4f75383e10b6,Cost Optimization,Advisor,How do you manage networking costs for this workload?,Public IPs and orphaned NICs are regularly cleaned up.,,,,, -a6cbcefe-6dd2-ef1f-cea5-a7bb944b4bfd,Cost Optimization,Advisor,How do you manage networking costs for this workload?,None of the above.,None of the above.,,,, -cf9fb025-ef60-3cc6-edac-5d9246617fd5,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,Reserved capacity is used for data in block blob storage.,,,,, -74d17179-274b-06b3-ebc2-ffe4b1f4c998,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,Data is organized into access tiers.,,,,, -3784623b-15e8-212b-2b9f-58c427da0c00,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,Life-cycle policy is used to move data between access tiers.,,,,, -892ee65e-3511-5be3-7dc5-27c87e4d2818,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,Shared disks are leveraged for suitable workloads.,,,,, -7242ce64-221c-3280-ad61-0a531582bbec,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,Reserved premium disks (P30 & above) are 
used.,,,,, -9c795df2-b2a8-aa9e-b351-05e8a6af505e,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,Bursting for P20 and below disks is utilized for suitable workloads.,,,,, -fb6c72b8-d703-3279-4bae-83b33269f4b1,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,"For database workloads, data and log files are stored on separate disks.",,,,, -38860e0e-bf61-16dd-140b-7c677d41c56c,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,"Unused storage resources (e.g. unattached disks, old snapshots) are periodically cleaned up.",,,,, -b60fbb04-6a97-8bc7-150c-979223664296,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,Selective disk backup and restore for Azure VMs is used.,,,,, -208e46e8-fde8-313b-9b84-d33d637d6629,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,None of the above.,None of the above.,,,, \ No newline at end of file diff --git a/WARP/devops/testing/second-run.csv b/WARP/devops/testing/second-run.csv deleted file mode 100644 index 3eaf0f3..0000000 --- a/WARP/devops/testing/second-run.csv +++ /dev/null 
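Review bot: deleting WARP/devops/testing/All-Plus-Advisor.csv drops the only fixture in this hunk that exercises the GUID-keyed Cost Optimization "Advisor" question/answer rows (including the terminating "None of the above.,None of the above." rows and the missing trailing newline), so any parser test that consumed this shape now has no sample input; suggest committing a small synthetic CSV with the same header and a handful of rows in its place rather than removing coverage outright. Removing the real export itself is sound, since it is a generated assessment of an actual environment, but a deletion in this commit does not remove the file from repository history.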
@@ -1,399 +0,0 @@ -second-run,,,,,,,,, -,,,,,,,,, -Recommendations for your workload,,,,,,,,, -Your overall results,Critical,'2/100',,,,,,, -Security,Critical,'4/100',,,,,,, -Cost Optimization,Critical,'0/100',,,,,,, -Reliability,Not assessed,,,,,,,, -Operational Excellence,Not assessed,,,,,,,, -Performance Efficiency,Not assessed,,,,,,,, -,,,,,,,,, -Next Steps,,,,,,,,, -Review identify and classify business critical applications,https://docs.microsoft.com/azure/architecture/framework/Security/applications-services#identify-and-classify-business-critical-applications,,,,,,,, -Review prefer identity authentication over keys,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-identity-based-authentication,,,,,,,, -Implement resource tagging,https://docs.microsoft.com/azure/architecture/framework/cost/design-governance#enforce-resource-tagging,,,,,,,, -,,,,,,,,, -ID,Category,Source,Link-Text,Link,Priority,ReportingCategory,ReportingSubcategory,Weight,Context -125058ca-ff29-9d34-3733-61d22eb17474,Security,Advisor,DUP- Storage account should use a private link connection for 4 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -dbaee9ac-f6f8-9c2c-c780-253ebc7dbb40,Security,Advisor,Log Analytics agent should be installed on your virtual machine for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -173f859e-f870-95af-5abe-703eb8788513,Security,Advisor,DUP- Management ports of virtual machines should be protected with just-in-time network access control for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -59467113-5328-c100-914e-cd3d4f96a19d,Security,Advisor,Secure transfer to storage accounts should be enabled for 3 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -61b0356a-6307-f4d5-632a-f177b6f1d9cc,Security,Advisor,DUP- Azure Defender for DNS should be enabled for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, 
-a21e887a-9ae0-e47f-71b3-522aad0b28bf,Security,Advisor,Azure Defender for Resource Manager should be enabled for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -6f8f8901-677b-3158-379b-30fd6b5c3525,Security,Advisor,DUP- There should be more than one owner assigned to your subscription for 1 Subscription(s),https://aka.ms/azure-advisor-portal,High,,,0, -05ff61db-0481-76a1-230f-16a4e87b5619,Security,Advisor,All network ports should be restricted on network security groups associated to your virtual machine for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -f21895de-63e2-9727-137a-3de5052bf9ef,Security,Advisor,DUP- Adaptive network hardening recommendations should be applied on internet facing virtual machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -96cf2977-fb41-790c-538b-cb3719b0e15a,Security,Advisor,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources for 1 Virtual machine(s)",https://aka.ms/azure-advisor-portal,High,,,0, -d8c34f38-392f-af30-c86e-cf5e28e929e0,Security,Advisor,DUP- Management ports should be closed on your virtual machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -e2982341-fad6-bf79-8817-e6d5be31c95d,Security,Advisor,A vulnerability assessment solution should be enabled on your virtual machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -87b9ae29-bdca-03b6-9c4d-f3a43726beeb,Security,Advisor,DUP- Storage accounts should restrict network access using virtual network rules for 4 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -f4807ff2-fff0-f485-b8c7-c26151ef9db4,Security,Advisor,Network traffic data collection agent should be installed on Linux virtual machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -2ef5e00d-d9f4-d7fd-3c5e-96dcdf9a66fa,Security,Advisor,DUP- Private endpoint should be enabled for MySQL servers for 1 MySQL 
server(s),https://aka.ms/azure-advisor-portal,High,,,0, -5fa6d457-918b-016a-28d4-65aaed63dee7,Security,Advisor,Public network access should be disabled for MySQL servers for 1 MySQL server(s),https://aka.ms/azure-advisor-portal,High,,,0, -0584c527-318d-8e19-e66d-f2fb35b50858,Security,Advisor,DUP- Storage account public access should be disallowed for 4 Storage Account(s),https://aka.ms/azure-advisor-portal,High,,,0, -899e9dd8-d80c-ebc6-f394-f96ea31f2412,Security,Advisor,Guest Configuration extension should be installed on your machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -4e503939-77d5-0409-6950-deef2975d2cb,Security,Advisor,DUP- Enforce SSL connection should be enabled for MySQL database servers for 1 MySQL server(s),https://aka.ms/azure-advisor-portal,High,,,0, -c504a3e0-05b4-7457-e311-b9ddfa1f47bc,Security,WAF Assessment,Configure emergency access accounts,https://docs.microsoft.com/azure/active-directory/roles/security-emergency-access,High,Operational Model & DevOps,Roles & Responsibilities,100,"While rare, sometimes extreme circumstances arise where all normal means of administrative access are unavailable and for this reason emergency access accounts (also refered to as 'break glass' accounts) should be available. These accounts are strictly controlled in accordance with best practice guidance, and they are closely monitored for unsanctioned use to ensure they are not compromised or used for nefarious purposes." -5b351848-762c-230d-5a1a-e82ecbe53661,Security,WAF Assessment,DUP- Implement threat protection for the workload,https://docs.microsoft.com/azure/security-center/azure-defender,High,Application Design,Threat Analysis,100,"Enterprise workloads are subjected to many threats that can jeopardize confidentiality, availability, or integrity and should be protected with advanced security solutions." 
-984245e2-5c9f-d27f-6110-ca7ff570324f,Security,WAF Assessment,Implement security strategy to contain attacker access,https://docs.microsoft.com/azure/architecture/framework/security/resilience#containing-attacker-access,High,Application Design,Application Design,90,"The actual security risk for an organization is heavily influenced by how much access an adversary can or does obtain to valuable systems and data. For example, when each user only has a focused scope of permissions assigned to them, the impact of compromising an account will be limited." -4d8f9896-7654-8f83-2fcc-46f33488c326,Security,WAF Assessment,DUP- Adopt a zero trust approach,https://docs.microsoft.com/azure/security/fundamentals/network-best-practices?bc=%2fazure%2farchitecture%2fbread%2ftoc.json&toc=%2fazure%2farchitecture%2ftoc.json#adopt-a-zero-trust-approach,High,Networking & Connectivity,Data flow,90,"Data exfiltration occurs when an internal/external malicious actor performs an unauthorized data transfer. The solution should leverage a layered approach such as hub/spoke for network communications with deep packet inspection to detect/protect from data exfiltration attack. Azure Firewall, UDR (User-defined Routes), NSG (Network Security Groups), Key Protection, Data Encryption, PrivateLink, and Private Endpoints are layered defenses for a data exfiltration attack. Azure Sentinel and Azure Security Center can be used to detect data exfiltration attempts and alert incident responders." -b0a5d047-0479-f8c2-07c2-a2ddf50f1ac3,Security,WAF Assessment,Implement a branch policy strategy to enhance DevOps security,https://docs.microsoft.com/azure/architecture/framework/security/deploy-governance#gated-approval-process,High,Deployment & Testing,Application Code Deployments,90,"Branch policies provide additional level of control over the code which is commited to the product. 
It is a common practice to not allow pushing against the main branch and require pull-request (PR) with code review before merging the changes by at least one reviewer, other than the change author. Different branches can have different purposes and access levels, for example: feature branches are created by developers and are open to push, integration branch requires PR and code-review and production branch requires additional approval from a senior developer before merging." -c56c9cc2-dd20-84a8-ef40-03ada098e171,Security,WAF Assessment,DUP- Classify your data at rest and use encryption,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-at-rest,High,Security & Compliance,Encryption,90,"This includes all information storage objects, containers, and types that exist statically on physical media, whether magnetic or optical disk. All data should be classified and encrypted with an encryption standard. It should also be tagged so that it can be audited." -34a57a34-33d5-49b6-f1c1-fcc808f57074,Security,WAF Assessment,Establish a detection and response strategy for identity risks,https://docs.microsoft.com/azure/architecture/framework/security/monitor-identity-network#review-identity-risks,High,Health Modeling & Monitoring,Application Level Monitoring,90,"Most security incidents take place after an attacker initially gains access using a stolen identity. These identities can often start with low privileges, but attackers then use that identity to traverse laterally and gain access to more privileged identities. This repeats as needed until the attacker controls access to the ultimate target data or systems. Reported risk events for Azure AD can be viewed in Azure AD reporting, or Azure AD Identity Protection. Additionally, the Identity Protection risk events API can be used to programmatically access identity related security detections using Microsoft Graph." 
-b10661c7-ad38-360d-7966-059579d5d707,Security,WAF Assessment,DUP- Adopt a formal DevSecOps approach to building and maintaining software,https://docs.microsoft.com/azure/architecture/framework/security/deploy,High,Operational Model & DevOps,General,90,"The DevOps approach increases the organization's ability to rapidly address security concerns without waiting for a longer planning and testing cycle of traditional waterfall model. Key attributes are: automation, close integration of infra and dev teams, testability and reliability and repeatability of deployments." -62776fee-9426-1ba4-c1d2-cbfb6e3073ad,Security,WAF Assessment,Scan container workloads for vulnerabilities,https://docs.microsoft.com/azure/security-center/container-security,High,Deployment & Testing,Testing & Validation,90,"Azure Security Center is the Azure-native solution for securing containers. Security Center can protect virtual machines that are running Docker, Azure Kubernetes Service clusters, Azure Container Registry registries. ASC is able to scan container images and identify security issues, or provide real-time threat detection for containerized environments." -0fd58006-093c-68a8-aa6a-bc5e059c3e3c,Security,WAF Assessment,DUP- Establish a security operations center (SOC),https://docs.microsoft.com/azure/architecture/framework/security/security-operations,High,Operational Procedures,Incident Response,90,"A SOC has a critical role in limiting the time and access an attacker can get to valuable systems and data. In addition, it provides the vital role of detecting the presence of adversaries, reacting to an alert of suspicious activity, or proactively hunting for anomalous events in the enterprise activity logs." 
-06ff582e-dba1-5ecc-d60a-7f64e82af41f,Security,WAF Assessment,Implement Conditional Access Policies,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#enable-conditional-access,High,Security & Compliance,Authentication and authorization,90,"Modern cloud-based applications are often accessible over the internet and location-based networking restrictions don't make much sense, but it needs to be mapped and understood what kind of restrictions are required. Multi-factor Authentication (MFA) is a necessity for remote access, IP-based filtering can be used to enable ad-hoc debugging, but VPNs are preferred." -8af8f817-935b-46a1-ad46-e8210d133a2c,Security,WAF Assessment,DUP- Implement established processes and timelines to deploy mitigations for identified threats,https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model#3--mitigate-the-identified-threats,High,Application Design,Threat Analysis,90,Fixing identified vulnerabilities in a timely manner helps staying secure and preventing additional attack vectors. -eb943253-c904-4250-d046-79babc4ac389,Security,WAF Assessment,"Restrict access to backend services to a minimal set of public IP addresses, only those who really need it",https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#communication-with-backend-services,High,Networking & Connectivity,Connectivity,90,Web applications typically have one public entrypoint and don't expose subsequent APIs and database servers over the internet. When using gateway services like Azure Front Door it's possible to restrict access only to a set of Front Door IP addresses and lock down the infrastructure completely. 
-3a94c9b0-3497-d4a9-7787-33c97f069392,Security,WAF Assessment,DUP- Protect all public endpoints with appropriate controls,https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints#web-application-firewalls-wafs,High,Networking & Connectivity,Endpoints,90,"External application endpoints should be protected against common attack vectors, such as Denial of Service (DoS) attacks like Slowloris, to prevent potential application downtime due to malicious intent. Azure-native technologies such as Azure Firewall, Application Gateway/Azure Front Door Web Application Firewall (WAF), and DDoS Protection Standard Plan can be used to achieve requisite protection." -8635e8cb-7996-3100-6172-a874c65cc306,Security,WAF Assessment,Ensure all Azure environments that connect to your production environment/network apply your organization's policy and IT governance controls for security,https://docs.microsoft.com/azure/architecture/framework/Security/governance#manage-connected-tenants,High,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,80,Ensure the security organization is aware of all enrollments and associated subscriptions connected to the existing environment and is able to monitor those resources as part of the overall enterprise security posture. -055296c6-87d9-08e0-5039-6fd260203a35,Security,WAF Assessment,DUP- Configure quality gate approvals in DevOps release process,https://docs.microsoft.com/azure/architecture/framework/security/deploy-governance#gated-approval-process,High,Operational Model & DevOps,Roles & Responsibilities,70,"Pull Requests and code reviews serve as the first line of approvals during development cycle. Before releasing new code to production (new features, bugfixes etc.), security review and approval should be required." 
-ff211bd2-cae7-7b4d-3ab9-a4764022cf21,Security,WAF Assessment,Involve the security team in the development process,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/security-governance-and-compliance#service-enablement-framework,High,Operational Model & DevOps,Roles & Responsibilities,70,"There should be a process for onboarding service securely to Azure. The onboarding process should include reviewing the configuration options to determine what logging/monitoring needs to be established, how to properly harden a resource before it goes into production." -b2244fd7-6948-e7f7-45ed-77ea55f3879e,Security,WAF Assessment,DUP- Establish a process for key management and automatic key rotation,https://docs.microsoft.com/azure/key-vault/secrets/tutorial-rotation-dual,High,Operational Procedures,Configuration & Secrets Management,70,"In the situation where a key or secret becomes compromised, it is important to be able to quickly act and generate new versions. Key rotation reduces the attack vectors and should be automated and executed without any human interactions." -aaef5e5f-16a5-4811-2831-1b3b84cd6879,Security,WAF Assessment,Integrate code scanning tools within CI/CD pipeline,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code#credential-scanning,High,Deployment & Testing,Application Code Deployments,70,"Credentials should not be stored in source code or configuration files, because that increases the risk of exposure. Code analyzers (such as Roslyn analyzers for Visual Studio) can prevent from pushing credentials to source code repository and pipeline addons such as GitHub Advanced Security or CredScan (part of Microsoft Security Code Analysis) help to catch credentials during the build process." 
-598a45eb-2db5-dbb1-7569-a37063f2583d,Security,WAF Assessment,DUP- Apply security controls to self-hosted build agents in the same manner as with other Azure IaaS VMs,https://docs.microsoft.com/azure/architecture/framework/security/deploy-infrastructure#build-environments,High,Deployment & Testing,Build Environments,70,"When the organization uses their own build agents it adds management complexity and can become an attack vector. Build machine credentials must be stored securely and file system needs to be cleaned of any temporary build artifacts regularly. Network isolation can be achieved by only allowing outgoing traffic from the build agent, because it's using pull model of communication with Azure DevOps." -40a85139-acad-52e6-8594-d8dba5595980,Security,WAF Assessment,Establish a unified enterprise segmentation strategy,https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation,High,Networking & Connectivity,Connectivity,70,"A unified enterprise segmentation strategy will guide all technical teams to consistently segment access using networking, applications, identity, and any other access controls." -645a4305-5a8b-040f-c887-4129526383ce,Security,WAF Assessment,DUP- Use service endpoints and private links where appropriate,https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints#public-endpoints,High,Networking & Connectivity,Connectivity,70,"Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints only from authorized virtual networks, effectively mitigating data intrusion risks and associated impact to application availability. Service Endpoints provide service level access to a PaaS service, while Private Link provides direct access to a specific PaaS resource to mitigate data exfiltration risks (e.g. malicious admin scenarios). Don't forget that Private Link is a paid service and has meters for inbound and outbound data processed. 
Private Endpoints are charged as well." -dac4a7a3-6b47-7719-e453-b4043976fdab,Security,WAF Assessment,Implement just-in-time privileged access management,https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure,High,Operational Model & DevOps,Roles & Responsibilities,70,"Minimizing the number of people who have access to secure information or resources reduces the chance of a malicious actor gaining access or an authorized user inadvertently impacting a sensitive resource. For example, Azure AD Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about." -a174f139-1612-70d3-687d-72e614ced801,Security,WAF Assessment,DUP- Conduct periodic access reviews for the workload,https://docs.microsoft.com/azure/architecture/framework/security/monitor-audit#enforce-policy-compliance,High,Security & Compliance,Control-plane RBAC,70,"As people in the organization and on the project change, it is crucial to make sure that only the right people have access to the application infrastructure. Auditing and reviewing access reduces the attack vector to the application. Azure control plane depends on Azure AD and access reviews are often centrally performed often as part of internal or external audit activities. For the application specific access it is recommended to do the same at least twice a year." -a2831420-22da-ec7a-7f7f-49a6bccbc172,Security,WAF Assessment,Use only secure hash algorithms (SHA-2 family),https://docs.microsoft.com/azure/architecture/framework/Security/governance#discover-and-replace-insecure-protocols,High,Security & Compliance,Encryption,70,"Applications should use the SHA-2 family of hash algorithms (SHA-256, SHA-384, SHA-512)." 
-1aea58f6-cd71-c577-f330-7dd782297ec5,Security,WAF Assessment,DUP- Discover and remediate common risks to improve Secure Score in Azure Security Center,https://docs.microsoft.com/azure/architecture/framework/Security/governance#discover-and-remediate-common-risks,High,Security & Compliance,Security Center,70,"Identifying and remediating common security hygiene risks significantly reduces overall risk to the organization by increasing cost to attackers. Azure Secure Score in Azure Security Center monitors the security posture of machines, networks, storage and data services, and applications to discover potential security issues (internet connected VMs, or missing security updates, missing endpoint protection or encryption, deviations from baseline security configurations, missing Web Application Firewall (WAF), and more)." -972f72a6-c6fe-df6c-3cef-1bd160a66e91,Security,WAF Assessment,Protect workload publishing methods and restrict those not in use,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#communication-with-backend-services,High,Networking & Connectivity,Endpoints,70,"Application resources allowing multiple methods to publish app content (e.g FTP, Web Deploy) should have the unused endpoints disabled. For Azure Web Apps SCM is the recommended endpoint and it can be protected separately with network restrictions for sensitive scenarios." -8b6359c1-35df-7fd4-f4a9-46714543a895,Security,WAF Assessment,DUP- Follow DevOps security guidance and automation for securing applications,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code,High,Operational Model & DevOps,General,70,"Organizations should leverage a control framework such as NIST, CIS or Azure Security Benchmarks (ASB) for securing applications on the cloud rather than starting from zero." 
-b869f5f8-8fcc-783e-06e0-fa6bafb3e05f,Security,WAF Assessment,"Prohibit direct internet access of virtual machines with policy, logging, and monitoring",https://docs.microsoft.com/azure/architecture/framework/Security/governance#remove-virtual-machine-vm-direct-internet-connectivity,High,Networking & Connectivity,Endpoints,70,Attackers constantly scan public cloud IP ranges for open management ports and attempt 'easy' attacks like common passwords and known unpatched vulnerabilities. Limiting internet access from within an application server can prevent data exfiltration or stop the attacker from downloading additional tools. -bb0e9b7e-7972-3f2e-3f6b-c53b8d65fdeb,Security,WAF Assessment,DUP- Review and consider elevated security capabilities for Azure workloads,https://azure.microsoft.com/solutions/confidential-compute/,High,Governance,Standards,70,Careful consideration is necessary on whether to utilize specialized security capabilities in the workload architecture. These capabilities include dedicated Hardware Security Modules and Confidential Computing. -c78cc8a8-c3f2-66c9-b0eb-3cf4534e9ac1,Security,WAF Assessment,Clearly define CI/CD roles and permissions,https://docs.microsoft.com/azure/architecture/framework/security/deploy-governance#minimize-access,High,Operational Model & DevOps,Roles & Responsibilities,70,Defining CI/CD permissions properly ensures that only users responsible for production releases are able to initiate the process and that only developers can access the source code. Azure DevOps offers pre-defined roles which can be assigned to individual users of groups. Using them properly can make sure that for example only users responsible for production releases are able to initiate the process and that only developers can access the source code. Variable groups often contain sensitive configuration information and can be protected as well. 
-09cc563f-bb55-a265-3e45-10be6f59b64f,Security,WAF Assessment,DUP- Automatically remove/obfuscate personally identifiable information (PII) for this workload,https://docs.microsoft.com/azure/search/cognitive-search-skill-pii-detection,High,Health Modeling & Monitoring,Application Level Monitoring,70,"Extra care should be taken around logging of sensitive application areas. PII (contact information, payment information etc.) should not be stored in any application logs and protective measures should be applied (such as obfuscation)." -223187c2-a57b-8480-03d9-429dacad11b0,Security,WAF Assessment,Define a set of Azure Policies which enforce organizational standards and are aligned with the governance team,https://docs.microsoft.com/azure/governance/policy/overview,High,Security & Compliance,Compliance,70,Azure Policy should be used to enforce and report a compliant configuration of Azure services. Azure policies can be used on multiple levels. It is recommended to apply organizational wide security controls on Azure platform level. These policies build the guardrails of a landing zone. -94dbbe03-fe8d-d651-1392-030824ddb73f,Security,WAF Assessment,DUP- Establish security benchmarking using Azure Security Benchmark to align with industry standards,https://docs.microsoft.com/azure/architecture/framework/Security/governance#evaluate-security-using-benchmarks,High,Application Design,Threat Analysis,70,"Benchmarking enables security program improvement by learning from external organizations. It lets the organization know how its current security state compares to that of other organizations. As an example, the Center for Internet Security (CIS) has created security benchmarks for Azure that map to the CIS Control Framework. Another reference example is the MITRE ATT&CK framework that defines the various adversary tactics and techniques based on real-world observations." 
-3b0ad10e-e219-8035-c1ec-9a7c9355b1e2,Security,WAF Assessment,Define security requirements for the workload,https://docs.microsoft.com/azure/governance/policy/concepts/azure-security-benchmark-baseline,High,Application Design,Threat Analysis,70,Azure resources should be blocked that do not meet the proper security requirements defined during service enablement. -26e13d6e-fecb-adc8-1f9d-06b5f0a4f439,Security,WAF Assessment,"DUP- Remove platform-specific information from HTTP headers, error messages, and web site content",https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#configuration-security,High,Application Design,Design,70,"Information revealing the application platform, such as HTTP banners containing framework information (""`X-Powered-By`"", ""`X-ASPNET-VERSION`""), are commonly used by malicious actors when mapping attack vectors of the application. HTTP headers, error messages, website footers etc. should not contain information about the application platform. Azure CDN or Cloudflare can be used to separate the hosting platform from end users, Azure API Management offers transformation policies that allow to modify HTTP headers and remove sensitive information." -99996faa-ff38-db08-e16d-2c88bccd1201,Security,WAF Assessment,Define an access model for keys and secrets,https://docs.microsoft.com/azure/key-vault/general/secure-your-key-vault,High,Operational Procedures,Configuration & Secrets Management,70,Permissions to keys and secrets have to be controlled with an access model. 
-d85111b8-29fb-3085-e43f-240b7d757889,Security,WAF Assessment,"DUP- Use tools like Azure Disk Encryption, BitLocker or DM-Crypt to encrypt virtual disks",https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-classification,High,Security & Compliance,Encryption,70,Encrypting the virtual disk files helps prevent attackers from gaining access to the contents of the disk files in the event an attacker is able to download the files and mount the disk files offline on a separate system. -e2a69150-9565-5d0f-4867-e54fd7ec14f7,Security,WAF Assessment,Deprecate legacy network security controls,https://docs.microsoft.com/azure/architecture/framework/Security/network-security-containment#discontinue-legacy-network-security-technology,High,Security & Compliance,Network Security,70,"Network-based Data Loss Prevention (DLP) is decreasingly effective at identifying both inadvertent and deliberate data loss. The reason for this is that most modern protocols and attackers use network-level encryption for inbound and outbound communications. While the organization can use 'SSL-bridging' to provide an 'authorized man-in-the-middle' that terminates and then reestablishes encrypted network connections, this can also introduce privacy, security and reliability challenges." -e50f8d39-61d6-e637-fc89-159fddfb2a52,Security,WAF Assessment,DUP- Use Azure Firewall or a 3rd party next-generation firewall to protect against data exfiltration,https://docs.microsoft.com/azure/architecture/framework/security/design-network-flow#data-exfiltration,High,Networking & Connectivity,Connectivity,70,NVA solutions and Azure Firewall (for supported protocols) can be leveraged as a reverse proxy to restrict access to only authorized PaaS services for services where Private Link is not yet supported. 
-f690c4c0-fad3-7fa1-4dda-7bc47bcd373d,Security,WAF Assessment,Use NSG or Azure Firewall to protect and control traffic within VNETs,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#connectivity-between-network-segments,High,Networking & Connectivity,Connectivity,70,"If NSGs are being used to isolate and protect the application, the rule set should be reviewed to confirm that required services are not unintentionally blocked." -020f395e-1c06-144b-931a-82163917db09,Security,WAF Assessment,DUP- Use Managed Identities for authentication to other Azure platform services,https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/,High,Operational Procedures,Configuration & Secrets Management,70,Managed Identities in Azure can be used to securely access Azure services while removing the need to store the secrets or certificates of Service Principals. -803547b5-ad89-f2ed-4cec-0abeb3eed673,Security,WAF Assessment,Integrate network logs into a Security Information and Event Management (SIEM),https://docs.microsoft.com/azure/architecture/framework/security/monitor-security-operations#leverage-native-detections-and-controls,High,Security & Compliance,Network Security,70,"Integrating logs from the network devices, and even raw network traffic itself, will provide greater visibility into potential security threats flowing over the wire." -466b1e14-814c-52f0-ba05-ebbf35f880d4,Security,WAF Assessment,DUP- Data in transit should be encrypted at all points to ensure data integrity,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit,High,Security & Compliance,Encryption,70,"When data is being transferred between components, locations, or programs, it's in transit. Data in transit should be encrypted using a common encryption standard at all points to ensure data integrity. 
For example: web applications and APIs should use HTTPS/SSL for all communication with clients and also between each other (in micro-services architecture). Determine if all components in the solution are using a consistent standard. There are times when encryption is not possible due to technical limitations, but the reason needs to be clear and valid." -236df3d8-e45c-6f25-9716-7b4fd1a1ee17,Security,WAF Assessment,Establish an incident response plan and perform periodically a simulated execution,https://info.microsoft.com/rs/157-GQE-382/images/EN-US-CNTNT-emergency-doc-digital.pdf,High,Operational Procedures,Incident Response,70,Actions executed during an incident and response investigation could impact application availability or performance. It is recommended to define these processes and align them with the responsible (and in most cases central) SecOps team. The impact of such an investigation on the application has to be analyzed. -d7b41176-e25a-514a-af09-26cc2ce0d3e4,Security,WAF Assessment,DUP- Use penetration testing and red team exercises to validate security defenses for this workload,https://docs.microsoft.com/azure/architecture/framework/security/monitor-test#penetration-testing-pentesting,High,Deployment & Testing,Testing & Validation,70,"Real world validation of security defenses is critical to validate a defense strategy and implementation. Penetration tests or red team programs can be used to simulate either one time, or persistent threats against an organization to validate defenses that have been put in place to protect organizational resources." 
-b68d2cb4-cb60-f1a2-e4cb-b67bc427af71,Security,WAF Assessment,Establish a designated group responsible for central network management,https://docs.microsoft.com/azure/architecture/framework/security/design-segmentation#functions-and-teams,High,Security & Compliance,Network Security,70,"Centralizing network management and security can reduce the potential for inconsistent strategies that create potential attacker exploitable security risks. Because all divisions of the IT and development organizations do not have the same level of network management and security knowledge and sophistication, organizations benefit from leveraging a centralized network team's expertise and tooling." -67f90604-50ad-66b3-bfb6-b13251d68935,Security,WAF Assessment,DUP- Build a security containment strategy,https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation,High,Security & Compliance,Network Security,70,Assume breach is the recommended cybersecurity mindset and the ability to contain an attacker is vital to protect information systems. -451878d2-5277-4920-2e18-395958386547,Security,WAF Assessment,Evolve security beyond network controls,https://docs.microsoft.com/azure/architecture/framework/Security/network-security-containment#evolve-security-beyond-network-controls,High,Security & Compliance,Network Security,70,Traditional network controls based on a 'trusted intranet' approach will not be able to effectively provide security assurances for cloud applications. -e214da59-c51a-09f8-3b0b-b474397feabc,Security,WAF Assessment,DUP- Periodically perform external and/or internal workload security audits,https://docs.microsoft.com/azure/architecture/framework/security/monitor-audit#review-critical-access,High,Security & Compliance,Compliance,70,"Compliance is important for several reasons. Aside from signifying levels of standards, like ISO 27001 and others, noncompliance with regulatory guidelines may bring sanctions and penalties." 
-35c3e206-03cc-65ef-9925-30d888b882f9,Security,WAF Assessment,Develop a security plan,https://docs.microsoft.com/azure/cloud-adoption-framework/get-started/security#step-3-develop-a-security-plan,High,Application Design,Security Criteria & Data Classification,70,"A security plan should be part of the main planning documentation for the cloud. It should include several core elements including organizational functions, security skilling, technical security architecture and capabilities roadmap." -ce17c8f5-c50f-e83f-e7ad-2eee3076a6a9,Security,WAF Assessment,"DUP- Review, prioritize, and proactively apply security best practices to cloud resources",https://docs.microsoft.com/azure/architecture/framework/Security/governance#prioritize-security-best-practices-investments,High,Application Design,Security Criteria & Data Classification,70,Security best practices are ideally applied proactively and completely to all systems as the cloud workload is implemented. -4aa4c70f-6f97-65fc-04e2-88bc50ed1c20,Security,WAF Assessment,Establish lifecycle management policy for critical accounts,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authorization#authorization-for-critical-accounts,High,Security & Compliance,Separation of duties,70,A compromise of an account in a role that is assigned privileges with a business-critical impact can be detrimental to organizational information systems and should therefore be closely monitored including a lifecycle process. -4038b9b1-ee3a-1af3-e409-c5e04daabfbf,Security,WAF Assessment,DUP- Designate the parties responsible for specific functions in Azure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-role-definitions,High,Operational Model & DevOps,Roles & Responsibilities,70,"Clearly documenting and sharing the contacts responsible for each of these functions will create consistency and facilitate communication. 
Examples of such contact groups include network security, network management, server endpoint security, incident response, policy management, identity." -44f274c7-b96e-2394-a3cf-171c7acd3130,Security,WAF Assessment,Implement a solution to configure unique local admin credentials,https://docs.microsoft.com/azure/automation/update-management/overview,High,Operational Procedures,Patch & Update Process (PNU),70,Attackers constantly scan public cloud IP ranges for open management ports and attempt 'easy' attacks like common passwords and unpatched vulnerabilities. -a7a24707-9203-2086-f82d-c2d62380e6ea,Security,WAF Assessment,DUP- Store keys and secrets outside of application code in Azure Key Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-keys#key-storage,High,Operational Procedures,Configuration & Secrets Management,70,"API keys, database connection strings and passwords are all sensitive to leakage, occasionally require rotation and are prone to expiration. Storing them in a secure store and not within the application code or configuration simplifies operational tasks like key rotation as well as improving overall security." -55a592ec-1dfe-a126-7ee9-1422e85ef9fd,Security,WAF Assessment,Mitigate DDoS attacks,https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints#mitigate-ddos-attacks,High,Networking & Connectivity,Endpoints,70,"DDoS attacks can be very debilitating and completely block access to your services or even take down the services, depending on the type of DDoS attack." 
-230873a2-8e40-b6f9-d41a-8f4db533dc54,Security,WAF Assessment,DUP- Standardize on modern authentication protocols,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-modern-password-protection,High,Security & Compliance,Authentication and authorization,70,Modern authentication protocols support strong controls such as Multi-factor Authentication (MFA) and should be used instead of legacy. -a897d0e6-1e99-9277-163a-cee66c434a6a,Security,WAF Assessment,Implement lifecycle management process for SSL/TLS certificates,https://docs.microsoft.com/azure/key-vault/certificates/tutorial-rotate-certificates,High,Operational Procedures,Configuration & Secrets Management,70,Expired SSL/TLS certificates are one of the most common yet avoidable causes of application outages; even Azure and more recently Microsoft Teams have experienced outages due to expired certificates. -e20147e8-629b-c1b2-ab13-d6ed3f4bba12,Security,WAF Assessment,DUP- Maintain a list of frameworks and libraries as part of the application inventory,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Dependencies,60,"As part of the workload inventory the application team should maintain a framework and library list, along with versions in use. Understanding of the frameworks and libraries (custom, OSS, 3rd party, etc.) used by the application and the resulting vulnerabilities is important." -53efc28d-ef99-4d0f-dc4a-e383b5e3f88b,Security,WAF Assessment,Configure web apps to reuse authentication tokens securely and handle them like other credentials,https://docs.microsoft.com/azure/active-directory/develop/msal-acquire-cache-tokens,Medium,Security & Compliance,Authentication and authorization,60,"OAuth tokens are usually cached after they've been acquired. 
Application code should first try to get tokens silently from a cache before attempting to acquire a token from the identity provider, to optimize performance and maximize availability. Tokens should be stored securely and handled as any other credentials. When there's a need to share tokens across application servers (instead of each server acquiring and caching their own) encryption should be used." -7e82f7b6-7cac-48bc-e347-aa154a4c7bd6,Security,WAF Assessment,DUP- Ensure security team has Security Reader or equivalent to support all cloud resources in their purview,https://docs.microsoft.com/azure/architecture/framework/Security/governance#security-team-visibility,Medium,Security & Compliance,Control-plane RBAC,60,"Provide security teams read-only access to the security aspects of all technical resources in their purview. Security organizations require visibility into the technical environment to perform their duties of assessing and reporting on organizational risk. Without this visibility, security will have to rely on information provided from groups, operating the environment, who have a potential conflict of interest (and other priorities). Note that security teams may separately be granted additional privileges if they have operational responsibilities or a requirement to enforce compliance on Azure resources. For example in Azure, assign security teams to the Security Readers permission that provides access to measure security risk (without providing access to the data itself). Because security will have broad access to the environment (and visibility into potentially exploitable vulnerabilities), you should consider them critical impact accounts and apply the same protections as administrators." 
-21b26762-f90b-04da-0ece-4f98fe9e728a,Security,WAF Assessment,Implement security playbooks for incident response,https://docs.microsoft.com/azure/security-center/workflow-automation,Medium,Operational Procedures,Incident Response,60,Incident responders are part of a central SecOps team and need to understand security insights of an application. Playbooks can help to understand the security concepts and cover the typical investigation activities. These procedures can and should be automated as much as possible (while maintaining confidence and security). -9869d213-1d48-6265-6b85-662696986065,Security,WAF Assessment,DUP- Synchronize on-premises directory with Azure AD,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#centralize-all-identity-systems,Medium,Security & Compliance,Authentication and authorization,60,Consistency of identities across cloud and on-premises will reduce human errors and resulting security risk. Teams managing resources in both environments need a consistent authoritative source to achieve security assurances. -f6c354e1-4411-a8aa-fb97-2a6a76c8e355,Security,WAF Assessment,Implement identity-based storage access controls,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#azure-encryption-features,Medium,Security & Compliance,Encryption,60,"Protecting data at rest is required to maintain confidentiality, integrity, and availability assurances across all workloads. Cloud service providers make multiple methods of access control available - shared keys, shared signatures, anonymous access, identity provider-based. Identity provider methods (such as AAD and RBAC) are the least liable to compromise and enable more fine-grained role-based access controls." 
-529ff108-f7d5-242d-117e-f0879c418d42,Security,WAF Assessment,"DUP- Use services available from a cloud provider for well-established functions like databases, encryption, identity directory, and authentication",https://docs.microsoft.com/azure/architecture/framework/security/design-apps-considerations#use-azure-services-for-fundamental-components,Medium,Application Design,Design,60,"Developers should use services available from a cloud provider for well-established functions like databases, encryption, identity directory, and authentication instead of writing custom versions or third-party solutions that must be integrated into the cloud provider." -b0207ed1-8963-d551-3076-a972bee79f00,Security,WAF Assessment,Implement automated deployment process with rollback/roll-forward capabilities,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code#rollback-and-roll-forward,Medium,Deployment & Testing,Application Code Deployments,60,N-1 and N+1 refer to roll-back and roll-forward. Automated deployment pipelines should allow for quick roll-forward and roll-back deployments to address critical bugs and code updates outside of the normal deployment lifecycle. -3d488720-5e7c-e74f-ab7d-8f35c3717a1f,Security,WAF Assessment,DUP- Leverage a cloud application security broker (CASB),https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security,Medium,Networking & Connectivity,Data flow,60,"CASBs provide rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all Microsoft and third-party cloud services." -bacc7993-068c-52ff-530c-0f1fcd790b5f,Security,WAF Assessment,Configure and collect network traffic logs,https://docs.microsoft.com/azure/architecture/framework/security/monitor-identity-network#enable-network-visibility,Medium,Networking & Connectivity,Connectivity,60,NSG flow logs should be captured and analyzed to monitor performance and security. 
The NSG flow logs enables Traffic Analytics to gain insights into internal and external traffic flows of the application. -8bab539e-5d69-2631-e554-744982536292,Security,WAF Assessment,DUP- Identify and classify business critical applications,https://docs.microsoft.com/azure/architecture/framework/Security/applications-services#identify-and-classify-business-critical-applications,Medium,Application Design,Threat Analysis,60,"Enterprise organizations typically have a large application portfolio. Have key business applications been identified and classified? This should include applications that have a high business impact if affected. Examples would be business critical data, regulated data, or business critical availability. These applications also might include applications which have a high exposure to attack such as public facing websites key to organizational success." -d60b5c59-2f70-bfe3-967b-11407ccd4e5c,Security,WAF Assessment,Develop a security training program,https://www.microsoft.com/itshowcase/blog/how-microsoft-is-transforming-its-approach-to-security-training/,Medium,Operational Model & DevOps,Roles & Responsibilities,60,"Cybersecurity threats are always evolving and therefore those responsible for organizational information security require specialized, continual, and relevant training to ensure staff maintains the level of competency required to protect, detect, and respond." -39f99824-5553-412a-43e1-ecd5748822cd,Security,WAF Assessment,DUP- Regularly simulate attacks against critical accounts,https://docs.microsoft.com/azure/architecture/framework/Security/critical-impact-accounts#attack-simulation-for-critical-impact-accounts,Medium,Deployment & Testing,Testing & Validation,60,"People are a critical part of your defense, especially those with elevated permissions, so ensuring they have the knowledge and skills to avoid and resist attacks will reduce your overall organizational risk. 
Simulating attacks for educational purposes helps to enforce understanding of the various means that an attacker may use to compromise accounts. Tools such as Office 365 Attack Simulation or similar may be used." -c1472927-3cf6-baba-bd57-e2c912790de5,Security,WAF Assessment,Design virtual networks for growth,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#connectivity-between-network-segments,Medium,Security & Compliance,Network Security,60,"Most organizations end up adding more resources to networks than initially planned. When this happens, IP addressing and subnetting schemes need to be refactored to accommodate the extra resources. This is a labor-intensive process. There is limited security value in creating a very large number of small subnets and then trying to map network access controls (such as security groups) to each of them." -50c92e40-3771-210d-3a31-0096068c1e7a,Security,WAF Assessment,DUP- Use standard and recommended encryption algorithms,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#standard-encryption-algorithms,Medium,Security & Compliance,Encryption,60,"Organizations should rarely develop and maintain their own encryption algorithms. Secure standards already exist on the market and should be preferred. AES should be used as symmetric block cipher, AES-128, AES-192 and AES-256 are acceptable. Crypto APIs built into operating systems should be used where possible, instead of non-platform crypto libraries. For .NET make sure you follow the .NET Cryptography Model." 
-37af0491-38f9-3668-f108-e88d1ab3996d,Security,WAF Assessment,Assign permissions based on management or resource groups,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authorization#resource-based-authorization,Medium,Security & Compliance,Control-plane RBAC,60,"Custom resource-based permissions are often not needed and can result in increased complexity and confusion as they do not carry the intention to new similar resources. This then accumulates into a complex legacy configuration that is difficult to maintain or change without fear of ""breaking something"" - negatively impacting both security and solution agility. Higher level permissions sets - based on resource groups or management groups - are usually more efficient." -b15e70d8-6c03-30b6-e0a5-db464c830cd2,Security,WAF Assessment,"DUP- Add planning, testing, and validation rigor to the use of the root management group",https://docs.microsoft.com/azure/architecture/framework/security/design-management-groups#use-root-management-group-with-caution,Medium,Security & Compliance,Control-plane RBAC,60,"The root management group ensures consistency across the enterprise by applying policies, permissions, and tags across all subscriptions. This group can affect all resources in Azure and incorrect use can impact the security of all workloads in Azure." -31d467e9-b0e2-038a-7db8-74bc9a4d55c7,Security,WAF Assessment,Use managed identity providers to authenticate to this workload,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-identity-based-authentication,Medium,Security & Compliance,Authentication and authorization,50,"If possible, applications should utilize Azure Active Directory or other managed identity providers (such as Microsoft Account, Azure B2C...) to avoid managing user credentials with custom implementation. 
Modern protocols like OAuth 2.0 use token-based authentication with limited timespan, identity providers offer additional functionality like multi-factor authentication, password reset etc." -f8507020-2e5e-b559-94c3-9470d4f647ed,Security,WAF Assessment,DUP- Enforce password-less or Multi-factor Authentication (MFA),https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-passwordless-authentication,Medium,Security & Compliance,Authentication and authorization,50,Attack methods have evolved to the point where passwords alone cannot reliably protect an account. Modern authentication solutions including password-less and multi-factor authentication increase security posture through strong authentication. -dc5f96ff-fa47-3b1d-bffe-d39eff2ea693,Security,WAF Assessment,Identify technologies and frameworks used by the application,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Application Composition,50,All technologies and frameworks should be identified. Vulnerabilities of these dependencies must be understood (there are automated solutions on the market that can help: OWASP Dependency-Check or NPM audit). -8bcb252e-e184-1a5e-df05-7a1016710333,Security,WAF Assessment,DUP- Continuously assess and monitor compliance,https://docs.microsoft.com/azure/security-center/security-center-compliance-dashboard#assess-your-regulatory-compliance,Medium,Security & Compliance,Compliance,50,Continuously monitoring and assessing the workload increases the overall security and compliance of your workload in Azure. For example Azure Security Center provides a regulatory compliance dashboard. 
-fe155eaf-5314-5bb3-7117-e217baf94f1d,Security,WAF Assessment,Use identity services instead of cryptographic keys when available,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-keys#identity-based-access-control,Medium,Security & Compliance,Authentication and authorization,50,"Consideration should always be given to authenticating with identity services rather than cryptographic keys when available. Managing keys securely with application code is difficult and regularly leads to mistakes like accidentally publishing sensitive access keys to code repositories like GitHub. Identity systems (such as Azure Active Directory) offer secure and usable experience for access control with built-in sophisticated mechanisms for key rotation, monitoring for anomalies, and more." -ea5b15e4-51a3-ee6c-20ad-53037e1689ea,Security,WAF Assessment,DUP- Establish a designated point of contact to receive Azure incident notifications from Microsoft,https://docs.microsoft.com/azure/architecture/framework/Security/governance#assign-incident-notification-contact,Medium,Security & Compliance,Separation of duties,50,"Security alerts need to reach the right people in your organization. It is important to ensure a security contact receives Azure incident notifications, or alerts from Microsoft / Azure Security Center, such as a notification that your resource is compromised and/or attacking another customer." -9e181cd5-c0b3-a44e-4c07-4157ced168af,Security,WAF Assessment,Restrict application infrastructure access to CI/CD only,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#application-deployment,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,"It is recommended to implement Infrastructure as Code, and to deploy application infrastructure via automation and CI/CD for consistency and auditability - the Portal should not be used by humans to deploy production workloads. 
To maximize application autonomy and agility, Portal or ad-hoc access can be permitted to less-critical development and test environments." -6f0e0aaf-5d8e-c1a6-2239-4ce74db581f9,Security,WAF Assessment,DUP- Make sure you understand the security features/capabilities available for each service and how they can be used in the solution,https://docs.microsoft.com/azure/architecture/framework/security/design-apps-services,Medium,Application Design,Application Composition,50,"It is important to understand what Azure services, such as App Services and Event Hubs, are used by the workload to host both application code and data. Selection should be made with security in mind." -3e0c4abf-6a49-580a-7aaf-feb67d2b2e4b,Security,WAF Assessment,Update frameworks and libraries as part of the application lifecycle,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Dependencies,50,"Application frameworks are frequently provided with updates (e.g. security), released by the vendor or communities. Critical and important security patches need to be prioritized." -344a9b60-6836-f7bb-b3c1-ee0b485e6d2d,Security,WAF Assessment,DUP- Establish a SecOps team and monitor security related events,https://docs.microsoft.com/azure/architecture/framework/security/monitor-security-operations#incident-response,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Organization is monitoring the security posture across workloads and central SecOps team is monitoring security-related telemetry data and investigating security breaches. 
-ea6217a1-b872-d37b-40d4-c67cbe1898e3,Security,WAF Assessment,Establish process and tools to manage privileged access with just-in-time capabilities,https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices?bc=%2fazure%2farchitecture%2fbread%2ftoc.json&toc=%2fazure%2farchitecture%2ftoc.json#lower-exposure-of-privileged-accounts,Medium,Security & Compliance,Separation of duties,50,Zero-trust principle comes with the requirement of no standing access to an environment. Native and 3rd party solution can be used to elevate access permissions for at least highly privileged if not all activities. Azure AD Privileged Identity Management (Azure AD PIM) is the recommended and Azure native solution. -4459f091-da59-7898-19ee-ecb28a54f7df,Security,WAF Assessment,"DUP- Provide guidance for either platform managed keys (PMK) or customer managed keys (CMK), based on security or compliance requirements of this workload",https://docs.microsoft.com/azure/security/fundamentals/encryption-models,Medium,Operational Procedures,Configuration & Secrets Management,50,"Different approaches can be used by the workload team. Decisions are often driven by security, compliance and specific data classification requirements. Understanding these requirements is important to determine which key types are best suitable (MMK - Microsoft-managed Keys, CMK - Customer-managed Keys or BYOK - Bring Your Own Key)." -a8f29745-34e4-bc9f-d2f8-607664cb5ac1,Security,WAF Assessment,Implement role-based access control for application infrastructure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#roles-and-permission-assignment,Medium,Security & Compliance,Separation of duties,50,"Application roles and responsibility model need to be defined covering the different access level of each operational function (e.g publish production release, access customer data, manipulate database records). 
It's in the interest of the application team to include central functions (e.g. SecOps, NetOps, IAM) into this view." -eef69d34-2c58-e271-0533-d8fbf87e4a94,Security,WAF Assessment,DUP- Limit long-standing write access to production environments only to service principals,https://docs.microsoft.com/azure/architecture/framework/security/design-admins#no-standing-access--just-in-time-privileges,Medium,Operational Model & DevOps,Roles & Responsibilities,50,"Regular, long-standing write access to production environments by user accounts can pose a security risk and manual intervention is often prone to errors." -1fcc4e34-2d0a-ccf3-3c6d-99e07df905e7,Security,WAF Assessment,Implement resource locks to protect critical infrastructure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#management-locks,Medium,Security & Compliance,Control-plane RBAC,40,"Critical infrastructure typically doesn't change often. To prevent accidental/undesired modification of resources, Azure offers the locking functionality where only specific roles and users with permissions are able to delete/modify resources. Locks can be used on critical parts of the infrastructure, but special care needs to be taken in the DevOps process - modification locks can sometimes block automation." -27d45555-7231-9ec3-837d-a9a74d55f74d,Security,WAF Assessment,DUP- Implement defenses that detect and prevent commodity attacks,https://docs.microsoft.com/azure/architecture/framework/security/resilience#increasing-attacker-cost,Low,Application Design,Security Criteria & Data Classification,30,Cybersecurity attacks are planned and conducted by human attackers that must manage their return on investment into attacks (return could include profit or achieving an assigned objective). 
-4cb472db-e41c-3672-4e34-733d9f5c5963,Security,WAF Assessment,Enforce naming conventions and resource tagging for all Azure resources,https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging,Low,Governance,Standards,30,Using tags can help to manage resources and make it easier to find relevant items during operational procedures. -debde980-76ba-4cb3-9958-18b2bd03043d,Security,WAF Assessment,"DUP- Define a process for aligning communication, investigation and hunting activities with the application team",https://docs.microsoft.com/azure/architecture/framework/Security/governance#security-team-visibility,Low,Health Modeling & Monitoring,Application Level Monitoring,30,Development team needs to be aware of those activities to align their security improvement activities with the outcome of those activities. -5dd253e4-c459-afd8-8400-a6288bd2349c,Security,WAF Assessment,Use CDN to optimize delivery performance to users and obfuscate hosting platform from users/clients,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#internet-edge-traffic,Low,Networking & Connectivity,Endpoints,30,"CDNs store static files in locations that are typically geographically closer to the user than the data center. This increases overall application performance as latency for delivery and downloading these artifacts is reduced. Also, from a security point of view, CDNs can be used to separate the hosting platform from end users. Azure CDN contains a rule engine to remove platform-specific information and headers. The use of Azure CDN or 3rd party CDN will have different cost implications depending on what is chosen for the workload." 
-516b3380-e22f-7b52-bcfd-55a2e8955dbb,Cost Optimization,WAF Assessment,DUP- Right-size or shutdown underutilized virtual machines for 1 Virtual machine(s),https://aka.ms/azure-advisor-portal,High,,,0, -8585b27d-b453-1fcc-e859-3f83ad5751e6,Cost Optimization,WAF Assessment,Shut down VM instances not in use,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-vm#shut-down-the-under-utilized-instances,High,Capacity & Service Availability Planning,Efficiency,70, -6993dcf5-3945-1e6a-53ce-f3e698eb7cfd,Cost Optimization,WAF Assessment,DUP- Consider reserved instances,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-vm#reserved-vms,High,Application Design,Design,70, -411f62bf-6b05-db04-8592-dfa5360dfeb1,Cost Optimization,WAF Assessment,Consider VM Zone to Zone DR,https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery,High,Application Design,Design,70, -80bf0182-7b3e-8f4d-ed89-b48a7a0882d1,Cost Optimization,WAF Assessment,DUP- Organize data into access tiers,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/considerations/storage-options,High,Application Design,Application Composition,70, -9e64509c-3fd1-0038-fabd-a3a837c03eca,Cost Optimization,WAF Assessment,Set up a disaster recovery strategy that splits the application components and data into defined groups,https://azure.microsoft.com/en-us/solutions/backup-and-disaster-recovery/,High,Application Design,Design,70, -958b7d87-58bd-d2f3-3b3b-e3cbf0ea6b15,Cost Optimization,WAF Assessment,DUP- Mitigate DDoS attacks,https://azure.microsoft.com/services/ddos-protection/,High,Networking & Connectivity,Endpoints,70,Use Azure DDoS Protection Standard for critical workloads where outage would have business impact. Also consider CDN as another layer of protection. 
-1e41e4e8-4934-4f9d-0a9c-b3fdf18ed85b,Cost Optimization,WAF Assessment,Understand the Azure services used and cost implications,https://docs.microsoft.com/azure/architecture/framework/cost/design-initial-estimate,Medium,Application Design,Application Composition,50,"It is important to understand what Azure services, such as App Services and Event Hubs, are used by the application platform to host both application code and data. In a discussion around cost, this can drive decisions towards the right replacements (e.g. moving from Virtual Machines to containers to increase efficiency, or migrating to .NET Core to use cheaper SKUs etc.)." -220905f9-4ad9-3e08-c9a7-534d2f253825,Cost Optimization,WAF Assessment,DUP- Understand the operational capabilities of Azure services,https://docs.microsoft.com/azure/architecture/framework/cost/design-paas,Medium,Application Design,Application Composition,50,"Operational capabilities, such as auto-scale and auto-heal for App Services, can reduce management overheads, support operational effectiveness and reduce cost." -0c53c6f4-57aa-6083-d098-95a6ef171490,Cost Optimization,WAF Assessment,Learn if there are any discounts available for the services already in use,https://azure.microsoft.com/en-us/pricing/,Medium,Governance,Licensing,50,When alternative cost options are considered it should be understood first if any special offers or deals are given for the existing SKUs to verify that the correct prices are being used to build a business case. -7f57dc8b-3cd4-6226-5c94-2591914fa4db,Cost Optimization,WAF Assessment,DUP- Leverage the hybrid use benefit,https://azure.microsoft.com/en-us/pricing/hybrid-benefit/,Medium,Governance,Licensing,50,Understanding your current spending on licenses can help you drive down cost in the cloud. A-HUB allows you to reuse licenses that you purchased for on-premises in Azure and via this drive down the cost as the license is already paid. 
-3fa890e4-c382-6c94-30b5-a4a79560e3bd,Cost Optimization,WAF Assessment,Assign a budget and spend limit to the workload,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-alert,Medium,Governance,Financial Management & Cost Models,50,For cost management it is recommended to have a budget even for the smallest services operated as that allows to track and understand the flow of the spend and also understand the impact of a smaller service in a bigger picture. -48b3746d-1a75-ca24-b5e2-94755c105ad4,Cost Optimization,WAF Assessment,DUP- Establish a cost owner for each service used by the workload,https://azure.microsoft.com/en-us/blog/how-to-optimize-your-azure-workload-costs-2/,Medium,Governance,Financial Management & Cost Models,50,Every service should have a cost owner that is tracking and is responsible for cost. This drives responsibility and awareness on who owns the cost tracking. -bec48ef8-2045-d918-f097-5c3030f8fdd2,Cost Optimization,WAF Assessment,Use cost forecasting for budget alignment,https://docs.microsoft.com/azure/cost-management-billing/costs/quick-acm-cost-analysis?tabs=azure-portal,Medium,Governance,Financial Management & Cost Models,50,In order to predict costs and trends it's recommended to use forecasting to be proactive for any spending that might be going up due to higher demand than anticipated. -dcfd400a-a7e9-0ffa-b524-07cefae672df,Cost Optimization,WAF Assessment,DUP- Consider multi-tenant or microservices scenarios when running multiple applications,https://azure.microsoft.com/en-us/solutions/microservice-applications/,Medium,Capacity & Service Availability Planning,Efficiency,50,"When running multiple applications (typically in multi-tenant or microservices scenarios) density can be increased by deploying them on shared infrastructure and utilizing it more. For example: Containerization and moving to Kubernetes (Azure Kubernetes Services) enables pod-based deployment which can utilize underlying nodes efficiently. 
Similar approach can be taken with App Service Plans. To prevent the 'noisy neighbour' situation, proper monitoring must be in place and performance analysis must be done (if possible)." -3f302a25-9620-ba9e-d869-88eae359f730,Cost Optimization,WAF Assessment,Understand how the budget is defined,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-alert#revise-budgets,Medium,Governance,Culture & Dynamics,50,"It is important to have a clear understanding how an IT budget is defined. This is especially true for applications that are not built in-house, where IT budget has to be factored in as part of the delivery." -980897a0-ec50-cdb7-d390-e3132af0ef55,Cost Optimization,WAF Assessment,DUP- Have ongoing conversation between app owner and business,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reviews,Medium,Governance,Culture & Dynamics,50,Is what's delivered from IT and what the business is expecting from IT mapped to the cost of the application? -dd0885c8-71f5-2e6e-1816-f1f3593c72f4,Cost Optimization,WAF Assessment,Develop a plan to modernize the workload,https://docs.microsoft.com/dotnet/architecture/serverless/,Medium,Application Design,Design,50,"Is there a plan to change the execution model to Serverless? To move as far as you can up the stack towards cloud-native. When the workload is serverless, it's charged only for actual use, whereas whith traditional infrastructure there are many underlying things that need to be factored into the price. By applying an end date to the application it encourages you to discuss the goal of re-designing the application to make even better use of the cloud. It might be more expensive from an Azure cost point of view but factoring in other things like licenses, people, time to deploy can drive down cost." 
-f8588737-a597-44e9-5839-1206700a3115,Cost Optimization,WAF Assessment,DUP- Use RBAC to contol access to dashboards and data,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs#provide-the-right-level-of-cost-access,Medium,Health Modeling & Monitoring,Dashboarding,50,"Are the dashboards openly available in your organization or do you limit access based on roles etc.? For example: developers usually don't need to know the overall cost of Azure for the company, but it might be good for them to be able to watch a particular workload." -b8a662dc-4bf0-6b22-7d25-2fa6cdb4fe06,Cost Optimization,WAF Assessment,Set up alerts for cost limits and thresholds,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-alert#respond-to-alerts,Medium,Health Modeling & Monitoring,Alerting,50,"This is to ensure that if any budget is close to threshold, the cost owner gets notified to take appropriate actions on the change." -3566dbbc-7873-65c6-3c1a-678419dd70f7,Cost Optimization,WAF Assessment,DUP- Collect logs and metrics from Azure resources,https://docs.microsoft.com/azure/azure-monitor/platform/data-platform-logs,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,In order to successfully maintain the application it's important to 'turn the lights on' and have clear visibility of important metrics both in real-time and historically. -04d1cfcd-5eaa-a6f3-728b-34ed9b7bdd5b,Cost Optimization,WAF Assessment,Use ACM or other cost management tools,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reports,Medium,Health Modeling & Monitoring,Dashboarding,50,"In order to track spending an ACM tool can help with understanding how much is spent, where and when. This helps to make better decisions about how and if cost can be reduced." 
-e585f168-7a45-f829-554a-df56c6556b77,Cost Optimization,WAF Assessment,DUP- Utilize the PaaS pay-as-you-go consumption model where relevant,https://docs.microsoft.com/azure/architecture/framework/cost/design-price,Medium,Operational Procedures,Operational Lifecycles,50,"To bring down cost the goal should be to get as many applications to only consume resources when they are used, this goes as an evolution from IaaS to PaaS to serverless where you only pay when a service I triggered. The PaaS and serverless might appear more expensive, but risk and other operational work is transferred to the cloud provider which should also be factored in as part of the cost (e.g. patching, monitoring, licenses)." -e84756ed-1730-51e6-0a52-c5b65cfdde63,Cost Optimization,WAF Assessment,Separate data and log disks,https://docs.microsoft.com/azure/virtual-machines/disks-enable-ultra-ssd,Medium,Application Design,Design,50, -729abfe9-3fc9-26c6-ec58-d1fb8de0e374,Cost Optimization,WAF Assessment,DUP- Define end-date for each environment,https://azure.microsoft.com/en-us/services/cost-management/,Medium,Operational Procedures,Operational Lifecycles,50,If your workload or environment isn't needed then you should be able to decommission it. The same should occur if you are introducing a new service or new feature. -7f6bb875-a820-6cb4-85de-af47a0a85d66,Cost Optimization,WAF Assessment,Define critical system flows,https://docs.microsoft.com/azure/architecture/framework/resiliency/business-metrics#identify-critical-system-flows,Medium,Application Design,Key Scenarios,50,"Understanding critical system flows is vital to assessing overall operational effectiveness, and should be used to inform a health model for the application. It can also tell if areas of the application are over or under-utilized and should be adjusted to better meet business needs and cost goals." 
-b70f63dc-9892-9e16-158b-a182e0d555c2,Cost Optimization,WAF Assessment,DUP- Map application dependencies,https://docs.microsoft.com/azure/azure-monitor/app/app-map?tabs=net,Medium,Application Design,Dependencies,50,"Examples of typical dependencies include platform dependencies outside the remit of the application, such as Azure Active Directory, Express Route, or a central NVA (Network Virtual Appliance), as well as application dependencies such as APIs which may be in-house or externally owned by a third-party. For cost it's important to understand the price for these services and how they are being charged, this makes it easier to understanding an all-up cost. For more details see cost models." -b1c29d10-1d03-4079-afdc-a138905bd1e8,Cost Optimization,WAF Assessment,Understand cloud-native features and implement where possible,https://azure.microsoft.com/en-us/overview/cloudnative/,Medium,Application Design,Design,50,Understanding if the application is cloud-native or not provides a very useful high-level indication about potential technical debt for operability and cost efficiency. -370f5baa-0c12-9a77-b722-2773622c0b7f,Cost Optimization,WAF Assessment,DUP- Consider utilizing disk bursting,https://docs.microsoft.com/azure/virtual-machines/disk-bursting,Medium,Capacity & Service Availability Planning,Efficiency,50, -70740aa9-9396-f25b-73c5-1696ea0e42e4,Cost Optimization,WAF Assessment,Use Azure Advisor,https://docs.microsoft.com/azure/advisor/advisor-cost-recommendations,Medium,Capacity & Service Availability Planning,Service SKU,50,"Azure Advisor helps to optimize and improve efficiency of the workload by identifying idle and under-utilized resources. It analyzes your configurations and usage telemetry and consolidates it into personalized, actionable recommendations to help you optimize your resources." 
-fb4e7ec6-1c31-4647-35cf-f9088fa95dbc,Cost Optimization,WAF Assessment,DUP- Review Azure Advisor recommendations periodically,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reports#advisor-recommendations,Medium,Capacity & Service Availability Planning,Service SKU,50,"Your underutilised resources need to be reviewed often in order to be identified and dealt with accordingly, in addition to ensuring that your actionable recommendations are up-to-date and fully optimized. For example, Azure Advisor monitors your virtual machine (VM) usage for 7 days and then identifies low-utilization VMs." -5cbd7134-0018-15d4-fd4c-9670f13bdbca,Cost Optimization,WAF Assessment,Use developer SKUs for dev/test purposes,https://azure.microsoft.com/en-us/pricing/dev-test/,Medium,Deployment & Testing,Testing & Validation,50,"Special SKUs and subscription offers for development and testing purposes can save costs, but have to be used properly. Dev SKUs are not meant for production deployments." -ac7383b1-8e37-9eea-d1e2-9482692ecc93,Cost Optimization,WAF Assessment,DUP- The entire end-to-end CI/CD deployment process should be understood,https://azure.microsoft.com/en-us/pricing/details/devops/azure-devops-services/,Medium,Deployment & Testing,Application Code Deployments,50, -88d0ca92-85a0-31ed-21d6-4d67f23eba5c,Cost Optimization,WAF Assessment,Select the right operating system,https://docs.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree,Medium,Capacity & Service Availability Planning,Efficiency,50,"Analyze the technology stack and identify which workloads are capable of running on Linux and which require Windows. Linux-based VMs and App Services are significantly cheaper, but require the app to run on supported stack (.NET Core, Node.js etc.)." 
-e24109c5-feef-3d6d-18fe-af669ae4159f,Cost Optimization,WAF Assessment,DUP- Understand the cost implications of Availability Zones,https://azure.microsoft.com/en-us/global-infrastructure/availability-zones/,Medium,Application Design,Design,50,"[Availability Zones](https://docs.microsoft.com/azure/availability-zones/az-overview#availability-zones) can be used to optimize application availability within a region by providing datacenter level fault tolerance. However, the application architecture must not share dependencies between zones to use them effectively. It is also important to note that Availability Zones may introduce performance and cost considerations for applications which are extremely 'chatty' across zones given the implied physical separation between each zone and inter-zone bandwidth charges. That also means that AZ can be considered to get higher Service Level Agreement (SLA) for lower cost. Be aware of [pricing changes](https://azure.microsoft.com/pricing/details/bandwidth/) coming to Availability Zone bandwidth starting February 2021." -aba2d1d3-7f2d-b3e6-7560-917827cfa1c4,Cost Optimization,WAF Assessment,Consider using Service Endpoints and Private Link,https://docs.microsoft.com/azure/private-link/private-endpoint-overview,Medium,Security & Compliance,Network Security,50,"Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints from only authorized virtual networks, effectively mitigating data intrusion risks and associated impact to application availability. Service Endpoints provide service level access to a PaaS service, while Private Link provides direct access to a specific PaaS resource to mitigate data exfiltration risks (e.g. malicious admin scenarios)." 
-fe276258-5948-d7a5-7ce4-812457c04cf3,Cost Optimization,WAF Assessment,DUP- Be aware of cross-region data transfer costs,https://docs.microsoft.com/azure/architecture/framework/cost/provision-networking#peering,Medium,Networking & Connectivity,Data flow,50,Moving data between regions can add additional cost - both on the storage layer or networking layer. It's worth reviewing if this cost is can be replaced via re-architecture or justified due to e.g. disaster recovery (DR). -fb89ccb9-df0b-baf6-28fb-fb7a0d33b4bf,Cost Optimization,WAF Assessment,Use cost modeling to identify opportunities for cost reduction,https://docs.microsoft.com/azure/architecture/framework/cost/design-model,Medium,Governance,Financial Management & Cost Models,50,"Estimate and track costs, educate the employees about the cloud and various pricing models, have appropriate governance about expenditure." -62deac4b-816d-7d57-f8eb-797cf859215d,Cost Optimization,WAF Assessment,DUP- Be aware of cost implications of Web Application Firewall,https://azure.microsoft.com/pricing/details/web-application-firewall/,Medium,Networking & Connectivity,Endpoints,50,"There are cost implications to using Front Door with Web Application Firewall enabled, but it can save costs compared to using a 3rd party solution. Front Door has a good latency, because it uses unicast. If only 1 or 2 regions are required, Application Gateway can be used. There are cost implications of having a WAF - you should check pricing of hours and GB/s." 
-7f1ec214-ba78-8460-a306-8dee75ac62a1,Cost Optimization,WAF Assessment,Consider reserved capacity for Storage,https://docs.microsoft.com/azure/storage/blobs/storage-blob-reserved-capacity,Medium,Capacity & Service Availability Planning,Efficiency,50, -984788bc-681e-3961-d04e-11bf70de16c3,Cost Optimization,WAF Assessment,DUP- Use data lifecycle policy,https://docs.microsoft.com/azure/storage/blobs/storage-lifecycle-management-concepts,Medium,Health Modelling & Monitoring,Resource and Infrastructure Level Monitoring,50, -c5a8e1a1-e118-aa4d-2b61-e0299933c7f3,Cost Optimization,WAF Assessment,Consider using shared disks for suitable workloads,https://docs.microsoft.com/azure/virtual-machines/disks-shared,Medium,Capacity & Service Availability Planning,Efficiency,50, -d07fcd1b-f98d-5408-96fd-a47e24c2a989,Cost Optimization,WAF Assessment,DUP- Consider using reserved Premium disks,https://docs.microsoft.com/azure/virtual-machines/disks-reserved-capacity,Medium,Capacity & Service Availability Planning,Efficiency,50, -27b3b1b3-b575-a0fb-9d94-daa245fd09d7,Cost Optimization,WAF Assessment,Use App Service Premium (v3) plan where possible,https://docs.microsoft.com/azure/app-service/app-service-configure-premium-tier,Medium,Application Design,Application Composition,50, -44dc812f-551d-1efd-b37b-4c2ac0149de6,Cost Optimization,WAF Assessment,DUP- Consider the cost of data transfers and make sure cross-region peering is used efficiently,https://azure.microsoft.com/en-us/pricing/details/bandwidth/,Medium,Networking & Connectivity,Data flow,50,Moving data between regions can add additional cost - both on the storage layer or networking layer. It's worth reviewing if this cost is can be replaced via re-architecture or justified due to e.g. disaster recovery (DR). 
-d82323c0-865b-32c0-f254-c687a5290b92,Cost Optimization,WAF Assessment,Configure auto-scale policies for your workload (both in and out),https://docs.microsoft.com/azure/architecture/framework/cost/optimize-autoscale,Medium,Application Design,Application Composition,50,Deliberate selection of resources and sizing is important to maintain efficiency and optimal cost. -2ab9009a-a1a8-3fb8-3d14-266e384b1f63,Cost Optimization,WAF Assessment,DUP- Prefer Microsoft backbone for networking,https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/,Medium,Networking & Connectivity,Connectivity,50,Are you closer to your users or on-prem? If users are closer to the cloud you should use MSFT (i.e. egress traffic). MPLS is when another service provider gives you the line. -5486ecaf-3ab6-be58-1715-ecd1ddedb577,Cost Optimization,WAF Assessment,Define a clear price model for individual services,https://docs.microsoft.com/azure/architecture/framework/cost/design-price,Medium,Capacity & Service Availability Planning,Efficiency,50,As part of driving a good behavior it's important that the consumer has understood why they are paying the price for a service and also that the cost is transparent and fair to the user of the service or else it can drive wrong behavior. -61b0cf0d-2897-77bf-9264-45b0d04e2beb,Cost Optimization,WAF Assessment,DUP- Define a naming convention,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging,Low,Governance,Standards,30,Using tags can help to manage resources and make it easier to find relevant items during operational procedures. 
-6bb38dcd-8a3e-3730-047b-e8e3885ba812,Cost Optimization,WAF Assessment,Consider spot VMs,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-vm#spot-vms,Low,Capacity & Service Availability Planning,Efficiency,30, -7eec1901-7e10-1be6-d18f-3aafc17d1927,Cost Optimization,WAF Assessment,DUP- Pause AKS clusters,https://docs.microsoft.com/azure/aks/start-stop-cluster,Low,Capacity & Service Availability Planning,Efficiency,30, -bf8e2eed-d691-a1f7-3d59-ab60b5f37e82,Cost Optimization,WAF Assessment,Consider B-series VMs,https://docs.microsoft.com/azure/virtual-machines/sizes-b-series-burstable,Low,Capacity & Service Availability Planning,Efficiency,30, -210ea96e-0665-29d2-10c6-18670eb9ec41,Cost Optimization,WAF Assessment,DUP- Enforce naming conventions and resource tagging for all Azure resources,https://docs.microsoft.com/azure/architecture/framework/cost/design-governance#enforce-resource-tagging,Low,Governance,Standards,30,Using tags can help to manage resources and make it easier to find relevant items during operational procedures. -c1462d3f-6cdb-ba77-f741-00777c80d94e,Cost Optimization,WAF Assessment,Look for Public IPs and orphaned NICs,https://docs.microsoft.com/azure/virtual-machines/linux/find-unattached-nics,Low,Health Modelling & Monitoring,Resource and Infrastructure Level Monitoring,30, -921c2754-a600-c61e-ad1f-818613fed7d2,Operational Excellence,WAF Assessment,DUP- Use a log aggregation technology,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#collecting-and-storing-data,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,"Log aggregation technologies, such as Azure Log Analytics or Splunk, should be used to collate logs and metrics across all application components for subsequent evaluation. Resources may include Azure IaaS and PaaS services as well as 3rd-party appliances such as firewalls or anti-malware solutions used in the application. 
For instance, if Azure Event Hub is used, the [Diagnostic Settings](https://docs.microsoft.com/azure/event-hubs/event-hubs-diagnostic-logs) should be configured to push logs and metrics to the data sink. Understanding usage helps with right-sizing of the workload, but additional cost for logging needs to be accepted and included in the cost model." -b9166739-4e9e-a7a0-2db3-b25833e811fb,Operational Excellence,WAF Assessment,Define a process for alert reaction,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-owners,Medium,Health Modeling & Monitoring,Alerting,50,"Instead of treating all alerts the same, there should be a well-defined process which determines what teams are responsible to react to which alert type." -aa643090-6e1c-e91f-14e8-6167a5bcceee,Operational Excellence,WAF Assessment,DUP- Consider storing application configuration in a dedicated management system like Azure App Configuration or Azure Key Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#key-points,Medium,Operational Procedures,Configuration & Secrets Management,50,Application configuration information can be stored together with the application itself or preferably using a dedicated configuration management system like Azure App Configuration or Azure Key Vault. -011a08f0-5fd1-1c5c-a4a2-fe5f17736ecc,Performance Efficiency,WAF Assessment,Identify sensible non-functional requirements,https://docs.microsoft.com/azure/architecture/performance/#general-best-practices,Medium,Application Design,Targets & Non-Functional Requirements,50,"Non-functional performance requirements, such as those relating to end-user experiences (e.g. average and maximum response times) are vital to assessing the overall health of an application, and is a critical lens required for assessing operations." 
-20906267-6633-1dcd-7638-e2b622bb9649,Performance Efficiency,WAF Assessment,DUP- Monitor how long it takes to scale against your targets,https://docs.microsoft.com,Medium,Application Performance Management,Elasticity,50,"Time to scale-in and scale-out can vary between Azure services and instance sizes and should be assessed to determine if a certain amount of pre-scaling is required to handle scale requirements and expected traffic patterns, such as seasonal load variations." -90d3c007-aeeb-415c-b28b-f0c405f28cd8,Performance Efficiency,WAF Assessment,Leverage autoscaling to scale in and out as load varies,https://docs.microsoft.com/azure/architecture/best-practices/auto-scaling,Medium,Application Performance Management,Elasticity,50,Autoscaling can be leveraged to address unanticipated peak loads to help prevent application outages caused by overloading. -87d5e119-7d35-5e74-82fd-87ef83de429f,Performance Efficiency,WAF Assessment,DUP- Build a capacity model for your workload,https://docs.microsoft.com/azure/architecture/framework/scalability/design-capacity,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,"A capacity model should describe the relationships between the utilization of various components as a ratio, to capture when and how application components should scale-out." 
------------,,,,,,,,, -,,,,,,,,, -167ff4ef-cc54-624e-1e31-bc180da9f803,Security,Advisor,Have you done a threat analysis of your workload?,"Threat modeling processes are adopted, identified threats are ranked based on organizational impact, mapped to mitigations and communicated to stakeholders.","Threat modeling processes are adopted, identified threats are ranked based on organizational impact, mapped to mitigations and communicated to stakeholders.",,,, -3d04e335-68bb-afed-4aa1-b7d13488f5e9,Security,Advisor,DUP- Have you done a threat analysis of your workload?,"There's a process to track, triage and address security threats in the application development cycle.","There's a process to track, triage and address security threats in the application development cycle.",,,, -051ac425-ef83-c5e1-bce9-b47d31a67d02,Security,Advisor,Have you done a threat analysis of your workload?,Timelines and processess are established to deploy mitigations (security fixes) for identified threats.,,,,, -91dfc75e-4b71-389d-7ba6-0dd867eb52c7,Security,Advisor,DUP- Have you done a threat analysis of your workload?,Security requirements are defined for this workload.,,,,, -2c1f0312-4b4d-80be-b689-a2a20348de00,Security,Advisor,Have you done a threat analysis of your workload?,Threat protection was addressed for this workload.,,,,, -ee2f750b-fdcf-0dda-0f83-f455f12bbe94,Security,Advisor,DUP- Have you done a threat analysis of your workload?,"Security posture was evaluated with standard benchmarks (CIS Control Framework, MITRE framework etc.).",,,,, -e36635af-f52f-77d8-147a-ef4140b98c26,Security,Advisor,Have you done a threat analysis of your workload?,"Business critical workloads, which may adversely affect operations if they are compromised or become unavailable, were identified and classified.",,,,, -cd2e0002-14df-53be-929c-019dfdde0d10,Security,Advisor,DUP- Have you done a threat analysis of your workload?,None of the above.,,,,, -ef250806-68bb-d032-ecf2-9fb36ae55d8c,Security,Advisor,What 
considerations for compliance and governance did you make in this workload?,Regulatory and governance requirements of this workload are known and well understood.,Regulatory and governance requirements of this workload are known and well understood.,,,, -f2d6ab05-09dc-1535-c5e1-a46eed5bb418,Security,Advisor,DUP- What considerations for compliance and governance did you make in this workload?,Landing Zone concept is implemented for this workload using Azure Blueprints and/or Azure Policies.,Landing Zone concept is implemented for this workload using Azure Blueprints and/or Azure Policies.,,,, -31a19c4c-ca72-2d77-34a2-7eb3ef4226cd,Security,Advisor,What considerations for compliance and governance did you make in this workload?,Azure Policies are used to enforce and control security and organizational standards.,,,,, -18e123ce-89ed-dbb6-3a09-21bfacdacf4e,Security,Advisor,DUP- What considerations for compliance and governance did you make in this workload?,Root management group is used and any changes that are applied using this group are carefully considered.,,,,, -935cc377-4f86-188f-0e94-e756d18b5bc4,Security,Advisor,What considerations for compliance and governance did you make in this workload?,Compliance for this workload is systematically monitored and maintained. 
Regular compliance attestations are performed.,,,,, -beed6c77-e97a-b22f-016c-5040946b5223,Security,Advisor,DUP- What considerations for compliance and governance did you make in this workload?,External or internal audits of this workload are performed periodically.,,,,, -2be7c9d8-3038-809a-dcb0-bf81752ff77f,Security,Advisor,What considerations for compliance and governance did you make in this workload?,Security plan for this workload was developed and is maintained.,,,,, -725cdf48-7dc8-cf5d-21e1-65d035f8859d,Security,Advisor,DUP- What considerations for compliance and governance did you make in this workload?,"Best practices and guidelines, based on industry recommendations, are reviewed and applied proactively.",,,,, -31459bfa-bbf1-ed63-b943-c951b48e0a75,Security,Advisor,What considerations for compliance and governance did you make in this workload?,Attacker vs. defender costs are considered when implementing defenses. Easy and cheap attack methods are always prevented.,,,,, -2141b194-9fc8-ffe8-4365-203de3878d2c,Security,Advisor,DUP- What considerations for compliance and governance did you make in this workload?,Attacker access containment is considered when making investments into security solutions.,,,,, -3397c305-da11-b92f-378b-ccefe7a5b7d2,Security,Advisor,What considerations for compliance and governance did you make in this workload?,None of the above.,,,,, -1929c97c-7868-b7ad-9262-3f148be11701,Security,Advisor,DUP- What practices and tools have you implemented as part of the development cycle?,"A list of dependencies, frameworks and libraries used by this workload is maintained and updated regularly.",,,,, -3e66ca9f-dca8-23e8-b34e-307f67ae0dc0,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,Framework and library updates are included into the workload lifecycle.,,,,, -de7e0213-5e4d-1a8a-37aa-f30e60c53eb4,Security,Advisor,DUP- What practices and tools have you implemented as part of the development 
cycle?,"Technologies and frameworks used in this workload are fully understood, including their vulnerabilities.",,,,, -95ee82d9-e758-5b04-2844-c8ca1a840977,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,"Security updates to VMs are applied in a timely manner, and strong passwords exist on those VMs for any local administrative accounts that may be in use.",,,,, -3b8fbbbb-86d2-ddd4-d469-c9a76851e336,Security,Advisor,DUP- What practices and tools have you implemented as part of the development cycle?,All cloud services used by this workload are identified and it is understood how to configure them securely.,,,,, -48490cd4-4783-2fc8-65b7-32e7629a9594,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,"Personally identifiable information (PII) is detected and removed/obfuscated automatically for this workload, including application logs.",,,,, -e0ed3409-9c54-4c8f-1ee8-51d2b860e02f,Security,Advisor,DUP- What practices and tools have you implemented as part of the development cycle?,Azure Tags are used to enrich Azure resources with operational metadata.,,,,, -b6f84f68-2fe2-9cc7-72e3-4c74246c8451,Security,Advisor,What practices and tools have you implemented as part of the development cycle?,Elevated security capabilities such as dedicated Hardware Security Modules (HSMs) or the use of Confidential Computing was implemented or considered implementing?,,,,, -a5406d8c-cebc-9ecf-0722-7b9568a466bf,Security,Advisor,DUP- What practices and tools have you implemented as part of the development cycle?,None of the above.,None of the above.,,,, -c1c208ec-60c4-0bd8-be30-8e338e22cd05,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,Formal DevOps approach to building and maintaining software in this workload was adopted.,,,,, -b64e834e-b1e6-adde-1ae5-ea54c35863fe,Security,Advisor,DUP- Have you adopted a formal secure DevOps approach 
to building and maintaining software?,"DevOps security guidance based on industry lessons-learned, and available automation tools (OWASP guidance, Microsoft toolkit for Secure DevOps etc.) is leveraged.",,,,, -561c3787-3fa8-626d-116e-9bef61701316,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,Gates and approvals are configured in DevOps release process of this workload.,,,,, -257c40fc-e55c-f687-afea-0023e6fb0da2,Security,Advisor,DUP- Have you adopted a formal secure DevOps approach to building and maintaining software?,"Security team is involved in planning, design and the rest of DevOps process of this workload.",,,,, -96bab18b-ba55-11e4-5b9d-03ff91b00f1f,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,Deployments are automated and it's possible to deploy N+1 and N-1 version (where N is the current production).,,,,, -5e885369-f711-0b31-f8bf-40b2b67c362b,Security,Advisor,DUP- Have you adopted a formal secure DevOps approach to building and maintaining software?,Code scanning tools are integrated as part of the continuous integration (CI) process for this workload and cover also 3rd party dependencies.,,,,, -ad4183d4-53e3-cff6-b640-597afbe9f1e6,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Credentials, certificates and other secrets are managed in a secure manner inside of CI/CD pipelines.",,,,, -e49846a5-ebf5-f6f3-4f59-d058f552730c,Security,Advisor,DUP- Have you adopted a formal secure DevOps approach to building and maintaining software?,"Branch policies are used in source control management, main branch is protected and code reviews are required.",,,,, -843e9119-37f3-99ba-093a-477bedec574f,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,Security controls are applied to all self-hosted build agents used by this workload (if any).,,,,, 
-1b13031a-4787-7e46-40f7-9ea0e176e879,Security,Advisor,DUP- Have you adopted a formal secure DevOps approach to building and maintaining software?,CI/CD roles and permissions are clearly defined for this workload.,,,,, -397c1fb4-0a75-9df7-a0e1-83578d0f5ad8,Security,Advisor,Have you adopted a formal secure DevOps approach to building and maintaining software?,None of the above.,None of the above.,,,, -fbcf30ab-8d3a-3172-46cb-553a7915a5fc,Security,Advisor,DUP- Is the workload developed and configured in a secure way?,Cloud services are used for well-established functions instead of building custom service implementations.,,,,, -ec2bfc97-c26b-70bb-db7c-b238df2e92d9,Security,Advisor,Is the workload developed and configured in a secure way?,Detailed error messages and verbose information are hidden from the end user/client applications. Exceptions in code are handled gracefully and logged.,,,,, -2d5b6cbc-869e-9c51-f52f-fdf270091686,Security,Advisor,DUP- Is the workload developed and configured in a secure way?,Platform specific information (e.g. 
web server version) is removed from server-client communication channels.,,,,, -ad1a7fae-29a7-ef1b-a113-bcd6e9e429fb,Security,Advisor,Is the workload developed and configured in a secure way?,CDN (content delivery network) is used to separate the hosting platform and end-users/clients.,,,,, -abb06d86-4f44-4b1a-e204-37459c8d96cb,Security,Advisor,DUP- Is the workload developed and configured in a secure way?,"Application configuration is stored using a dedicated configuration management system (Azure App Configuration, Azure Key Vault etc.)",,,,, -85beae34-b5e0-9271-d251-b1758637636e,Security,Advisor,Is the workload developed and configured in a secure way?,"Access to data storage is identity-based, whenever possible.",,,,, -5d6302e8-202b-0f13-d357-d60f81654d9d,Security,Advisor,DUP- Is the workload developed and configured in a secure way?,Authentication tokens are cached securely and encrypted when sharing across web servers.,,,,, -81b2cea4-bc36-00b3-06ef-eb69cebb491f,Security,Advisor,Is the workload developed and configured in a secure way?,There are controls in place for this workload to detect and protect from data exfiltration.,,,,, -20784133-cb96-1c32-9167-48f3f4c8a5df,Security,Advisor,DUP- Is the workload developed and configured in a secure way?,None of the above.,None of the above.,,,, -3fd46641-9061-0336-5e9d-01d1d0d1f235,Security,Advisor,How are you monitoring security-related events in this workload?,Tools like Azure Security Center are used to discover and remediate common risks within Azure tenants.,,,,, -6c669070-8613-dcdf-3542-f7c1b247da6b,Security,Advisor,DUP- How are you monitoring security-related events in this workload?,A central SecOps team monitors security related telemetry data for this workload.,,,,, -6b2c3433-1440-623b-30ad-f3f8135c84be,Security,Advisor,How are you monitoring security-related events in this workload?,The security team has read-only access into all cloud environment resources for this workload.,,,,, 
-8dd14cc4-5385-470b-2923-0e2669903c54,Security,Advisor,DUP- How are you monitoring security-related events in this workload?,"The security team has access to and monitor all subscriptions and tenants that are connected to the existing cloud environment, relative to this workload.",,,,, -21f9bc86-0c76-95bf-ae3c-05dd61d0d549,Security,Advisor,How are you monitoring security-related events in this workload?,Identity related risk events related to potentially compromised identities are actively monitored.,,,,, -b04a8c5f-b574-3c33-7876-bd29c4e9c790,Security,Advisor,DUP- How are you monitoring security-related events in this workload?,"Communication, investigation and hunting activities are aligned with the workload team.",,,,, -958b2497-b836-3b6c-bfdb-b5b030a1f2a0,Security,Advisor,How are you monitoring security-related events in this workload?,Periodic & automated access reviews of the workload are conducted to ensure that only authorized people have access?,,,,, -dd3cd59b-35bd-4e1d-b8c3-c464ad51feae,Security,Advisor,DUP- How are you monitoring security-related events in this workload?,Cloud application security broker (CASB) is leveraged in this workload.,,,,, -b763e86a-d4c7-838c-dd38-840a97186809,Security,Advisor,How are you monitoring security-related events in this workload?,A designated point of contact was assigned for this workload to receive Azure incident notifications from Microsoft.,,,,, -4f701c6e-381c-d12f-bfed-500b04f5cf59,Security,Advisor,DUP- How are you monitoring security-related events in this workload?,None of the above.,None of the above.,,,, -d487d47b-9695-20b7-1125-4ebf0a954c4a,Security,Advisor,How is security validated and how do you handle incident response when breach happens?,"For containerized workloads, Azure Defender (Azure Security Center) or other third-party solution is used to scan for vulnerabilities.",,,,, -6da1ef86-135c-7f14-030a-c4be6173f40e,Security,Advisor,DUP- How is security validated and how do you handle incident response when 
breach happens?,Penetration testing is performed in-house or a third-party entity performs penetration testing of this workload to validate the current security defenses.,,,,, -7d1446a3-a951-1bc7-e8b9-c048e1791202,Security,Advisor,How is security validated and how do you handle incident response when breach happens?,"Simulated attacks on users of this workload, such as phishing campaigns, are carried out regularly.",,,,, -f9a1220e-b455-2da1-1067-9def12503633,Security,Advisor,DUP- How is security validated and how do you handle incident response when breach happens?,Operational processes for incident response are defined and tested for this workload.,,,,, -5afd7ec1-0221-79e3-7a5d-837ed9e7774c,Security,Advisor,How is security validated and how do you handle incident response when breach happens?,"Playbooks are built to help incident responders quickly understand the workload and components, to mitigate an attack and do an investigation.",,,,, -cc3c0825-23f0-da09-4e59-9db4b670f004,Security,Advisor,DUP- How is security validated and how do you handle incident response when breach happens?,There's a security operations center (SOC) that leverages a modern security approach.,,,,, -47e738cb-4a4e-fc7a-972c-f3561f2d3ea0,Security,Advisor,How is security validated and how do you handle incident response when breach happens?,A security training program is developed and maintained to ensure security staff of this workload are well-informed and equipped with the appropriate skills.,,,,, -1d817dad-eb58-dc07-5d11-8b6d769dab40,Security,Advisor,DUP- How is security validated and how do you handle incident response when breach happens?,None of the above.,None of the above.,,,, -e5674bb0-0f70-caac-da0e-5a94e1f247d0,Security,Advisor,How is connectivity secured for this workload?,"Services used by this workload, which should not be accessible from public IP addresses, are protected with network restrictions / IP firewall rules.",,,,, 
-fd742a02-36b4-7a13-a184-69cbd6684e74,Security,Advisor,DUP- How is connectivity secured for this workload?,Service Endpoints or Private Links are used for accessing Azure PaaS services.,,,,, -9bf39665-dbbf-5aeb-2766-f7cc888f9162,Security,Advisor,How is connectivity secured for this workload?,Azure Firewall or any 3rd party next generation firewall is used for this workload to control outgoing traffic of Azure PaaS services (data exfiltration protection) where Private Link is not available.,,,,, -1c3bfe77-9195-b660-0804-0ec02c3196c7,Security,Advisor,DUP- How is connectivity secured for this workload?,Network security groups (NSG) are used to isolate and protect traffic within the workloads VNet.,,,,, -f3d828ad-12d8-7625-b8e4-47c7193ee111,Security,Advisor,How is connectivity secured for this workload?,NSG flow logs are configured to get insights about incoming and outgoing traffic of this workload.,,,,, -79ad30ed-b521-ad28-01c1-3f0fe2e931fe,Security,Advisor,DUP- How is connectivity secured for this workload?,"Access to the workload backend infrastructure (APIs, databases, etc.) is restricted to only a minimal set of public IP addresses - only those who really need it.",,,,, -16612b96-6658-ef4a-9050-fd39fbf0fef2,Security,Advisor,How is connectivity secured for this workload?,Identified groups of resources are isolated from other parts of the organization to aid in detecting and containing adversary movement within the enterprise.,,,,, -f2409c9b-90b6-54cd-81c5-ee12e2e32596,Security,Advisor,DUP- How is connectivity secured for this workload?,"All public endpoints of this workload are protected/secured with appropriate solution (i.e. 
Azure Front Door, Azure Firewall...).",,,,, -9fdbe3fe-57ae-1a21-8d33-ca7fd6148610,Security,Advisor,How is connectivity secured for this workload?,"Publishing methods for this workload (e.g FTP, Web Deploy) are protected.",,,,, -10831644-0c0e-7f92-4857-5097ed277fab,Security,Advisor,DUP- How is connectivity secured for this workload?,Code is published to this workload using CI/CD process instead of manually.,,,,, -8e282d03-e3ee-7702-ee93-9b00067e0875,Security,Advisor,How is connectivity secured for this workload?,"Workload virtual machines running on premises or in the cloud don't have direct internet connectivity for users that may perform interactive logins, or by applications running on virtual machines.",,,,, -00f0c7fe-be07-d9ca-4ab8-7dbde220c20a,Security,Advisor,DUP- How is connectivity secured for this workload?,There's a capability and plans in place to mitigate DDoS attacks for this workload.,,,,, -d497b20a-cdc0-fabb-bf5c-fbd424e65930,Security,Advisor,How is connectivity secured for this workload?,None of the above.,None of the above.,,,, -aef28f02-d7fa-4f98-8ecd-e41f914815c9,Security,Advisor,DUP- How have you secured the network of your workload?,"There's a designated group within the organization, which is responsible for centralized network management security of this workload.",,,,, -162bdad9-2097-0fa2-7c8f-05d14d3b9142,Security,Advisor,How have you secured the network of your workload?,"There are controls in place to ensure that security extends past the network boundaries of the workload in order to effectively prevent, detect, and respond to threats.",,,,, -d3ac057b-883d-4916-5edd-e4bb968744a2,Security,Advisor,DUP- How have you secured the network of your workload?,Enhanced network visibility is enabled by integrating network logs into a Security information and event management (SIEM) solution or similar technology.,,,,, -a84e813d-33c5-a3c5-116f-f0cc337dd6ba,Security,Advisor,How have you secured the network of your workload?,Cloud virtual networks are 
designed for growth based on an intentional subnet security strategy.,,,,, -bd0c4e5e-830b-2176-3adc-0e16b4559dd4,Security,Advisor,DUP- How have you secured the network of your workload?,"This workload has a security containment strategy that blends existing on-premises security controls and practices with native security controls available in Azure, and uses a zero-trust approach.",,,,, -75cb7167-99ea-cc94-5989-873c85326970,Security,Advisor,How have you secured the network of your workload?,Legacy network security controls for data loss prevention were deprecated.,,,,, -61f5e443-3652-7cf3-d91c-dc3938ecb6a7,Security,Advisor,DUP- How have you secured the network of your workload?,"Traffic between subnets, Azure components and tiers of the workload is managed and protected.",,,,, -0a13635e-82f8-4b2b-8a7a-05ca131da82b,Security,Advisor,How have you secured the network of your workload?,None of the above.,None of the above.,,,, -cb625627-8173-0646-8ebb-0d21a5d994c1,Security,Advisor,DUP- How are you managing encryption for this workload?,The workload uses industry standard encryption algorithms instead of creating own.,,,,, -bc5e1e65-a69b-af9c-60ef-fa25cf7a933a,Security,Advisor,How are you managing encryption for this workload?,The workload communicates over encrypted (TLS / HTTPS) network channels only.,,,,, -68d87aa0-af61-ab56-9c05-d8719bff63f4,Security,Advisor,DUP- How are you managing encryption for this workload?,TLS 1.2 or 1.3 is used by default across this workload.,,,,, -eb4520c2-be7e-b244-aa23-542aa3e02768,Security,Advisor,How are you managing encryption for this workload?,Secure modern hashing algorithms (SHA-2 family) are used.,,,,, -30ab4ac2-c40d-9681-3749-d9911aa8ae68,Security,Advisor,DUP- How are you managing encryption for this workload?,Data at rest is protected with encryption.,,,,, -52395486-eb5f-8ed5-3161-15ad026ecbd1,Security,Advisor,How are you managing encryption for this workload?,Data in transit is encrypted.,,,,, 
-4464f946-9d28-9030-9ef6-8dbe0f87fdfe,Security,Advisor,DUP- How are you managing encryption for this workload?,Virtual disk files for virtual machines which are associated with this workload are encrypted.,,,,, -21b4e69b-b992-6436-30aa-02901659d272,Security,Advisor,How are you managing encryption for this workload?,None of the above.,None of the above.,,,, -a987603e-4918-6631-3126-de87ce686991,Security,Advisor,"DUP- Are keys, secrets and certificates managed in a secure way?",There's a clear guidance or requirement on what type of keys (PMK - Platform Managed Keys vs. CMK - Customer Managed Keys) should be used for this workload.,,,,, -5f948255-316c-1bb7-79c2-ec00d2b8fa25,Security,Advisor,"Are keys, secrets and certificates managed in a secure way?","Passwords and secrets are managed outside of application artifacts, using tools like Azure Key Vault.",,,,, -2d661770-8a40-fbb9-9e7d-b75ad6db49ae,Security,Advisor,"DUP- Are keys, secrets and certificates managed in a secure way?",Access model for keys and secrets is defined for this workload.,,,,, -000fc155-f781-c4b8-c330-840e946f5f72,Security,Advisor,"Are keys, secrets and certificates managed in a secure way?",A clear responsibility / role concept for managing keys and secrets is defined for this workload.,,,,, -983ec8a8-6344-035a-ad54-4edbc0db9e6b,Security,Advisor,"DUP- Are keys, secrets and certificates managed in a secure way?",Secret/key rotation procedures are in place.,,,,, -91c5f441-26db-e1e9-da1e-c489976ad6e3,Security,Advisor,"Are keys, secrets and certificates managed in a secure way?",Expiry dates of SSL/TLS certificates are monitored and there are renewal processes in place.,,,,, -fd93500b-7ea3-5be0-2e11-d4d218a99db7,Security,Advisor,"DUP- Are keys, secrets and certificates managed in a secure way?",None of the above.,None of the above.,,,, -9ee2cfc7-9557-6368-642c-fcaf668d3d0e,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,There are tools and processes in 
place to grant just-in-time access.,,,,, -0c318fe8-b4cc-e2c7-3e64-714ccf05b76d,Security,Advisor,DUP- What security controls do you have in place for access to Azure infrastructure?,No user accounts have long-standing write access to production environments.,,,,, -77d7f06e-c5ae-a7a4-1728-b5ad7731c0f9,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,Appropriate emergency access accounts are configured for this workload in case of an emergency.,,,,, -ee25dc2a-09e5-20b9-77e3-a71f7619baaa,Security,Advisor,DUP- What security controls do you have in place for access to Azure infrastructure?,Lines of responsibility and designated responsible parties were clearly defined for specific functions in Azure.,,,,, -d65c1e32-db67-1abd-6dab-09c34533421f,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,The application team has a clear view on responsibilities and individual/group access levels for this workload.,,,,, -4a4cb08c-56ba-ff65-7e81-acb6f64d8267,Security,Advisor,DUP- What security controls do you have in place for access to Azure infrastructure?,Workload infrastructure is protected with role-based access control (RBAC).,,,,, -729bfe9c-da2f-df0f-38e9-b77cbe928dc4,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,Resource locks are leveraged to protect critical infrastructure of this workload.,,,,, -7bdbb199-f2db-9b4d-5301-ca171b7dcbc3,Security,Advisor,DUP- What security controls do you have in place for access to Azure infrastructure?,"Direct access to the infrastructure through Azure Portal, command-line Interface (CLI) or REST API is limited and CI/CD is preferred.",,,,, -e6f466a4-b014-876e-b416-327bef1ffa42,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,Permissions to Azure workloads are rarely based on individual resources and custom permissions are rarely used.,,,,, 
-2456d9e7-3dd0-ccea-acc1-d762580f3b73,Security,Advisor,DUP- What security controls do you have in place for access to Azure infrastructure?,There are processes and tools being used to manage privileged activities. Long standing administrative access is avoided whenever possible.,,,,, -84552995-619b-3c84-596c-f0086e3be7cc,Security,Advisor,What security controls do you have in place for access to Azure infrastructure?,There is a lifecycle management policy for critical accounts in this workload and privileged accounts are reviewed regularly.,,,,, -4c594b73-6a46-602e-c0ea-a49b2347912b,Security,Advisor,DUP- What security controls do you have in place for access to Azure infrastructure?,None of the above.,None of the above.,,,, -fbd7e6d7-665e-e58c-4036-06692a524c0c,Security,Advisor,How are you managing identity for this workload?,When communicating with Azure platform services managed identities are preferred over API keys and connection strings.,,,,, -cb975be0-1113-d336-ab83-32f726694dca,Security,Advisor,DUP- How are you managing identity for this workload?,All APIs in this workload require clients to authenticate.,,,,, -6645401b-481a-3418-45da-b71034248827,Security,Advisor,How are you managing identity for this workload?,"Modern authentication protocols (OAuth 2.0, OpenID) are used by this workload.",,,,, -2e5e1251-4bee-d4aa-8622-73ce2d25f0ee,Security,Advisor,DUP- How are you managing identity for this workload?,"Azure Active Directory or other managed identity provider (Microsoft Account, Azure B2C etc.) is used for user authentication.",,,,, -3d369f79-e2be-351c-946f-4b199671cc2c,Security,Advisor,How are you managing identity for this workload?,Authentication via identity services is prioritized for this workload vs. 
cryptographic keys.,,,,, -776601f7-4286-8e2d-e021-df7de0bfe390,Security,Advisor,DUP- How are you managing identity for this workload?,Conditional access policies are implemented for users of this workload.,,,,, -63a063cd-0bc2-7b20-b40f-9d8f33f2f016,Security,Advisor,How are you managing identity for this workload?,Password-less or multi-factor authentication (MFA) is enforced for users of this workload.,,,,, -24152878-34f8-498d-ac3a-879fdd7d33de,Security,Advisor,DUP- How are you managing identity for this workload?,Current on-premises Active Directory is synchronized with Azure AD or other cloud identity system.,,,,, -dc462417-919e-677d-f618-3f0962a0f1c4,Security,Advisor,How are you managing identity for this workload?,None of the above.,None of the above.,,,, -8fa8053d-adf2-a3ce-cb08-e2c4636db28a,Cost Optimization,Advisor,DUP- How are you modeling cloud costs of this workload?,Cloud costs are being modelled for this workload.,,,,, -200a14e9-ae6c-0d8b-c32c-75b20f81d807,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,The price model of the workload is clear.,,,,, -007ab17e-d787-4f9e-06de-c8813682071f,Cost Optimization,Advisor,DUP- How are you modeling cloud costs of this workload?,Critical system flows through the application have been defined for all key business scenarios.,,,,, -ca4e641b-9173-d45c-65b0-48beb1af99cf,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,There is a well-understood capacity model for the workload.,,,,, -79617aff-2e20-d8e0-35e7-a93f27fa7f72,Cost Optimization,Advisor,DUP- How are you modeling cloud costs of this workload?,Internal and external dependencies are identified and cost implications understood.,,,,, -d3feeab3-7272-79bd-b09b-1886d4f34456,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,Cost implications of each Azure service used by the application are understood.,,,,, -e6de9af4-c273-ee00-10e3-def2f82951b4,Cost Optimization,Advisor,DUP- How are you 
modeling cloud costs of this workload?,The right operational capabilities are used for Azure services.,,,,, -714bfeae-4b9b-2e01-53bd-2bd0693dd2b8,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,Special discounts given to services or licenses are factored in when calculating new cost models for services being moved to the cloud.,,,,, -91e065b5-36f1-bccc-b485-e119f7e831c8,Cost Optimization,Advisor,DUP- How are you modeling cloud costs of this workload?,Azure Hybrid Use Benefit is used to drive down cost in the cloud.,,,,, -1093d1bb-0030-d98b-176b-9282713a423c,Cost Optimization,Advisor,How are you modeling cloud costs of this workload?,None of the above.,None of the above.,,,, -422350e3-3409-50f1-2f8a-e12efab260b5,Cost Optimization,Advisor,DUP- How do you govern budgets and application lifespan for this workload?,Budgets are assigned to all services in this workload.,,,,, -67211756-0102-be30-49c7-c5464698d3aa,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,There is a cost owner for every service used by this workload.,,,,, -af727fc7-1954-69db-3faf-2f3a37b4e684,Cost Optimization,Advisor,DUP- How do you govern budgets and application lifespan for this workload?,Cost forecasting is done to ensure it aligns with the budget.,,,,, -09cdfbfb-fd54-8c20-873b-5a08a6f08478,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,There is a monthly or yearly meeting where the budget is reviewed.,,,,, -86a0d4bb-0313-49b7-fba5-a1d8fb4dd79c,Cost Optimization,Advisor,DUP- How do you govern budgets and application lifespan for this workload?,Every environment has a target end-date.,,,,, -c2ff8c7e-0a8f-a9ed-a5e7-5f4fda6d815a,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,Every environment has a plan for migrating to PaaS or serverless to lower the all up cost and transfer risk.,,,,, 
-50814dfd-e567-69e8-24bc-93ad9af203c7,Cost Optimization,Advisor,DUP- How do you govern budgets and application lifespan for this workload?,There is a clear understanding of how budget is defined.,,,,, -6b0efa4d-0242-f6ea-d8f4-6869ede7c355,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,Budget is factored into the building phase.,,,,, -c89f60e9-c2c9-82c5-4831-da970e3e3db6,Cost Optimization,Advisor,DUP- How do you govern budgets and application lifespan for this workload?,There is an ongoing conversation between the app owner and the business.,,,,, -aa62f06f-43a3-d596-5ea6-0801393b0609,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,There is a plan to modernize the workload.,,,,, -bc6a8bef-632d-3abc-34df-4fe79bc8528a,Cost Optimization,Advisor,DUP- How do you govern budgets and application lifespan for this workload?,Azure Tags are used to enrich Azure resources with operational metadata.,,,,, -2b9ee473-d4c4-ce7e-fe7a-beb4092242f7,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,The application has a well-defined naming standard for Azure resources.,,,,, -de966b37-3d2f-0dbc-9f82-c1b9ec999ffb,Cost Optimization,Advisor,DUP- How do you govern budgets and application lifespan for this workload?,Role Based Access Control (RBAC) is used to control access to operational and financial dashboards and underlying data.,,,,, -aebe261a-9fa8-202a-e477-35b6f6a50796,Cost Optimization,Advisor,How do you govern budgets and application lifespan for this workload?,None of the above.,None of the above.,,,, -e1cedccf-6182-7424-a06a-383f71ed4a5b,Cost Optimization,Advisor,DUP- How are you monitoring costs of this workload?,Alerts are set for cost thresholds and limits.,,,,, -27dafb41-3607-fafb-1531-f75c7d658315,Cost Optimization,Advisor,How are you monitoring costs of this workload?,Specific owners and processes are defined for each alert type.,,,,, 
-bf26c15d-b187-3b50-5ad0-8b0c2c48b4bb,Cost Optimization,Advisor,DUP- How are you monitoring costs of this workload?,Application Performance Management (APM) tools and log aggregation technologies are used to collect logs and metrics from Azure resources.,,,,, -64720348-2d30-2ae6-fb2f-a9f0a80f6004,Cost Optimization,Advisor,How are you monitoring costs of this workload?,Cost Management Tools (such as Azure Cost Management) are being used to track spending in this workload.,,,,, -6fe148cc-0ab5-3247-1950-bb1ded7d0bc7,Cost Optimization,Advisor,DUP- How are you monitoring costs of this workload?,None of the above.,None of the above.,,,, -dcef012b-4341-3176-ec4a-1b1e461ea69a,Cost Optimization,Advisor,How do you optimize the design of this workload?,The application was built natively for the cloud.,,,,, -0df7b80b-8b17-3176-6fa6-9e5d0563c01e,Cost Optimization,Advisor,DUP- How do you optimize the design of this workload?,There is an availability strategy defined and cost implications of it are understood.,,,,, -9e3960d1-ac9c-6a5b-cf8c-c518198e6b11,Cost Optimization,Advisor,How do you optimize the design of this workload?,This workload benefits from higher density.,,,,, -ec7293ec-ea2a-f8c3-641c-bf244501b51d,Cost Optimization,Advisor,DUP- How do you optimize the design of this workload?,Data is being transferred between regions.,,,,, -b0af8c74-5b24-3535-031a-2582825a5cbe,Cost Optimization,Advisor,How do you optimize the design of this workload?,Multi-region deployment is supported and cost implications understood.,,,,, -d94fbe9d-1e49-e3a4-42f2-ddd50fed1794,Cost Optimization,Advisor,DUP- How do you optimize the design of this workload?,The workload is designed to use Availability Zones within a region.,,,,, -ddf7817e-c7a8-3592-3944-8b6a585c193a,Cost Optimization,Advisor,How do you optimize the design of this workload?,None of the above.,None of the above.,,,, -10a67868-8c5b-7ea4-5ba2-1db0e229a6c7,Cost Optimization,Advisor,DUP- How do you ensure that cloud services are 
appropriately provisioned?,Performance requirements are well-defined.,,,,, -5474db76-2280-5bd3-cd68-ae587f2086ce,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,Targets for the time it takes to perform scale operations are defined and monitored.,,,,, -d96a58bc-10ab-d5f2-c7a9-c8c2aa87d648,Cost Optimization,Advisor,DUP- How do you ensure that cloud services are appropriately provisioned?,The workload is designed to scale independently.,,,,, -353b67f9-f268-aae7-f412-125715eb5e1a,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,The application has been designed to scale both in and out.,,,,, -b3c5c41d-339a-235e-9052-4bea6a136a4b,Cost Optimization,Advisor,DUP- How do you ensure that cloud services are appropriately provisioned?,Application components and data are split into groups as part of your disaster recovery strategy.,,,,, -86a058ea-d9de-23fc-440c-08d7ed72b951,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,Tools (such as Azure Advisor) are being used to optimise SKUs discovered in this workload.,,,,, -85b03460-87a4-1524-27ac-5ab8fe5d20b2,Cost Optimization,Advisor,DUP- How do you ensure that cloud services are appropriately provisioned?,Resources are reviewed weekly or bi-weekly for optimization.,,,,, -c782cd45-423b-98f0-d778-567f8fec8896,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,Cost-effective regions are considered as part of the deployment selection.,,,,, -c31c274b-8b52-732e-37f2-eb927a5c72da,Cost Optimization,Advisor,DUP- How do you ensure that cloud services are appropriately provisioned?,Dev/Test offerings are used correctly.,,,,, -d6e09c4e-c3de-74cd-6f6a-9aace8189e1e,Cost Optimization,Advisor,How do you ensure that cloud services are appropriately provisioned?,Shared hosting platforms are used correctly.,,,,, -ea8bec59-0284-205d-bbb6-af3e7a6c9c5a,Cost 
Optimization,Advisor,DUP- How do you ensure that cloud services are appropriately provisioned?,None of the above.,None of the above.,,,, -3b18c654-d2ee-8b84-5e1e-775bb99d2aa1,Cost Optimization,Advisor,What considerations for DevOps practices are you making in this workload?,There is an automated process to deploy application releases to production.,,,,, -9cfbd0b0-3299-410f-0f6b-5bb791411819,Cost Optimization,Advisor,DUP- What considerations for DevOps practices are you making in this workload?,There is a difference in configuration for production and non-production environments.,,,,, -d010e6db-18be-1799-a3c2-f0de92ae59ea,Cost Optimization,Advisor,What considerations for DevOps practices are you making in this workload?,Test-environments are deployed automatically and deleted after use.,,,,, -054b89b3-40b1-35c5-0671-485b97904bfb,Cost Optimization,Advisor,DUP- What considerations for DevOps practices are you making in this workload?,There is awareness around how the application has been built and is being maintained (in house or via an external partner).,,,,, -2b7c92e7-9bc5-3443-d30c-38b9db6be9a2,Cost Optimization,Advisor,What considerations for DevOps practices are you making in this workload?,There is awareness regarding the ratio of cost of production and non-production environments for this workload.,,,,, -2d37b9d8-50c1-8c56-314c-48d7a32d0449,Cost Optimization,Advisor,DUP- What considerations for DevOps practices are you making in this workload?,None of the above.,None of the above.,,,, -7b72aac6-fd03-532c-624a-8aaf4e4cfdad,Cost Optimization,Advisor,How do you manage compute costs for this workload?,Appropriate SKUs are used for workload servers.,,,,, -6e316454-4e2c-d4cd-5a47-67a4101241dc,Cost Optimization,Advisor,DUP- How do you manage compute costs for this workload?,Appropriate operating systems are used in the workload.,,,,, -8deafb8e-cf91-a653-7bae-9dd015d700c1,Cost Optimization,Advisor,How do you manage compute costs for this workload?,A recent review of 
SKUs that could benefit from Reserved Instances for 1 or 3 years or more has been performed.,,,,, -77ff5671-75af-ae73-224f-bc85b91f083f,Cost Optimization,Advisor,DUP- How do you manage compute costs for this workload?,Burstable (B) series VM sizes are used for VMs that are idle most of the time and have high usage only in certain periods.,,,,, -d58c2f8c-0f43-383e-c38b-f4a8956dd089,Cost Optimization,Advisor,How do you manage compute costs for this workload?,VM instances which are not used are shut down.,,,,, -9ae1855c-395c-e98e-ea86-ffede1e35209,Cost Optimization,Advisor,DUP- How do you manage compute costs for this workload?,Spot virtual machines are used.,,,,, -504e29a0-1ea1-a781-2728-4c14552f2960,Cost Optimization,Advisor,How do you manage compute costs for this workload?,PaaS is used as an alternative to buying virtual machines.,,,,, -7426d8dd-df3f-84f2-6bb2-ec97497f4f3b,Cost Optimization,Advisor,DUP- How do you manage compute costs for this workload?,Costs are optimized by using the App Service Premium (v3) plan over the Premium (Pv2) plan.,,,,, -7932b8d7-56b5-bcd0-6817-e61a5c1be5aa,Cost Optimization,Advisor,How do you manage compute costs for this workload?,Zone to Zone disaster recovery is used for virtual machines.,,,,, -3b81fe72-3d39-3846-53a7-f5379f377e52,Cost Optimization,Advisor,DUP- How do you manage compute costs for this workload?,The Start/Stop feature in Azure Kubernetes Services (AKS) is used.,,,,, -fc978f0b-116f-faaf-d7e9-26ea7c074695,Cost Optimization,Advisor,How do you manage compute costs for this workload?,None of the above.,None of the above.,,,, -c9af77f7-eb3c-496d-a47d-05c96d5c8776,Cost Optimization,Advisor,DUP- How do you manage networking costs for this workload?,Service Endpoints or Private Link are used for accessing Azure PaaS services.,,,,, -309e5271-63a0-cb0e-0f2c-6fb8c66008e6,Cost Optimization,Advisor,How do you manage networking costs for this workload?,Hub and spoke design pricing is understood.,,,,, 
-13720def-a339-d9dd-d120-6bde319dff18,Cost Optimization,Advisor,DUP- How do you manage networking costs for this workload?,Microsoft backbone network is preferred.,,,,, -d108c6a8-07d3-ab51-bc3c-2caf243eb784,Cost Optimization,Advisor,How do you manage networking costs for this workload?,DDoS attack mitigation plans and capabilities are in place.,,,,, -bf23c3c7-6323-2fde-2360-d61335db8582,Cost Optimization,Advisor,DUP- How do you manage networking costs for this workload?,"Azure Front Door, Azure App Gateway or Web Application Firewall is used.",,,,, -fa6900d0-8575-1cbf-d7a9-8fb762a1cef7,Cost Optimization,Advisor,How do you manage networking costs for this workload?,The workload is connected between regions (using network peering or gateways).,,,,, -9eb845a8-d7df-3032-c23d-c5119a7f09e8,Cost Optimization,Advisor,DUP- How do you manage networking costs for this workload?,Azure resources are connecting to the internet via on-premises.,,,,, -08bf25f4-9fe5-8d6a-9936-92a314e24f0d,Cost Optimization,Advisor,How do you manage networking costs for this workload?,Public IPs and orphaned NICs are regularly cleaned up.,,,,, -a6cbcefe-6dd2-ef1f-cea5-a7bb944b4bfd,Cost Optimization,Advisor,DUP- How do you manage networking costs for this workload?,None of the above.,None of the above.,,,, -f71ad8f1-2698-c650-eaaa-ffc2b8423e5e,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,Reserved capacity is used for data in block blob storage.,,,,, -74d17179-274b-06b3-ebc2-ffe4b1f4c998,Cost Optimization,Advisor,DUP- How do you manage storage and data costs for this workload?,Data is organized into access tiers.,,,,, -31f279d4-6fad-b2dd-747b-edb86032084e,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,Life-cycle policy is used to move data between access tiers.,,,,, -892ee65e-3511-5be3-7dc5-27c87e4d2818,Cost Optimization,Advisor,DUP- How do you manage storage and data costs for this workload?,Shared disks are leveraged for 
suitable workloads.,,,,, -fa4bc916-a9e7-5334-fc16-22c667dd8a26,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,Reserved premium disks (P30 & above) are used.,,,,, -9c795df2-b2a8-aa9e-b351-05e8a6af505e,Cost Optimization,Advisor,DUP- How do you manage storage and data costs for this workload?,Bursting for P20 and below disks is utilized for suitable workloads.,,,,, -68a238e2-a4c2-953f-96ed-ae386d79b190,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,"For database workloads, data and log files are stored on separate disks.",,,,, -38860e0e-bf61-16dd-140b-7c677d41c56c,Cost Optimization,Advisor,DUP- How do you manage storage and data costs for this workload?,"Unused storage resources (e.g. unattached disks, old snapshots) are periodically cleaned up.",,,,, -bbfede1d-3d8d-5cb8-1057-3501cc760b16,Cost Optimization,Advisor,How do you manage storage and data costs for this workload?,Selective disk backup and restore for Azure VMs is used.,,,,, -208e46e8-fde8-313b-9b84-d33d637d6629,Cost Optimization,Advisor,DUP- How do you manage storage and data costs for this workload?,None of the above.,None of the above.,,,, \ No newline at end of file diff --git a/WARP/devops/testing/test-assessment.csv b/WARP/devops/testing/test-assessment.csv deleted file mode 100644 index a94224d..0000000 --- a/WARP/devops/testing/test-assessment.csv +++ /dev/null 
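Review bot: the deleted All-Plus-Advisor.csv fixture contains deliberately duplicated question rows (every `DUP- How do you govern budgets and application lifespan for this workload?`, `DUP- How are you monitoring costs of this workload?`, etc. entry alternating with its un-prefixed original under a distinct id), which reads as input crafted to exercise a de-duplication path in the WARP tooling; if that behaviour has no other test, removing the file drops its only coverage. Suggest keeping a trimmed committed sample of a few original/DUP row pairs, or moving an inline fixture into the test, before the file goes, and recording in the commit message why the fixture is no longer needed.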
@@ -1,953 +0,0 @@ -"Azure Well-Architected Review - Dec 21, 2021 - 2:41:03 PM",,,,, -,,,,, -Recommendations for your workload,,,,, -Your overall results,Critical,'0/100',,, -Reliability,Critical,'0/100',,, -Security,Critical,'0/100',,, -Cost Optimization,Critical,'0/100',,, -Operational Excellence,Critical,'0/100',,, -Performance Efficiency,Critical,'0/100',,, -WAF Configuration,Not assessed,,,, -Reliability - Azure Machine Learning,Not assessed,,,, -Security - Azure Machine Learning,Not assessed,,,, -Cost Optimization - Azure Machine Learning,Not assessed,,,, -Operational Excellence - Azure Machine Learning,Not assessed,,,, -Performance Efficiency - Azure Machine Learning,Not assessed,,,, -Reliability - Data Management,Not assessed,,,, -Security - Data Management,Not assessed,,,, -Cost Optimization - Data management,Not assessed,,,, -Operational Excellence - Data Management,Not assessed,,,, -Performance Efficiency - Data Management,Not assessed,,,, -,,,,, -Next Steps,,,,, -Review identify and classify business critical applications,https://docs.microsoft.com/azure/architecture/framework/Security/applications-services#identify-and-classify-business-critical-applications,,,, -Define RPO and RTO for your workload,https://docs.microsoft.com/azure/architecture/framework/Resiliency/business-metrics#recovery-metrics,,,, -Review limits,https://docs.microsoft.com/azure/architecture/framework/DevOps/app-design#limits,,,, -,,,,, -Category,Link-Text,Link,Priority,ReportingCategory,ReportingSubcategory,Weight,Context -Reliability,Identify distinct workloads,https://docs.microsoft.com/azure/architecture/framework/Resiliency/app-design#considerations-for-improving-reliability,High,Application Design,Design,99,Identify distinct workloads -Reliability,Have clearly defined availability targets,https://docs.microsoft.com/azure/architecture/framework/Resiliency/business-metrics#workload-availability-targets,High,Application Design,Targets & Non-Functional Requirements,95,Have clearly 
defined availability targets -Reliability,Compute a composite SLA for your workload,https://docs.microsoft.com/azure/architecture/framework/Resiliency/business-metrics#understand-service-level-agreements,High,Application Design,Targets & Non-Functional Requirements,95,Compute a composite SLA for your workload -Reliability,Identify SLAs for 3rd party dependencies,https://docs.microsoft.com/azure/architecture/framework/resiliency/design-resiliency#understand-the-impact-of-dependencies,High,Application Design,Targets & Non-Functional Requirements,95,Identify SLAs for 3rd party dependencies -Reliability,Identify recovery targets for your workload,https://docs.microsoft.com/azure/architecture/framework/Resiliency/business-metrics#recovery-metrics,High,Application Design,Targets & Non-Functional Requirements,90,Identify recovery targets for your workload -Reliability,Decouple the lifecycle of the application from its dependencies,https://docs.microsoft.com/azure/architecture/framework/resiliency/design-resiliency#understand-the-impact-of-dependencies,High,Application Design,Dependencies,85,Decouple the lifecycle of the application from its dependencies -Reliability,Perform a failure mode analysis,https://docs.microsoft.com/azure/architecture/resiliency/failure-mode-analysis,High,Application Design,Failure Mode Analysis,85,Perform a failure mode analysis -Reliability,Use semantic logs and metrics,https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview,High,Health Modeling & Monitoring,Monitoring and Measurement,84,Use semantic logs and metrics -Reliability,Monitor long-running workflows for failures,https://docs.microsoft.com/azure/architecture/framework/Resiliency/monitoring#long-running-workflow-failures,High,Application Design,Transactional,80,Monitor long-running workflows for failures -Reliability,Measure and monitor key availability 
targets,https://docs.microsoft.com/azure/architecture/framework/Resiliency/business-metrics#availability-metrics,High,Application Design,Targets & Non-Functional Requirements,80,Measure and monitor key availability targets -Reliability,Collect and store logs and key metrics of critical components,https://docs.microsoft.com/azure/architecture/framework/Resiliency/monitoring#instrumentation,High,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,80,Collect and store logs and key metrics of critical components -Reliability,Correlate logs across workload tiers,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#analyzing-data-and-diagnosing-issues,High,Health Modeling & Monitoring,Application Level Monitoring,80,Correlate logs across workload tiers -Reliability,Create a data restoration plan,https://docs.microsoft.com/azure/architecture/reliability/architect#manage-your-data,High,Data Platform Availability,Replication and Redundancy,79,Create a data restoration plan -Reliability,Develop a plan for region/zone/network outages,https://docs.microsoft.com/azure/architecture/framework/Resiliency/backup-and-recovery#network-outage,High,Application Design,Design,79,Develop a plan for region/zone/network outages -Reliability,Document regional failure plan,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#plan-for-regional-failures,High,Application Platform Availability,Compute Availability,79,Document regional failure plan -Reliability,Create a backup strategy,https://docs.microsoft.com/azure/architecture/framework/Resiliency/backup-and-recovery#backup-strategy,High,Data Platform Availability,Replication and Redundancy,79,Create a backup strategy -Reliability,Create a disaster recovery plan,https://docs.microsoft.com/azure/architecture/framework/Resiliency/backup-and-recovery#disaster-recovery-plan,High,Application Design,Design,79,Create a disaster recovery plan -Reliability,Plan for dependent 
service outages,https://docs.microsoft.com/azure/architecture/framework/Resiliency/backup-and-recovery#dependent-service-outage,High,Application Design,Dependencies,79,Plan for dependent service outages -Reliability,Use high availability offerings for platform services,https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability,High,Application Platform Availability,Service SKU,77,Use high availability offerings for platform services -Reliability,Validate Availability Zones are in required regions,https://docs.microsoft.com/azure/availability-zones/az-region,High,Capacity & Service Availability Planning,Service Availability,77,Validate Availability Zones are in required regions -Reliability,Operate your workload in multiple regions,https://docs.microsoft.com/azure/availability-zones/az-overview,High,Application Design,Design,77,Operate your workload in multiple regions -Reliability,Deploy to multiple availability zones,https://docs.microsoft.com/azure/availability-zones/az-overview#availability-zones,High,Application Design,Design,75,Deploy to multiple availability zones -Reliability,Detect and remediate faults through chaos engineering,https://docs.microsoft.com/azure/architecture/framework/resiliency/chaos-engineering,Medium,Deployment & Testing,Testing & Validation,57,Detect and remediate faults through chaos engineering -Reliability,Perform chaos testing by injecting faults,https://docs.microsoft.com/azure/architecture/framework/Resiliency/testing#fault-injection-testing,Medium,Deployment & Testing,Testing & Validation,57,Perform chaos testing by injecting faults -Reliability,Test under expected peak load,https://docs.microsoft.com/azure/architecture/framework/Resiliency/testing#test-under-peak-loads,Medium,Deployment & Testing,Testing & Validation,57,Test under expected peak load -Reliability,Have redundant network connections to on-prem data 
sources,https://docs.microsoft.com/azure/expressroute/cross-network-connectivity,Medium,Networking & Connectivity,Connectivity,55,Have redundant network connections to on-prem data sources -Reliability,Simulate a failure path for cross premise connectivity,https://docs.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering,Medium,Networking & Connectivity,Connectivity,55,Simulate a failure path for cross premise connectivity -Reliability,Manage load balancer connections to avoid port exhaustion,https://docs.microsoft.com/azure/load-balancer/load-balancer-outbound-connections#scenarios,Medium,Application Performance Management,Network Throughput and Latency,54,Manage load balancer connections to avoid port exhaustion -Reliability,Load balance traffic across availability zones,https://docs.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones,Medium,Networking & Connectivity,Connectivity,54,Load balance traffic across availability zones -Reliability,Create application specific health probes,https://docs.microsoft.com/azure/architecture/framework/Resiliency/app-design-error-handling#application-health-probes,Medium,Networking & Connectivity,Zone-Aware Services,54,Create application specific health probes -Reliability,Implement load balancing,https://docs.microsoft.com/azure/architecture/guide/technology-choices/load-balancing-overview,Medium,Networking & Connectivity,Connectivity,54,Implement load balancing -Reliability,Plan for expected usage patterns,https://docs.microsoft.com/azure/architecture/framework/scalability/design-capacity#preemptively-scaling-based-on-trends,Medium,Application Design,Targets & Non-Functional Requirements,54,Plan for expected usage patterns -Reliability,Automate key rotation,https://docs.microsoft.com/azure/key-vault/secrets/key-rotation-log-monitoring,Medium,Operational Procedures,Configuration & Secrets Management,53,Automate key rotation -Reliability,Backup keys and secrets in a 
geo-redudant way,https://docs.microsoft.com/azure/key-vault/general/disaster-recovery-guidance,Medium,Operational Procedures,Configuration & Secrets Management,53,Backup keys and secrets in a geo-redudant way -Reliability,Put operational procedures into place for if data size exceeds limits,https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#managing-limits,Medium,Application Performance Management,Data Size/Growth,52,Put operational procedures into place for if data size exceeds limits -Reliability,Automate your tests,https://docs.microsoft.com/azure/architecture/framework/devops/testing#automated-testing,Medium,Deployment & Testing,Testing & Validation,51,Automate your tests -Reliability,Automatically test your failover and failback process,https://docs.microsoft.com/azure/architecture/framework/Resiliency/backup-and-recovery#failover-and-failback-testing,Medium,Operational Procedures,Recovery & Failover,51,Automatically test your failover and failback process -Reliability,Architect storage for resiliency,https://docs.microsoft.com/azure/architecture/framework/Resiliency/data-management#storage-resiliency,Medium,Data Platform Availability,Service SKU,50,Architect storage for resiliency -Reliability,Distribute data geographically,https://docs.microsoft.com/azure/architecture/framework/Resiliency/data-management#distribute-data-geographically,Medium,Application Design,Design,50,Distribute data geographically -Reliability,Implement request timeouts,https://docs.microsoft.com/azure/architecture/framework/Resiliency/app-design-error-handling#request-timeouts,Medium,Application Design,Design,50,Implement request timeouts -Reliability,Implement retry logic to handle transient failures,https://docs.microsoft.com/azure/architecture/framework/Resiliency/app-design-error-handling#handling-transient-failures,Medium,Application Design,Design,50,Implement retry logic to handle transient failures -Reliability,Implement resiliency 
strategies in your workload,https://docs.microsoft.com/azure/architecture/framework/resiliency/design-resiliency#build-resiliency-with-failure-mode-analysis,Medium,Application Design,Design,50,Implement resiliency strategies in your workload -Reliability,Archive application configuration and installation information,https://docs.microsoft.com/azure/architecture/patterns/external-configuration-store#custom-backing-store-example,Medium,Operational Procedures,Configuration & Secrets Management,50,Archive application configuration and installation information -Reliability,Decouple your application services,https://docs.microsoft.com/azure/architecture/guide/design-principles/minimize-coordination,Medium,Application Design,Targets & Non-Functional Requirements,50,Decouple your application services -Reliability,Store session state in an external data store,https://docs.microsoft.com/aspnet/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/web-development-best-practices,Medium,Operational Procedures,Configuration & Secrets Management,50,Store session state in an external data store -Reliability,Avoid session state,https://docs.microsoft.com/aspnet/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/web-development-best-practices#sessionstate,Medium,Operational Procedures,Configuration & Secrets Management,50,Avoid session state -Reliability,Create health probes that validate data consistency,https://docs.microsoft.com/azure/architecture/framework/resiliency/monitor-model#create-good-health-probes,Medium,Networking & Connectivity,Connectivity,50,Create health probes that validate data consistency -Reliability,Implement application throttling,https://docs.microsoft.com/azure/architecture/patterns/throttling,Medium,Application Design,Design,50,Implement application throttling -Reliability,Segregate read operations from update 
operations,https://docs.microsoft.com/azure/architecture/patterns/cqrs,Medium,Application Design,Design,50,Segregate read operations from update operations -Security,Configure emergency access accounts,https://docs.microsoft.com/azure/active-directory/roles/security-emergency-access,High,Operational Model & DevOps,Roles & Responsibilities,100,Configure emergency access accounts -Security,Implement threat protection for the workload,https://docs.microsoft.com/azure/security-center/azure-defender,High,Application Design,Threat Analysis,100,Implement threat protection for the workload -Security,Implement established processes and timelines to deploy mitigations for identified threats,https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model#3--mitigate-the-identified-threats,High,Application Design,Threat Analysis,90,Implement established processes and timelines to deploy mitigations for identified threats -Security,Scan container workloads for vulnerabilities,https://docs.microsoft.com/azure/security-center/container-security,High,Deployment & Testing,Testing & Validation,90,Scan container workloads for vulnerabilities -Security,Adopt a formal DevSecOps approach to building and maintaining software,https://docs.microsoft.com/azure/architecture/framework/security/deploy,High,Operational Model & DevOps,General,90,Adopt a formal DevSecOps approach to building and maintaining software -Security,Implement a branch policy strategy to enhance DevOps security,https://docs.microsoft.com/azure/architecture/framework/security/deploy-governance#gated-approval-process,High,Deployment & Testing,Application Code Deployments,90,Implement a branch policy strategy to enhance DevOps security -Security,Adopt a zero trust approach,https://docs.microsoft.com/azure/security/fundamentals/network-best-practices?bc=%2fazure%2farchitecture%2fbread%2ftoc.json&toc=%2fazure%2farchitecture%2ftoc.json#adopt-a-zero-trust-approach,High,Networking & Connectivity,Data 
flow,90,Adopt a zero trust approach -Security,Establish a detection and response strategy for identity risks,https://docs.microsoft.com/azure/architecture/framework/security/monitor-identity-network#review-identity-risks,High,Health Modeling & Monitoring,Application Level Monitoring,90,Establish a detection and response strategy for identity risks -Security,Implement security strategy to contain attacker access,https://docs.microsoft.com/azure/architecture/framework/security/resilience#containing-attacker-access,High,Application Design,Application Design,90,Implement security strategy to contain attacker access -Security,"Restrict access to backend services to a minimal set of public IP addresses, only those who really need it",https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#communication-with-backend-services,High,Networking & Connectivity,Connectivity,90,"Restrict access to backend services to a minimal set of public IP addresses, only those who really need it" -Security,Protect all public endpoints with appropriate controls,https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints#web-application-firewalls-wafs,High,Networking & Connectivity,Endpoints,90,Protect all public endpoints with appropriate controls -Security,Classify your data at rest and use encryption,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-at-rest,High,Security & Compliance,Encryption,90,Classify your data at rest and use encryption -Security,Implement Conditional Access Policies,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#enable-conditional-access,High,Security & Compliance,Authentication and authorization,90,Implement Conditional Access Policies -Security,Adopt threat modeling processes,https://docs.microsoft.com/azure/security/develop/threat-modeling-tool-threats,High,Application Design,Threat Analysis,90,Adopt 
threat modeling processes -Security,Establish a security operations center (SOC),https://docs.microsoft.com/azure/architecture/framework/security/security-operations,High,Operational Procedures,Incident Response,90,Establish a security operations center (SOC) -Security,Ensure all Azure environments that connect to your production environment/network apply your organization’s policy and IT governance controls for security,https://docs.microsoft.com/azure/architecture/framework/Security/governance#manage-connected-tenants,High,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,80,Ensure all Azure environments that connect to your production environment/network apply your organization’s policy and IT governance controls for security -Security,"Remove platform-specific information from HTTP headers, error messages, and web site content",https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#configuration-security,High,Application Design,Design,70,"Remove platform-specific information from HTTP headers, error messages, and web site content" -Security,Involve the security team in the development process,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/security-governance-and-compliance#service-enablement-framework,High,Operational Model & DevOps,Roles & Responsibilities,70,Involve the security team in the development process -Security,Use service endpoints and private links where appropriate,https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints#public-endpoints,High,Networking & Connectivity,Connectivity,70,Use service endpoints and private links where appropriate -Security,Use penetration testing and red team exercises to validate security defenses for this workload,https://docs.microsoft.com/azure/architecture/framework/security/monitor-test#penetration-testing-pentesting,High,Deployment & Testing,Testing & Validation,70,Use penetration testing 
and red team exercises to validate security defenses for this workload -Security,Standardize on modern authentication protocols,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-modern-password-protection,High,Security & Compliance,Authentication and authorization,70,Standardize on modern authentication protocols -Security,"Develop and implement a process to track, triage, and address threats into the application development lifecycle",https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model#1--gather-information-about-the-basic-security-controls,High,Application Design,Threat Analysis,70,"Develop and implement a process to track, triage, and address threats into the application development lifecycle" -Security,Use Managed Identities for authentication to other Azure platform services,https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/,High,Operational Procedures,Configuration & Secrets Management,70,Use Managed Identities for authentication to other Azure platform services -Security,Define a set of Azure Policies which enforce organizational standards and are aligned with the governance team,https://docs.microsoft.com/azure/governance/policy/overview,High,Security & Compliance,Compliance,70,Define a set of Azure Policies which enforce organizational standards and are aligned with the governance team -Security,Establish an incident response plan and perform periodically a simulated execution,https://info.microsoft.com/rs/157-GQE-382/images/EN-US-CNTNT-emergency-doc-digital.pdf,High,Operational Procedures,Incident Response,70,Establish an incident response plan and perform periodically a simulated execution -Security,Conduct periodic access reviews for the workload,https://docs.microsoft.com/azure/architecture/framework/security/monitor-audit#enforce-policy-compliance,High,Security & Compliance,Control-plane RBAC,70,Conduct periodic access reviews for the 
workload -Security,Implement a solution to configure unique local admin credentials,https://docs.microsoft.com/azure/automation/update-management/overview,High,Operational Procedures,Patch & Update Process (PNU),70,Implement a solution to configure unique local admin credentials -Security,Apply security controls to self-hosted build agents in the same manner as with other Azure IaaS VMs,https://docs.microsoft.com/azure/architecture/framework/security/deploy-infrastructure#build-environments,High,Deployment & Testing,Build Environments,70,Apply security controls to self-hosted build agents in the same manner as with other Azure IaaS VMs -Security,Configure quality gate approvals in DevOps release process,https://docs.microsoft.com/azure/architecture/framework/security/deploy-governance#gated-approval-process,High,Operational Model & DevOps,Roles & Responsibilities,70,Configure quality gate approvals in DevOps release process -Security,Clearly define CI/CD roles and permissions,https://docs.microsoft.com/azure/architecture/framework/security/deploy-governance#minimize-access,High,Operational Model & DevOps,Roles & Responsibilities,70,Clearly define CI/CD roles and permissions -Security,Review and consider elevated security capabilities for Azure workloads,https://azure.microsoft.com/solutions/confidential-compute/,High,Governance,Standards,70,Review and consider elevated security capabilities for Azure workloads -Security,Automatically remove/obfuscate personally identifiable information (PII) for this workload,https://docs.microsoft.com/azure/search/cognitive-search-skill-pii-detection,High,Health Modeling & Monitoring,Application Level Monitoring,70,Automatically remove/obfuscate personally identifiable information (PII) for this workload -Security,Implement a landing zone concept with Azure Blueprints and Azure Policies,https://docs.microsoft.com/azure/architecture/framework/Security/governance#increase-automation-with-azure-blueprints,High,Application 
Design,Dependencies,70,Implement a landing zone concept with Azure Blueprints and Azure Policies -Security,Establish lifecycle management policy for critical accounts,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authorization#authorization-for-critical-accounts,High,Security & Compliance,Separation of duties,70,Establish lifecycle management policy for critical accounts -Security,Periodically perform external and/or internal workload security audits,https://docs.microsoft.com/azure/architecture/framework/security/monitor-audit#review-critical-access,High,Security & Compliance,Compliance,70,Periodically perform external and/or internal workload security audits -Security,Follow DevOps security guidance and automation for securing applications,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code,High,Operational Model & DevOps,General,70,Follow DevOps security guidance and automation for securing applications -Security,Discover and remediate common risks to improve Secure Score in Azure Security Center,https://docs.microsoft.com/azure/architecture/framework/Security/governance#discover-and-remediate-common-risks,High,Security & Compliance,Security Center,70,Discover and remediate common risks to improve Secure Score in Azure Security Center -Security,Designate the parties responsible for specific functions in Azure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-role-definitions,High,Operational Model & DevOps,Roles & Responsibilities,70,Designate the parties responsible for specific functions in Azure -Security,Integrate code scanning tools within CI/CD pipeline,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code#credential-scanning,High,Deployment & Testing,Application Code Deployments,70,Integrate code scanning tools within CI/CD pipeline -Security,Implement lifecycle management process for SSL/TLS 
certificates,https://docs.microsoft.com/azure/key-vault/certificates/tutorial-rotate-certificates,High,Operational Procedures,Configuration & Secrets Management,70,Implement lifecycle management process for SSL/TLS certificates -Security,"Review, prioritize, and proactively apply security best practices to cloud resources",https://docs.microsoft.com/azure/architecture/framework/Security/governance#prioritize-security-best-practices-investments,High,Application Design,Security Criteria & Data Classification,70,"Review, prioritize, and proactively apply security best practices to cloud resources" -Security,Develop a security plan,https://docs.microsoft.com/azure/cloud-adoption-framework/get-started/security#step-3-develop-a-security-plan,High,Application Design,Security Criteria & Data Classification,70,Develop a security plan -Security,Use Azure Firewall or a 3rd party next-generation firewall to protect against data exfiltration,https://docs.microsoft.com/azure/architecture/framework/security/design-network-flow#data-exfiltration,High,Networking & Connectivity,Connectivity,70,Use Azure Firewall or a 3rd party next-generation firewall to protect against data exfiltration -Security,Use NSG or Azure Firewall to protect and control traffic within VNETs,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#connectivity-between-network-segments,High,Networking & Connectivity,Connectivity,70,Use NSG or Azure Firewall to protect and control traffic within VNETs -Security,Establish a unified enterprise segmentation strategy,https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation,High,Networking & Connectivity,Connectivity,70,Establish a unified enterprise segmentation strategy -Security,Establish security benchmarking using Azure Security Benchmark to align with industry 
standards,https://docs.microsoft.com/azure/architecture/framework/Security/governance#evaluate-security-using-benchmarks,High,Application Design,Threat Analysis,70,Establish security benchmarking using Azure Security Benchmark to align with industry standards -Security,Protect workload publishing methods and restrict those not in use,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#communication-with-backend-services,High,Networking & Connectivity,Endpoints,70,Protect workload publishing methods and restrict those not in use -Security,Implement just-in-time privileged access management,https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure,High,Operational Model & DevOps,Roles & Responsibilities,70,Implement just-in-time privileged access management -Security,Mitigate DDoS attacks,https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints#mitigate-ddos-attacks,High,Networking & Connectivity,Endpoints,70,Mitigate DDoS attacks -Security,Establish a designated group responsible for central network management,https://docs.microsoft.com/azure/architecture/framework/security/design-segmentation#functions-and-teams,High,Security & Compliance,Network Security,70,Establish a designated group responsible for central network management -Security,Evolve security beyond network controls,https://docs.microsoft.com/azure/architecture/framework/Security/network-security-containment#evolve-security-beyond-network-controls,High,Security & Compliance,Network Security,70,Evolve security beyond network controls -Security,"Prohibit direct internet access of virtual machines with policy, logging, and monitoring",https://docs.microsoft.com/azure/architecture/framework/Security/governance#remove-virtual-machine-vm-direct-internet-connectivity,High,Networking & Connectivity,Endpoints,70,"Prohibit direct internet access of virtual machines with policy, logging, and monitoring" 
-Security,Define an access model for keys and secrets,https://docs.microsoft.com/azure/key-vault/general/secure-your-key-vault,High,Operational Procedures,Configuration & Secrets Management,70,Define an access model for keys and secrets -Security,Build a security containment strategy,https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation,High,Security & Compliance,Network Security,70,Build a security containment strategy -Security,Deprecate legacy network security controls,https://docs.microsoft.com/azure/architecture/framework/Security/network-security-containment#discontinue-legacy-network-security-technology,High,Security & Compliance,Network Security,70,Deprecate legacy network security controls -Security,Use only secure hash algorithms (SHA-2 family),https://docs.microsoft.com/azure/architecture/framework/Security/governance#discover-and-replace-insecure-protocols,High,Security & Compliance,Encryption,70,Use only secure hash algorithms (SHA-2 family) -Security,Define security requirements for the workload,https://docs.microsoft.com/azure/governance/policy/concepts/azure-security-benchmark-baseline,High,Application Design,Threat Analysis,70,Define security requirements for the workload -Security,Data in transit should be encrypted at all points to ensure data integrity,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit,High,Security & Compliance,Encryption,70,Data in transit should be encrypted at all points to ensure data integrity -Security,"Use tools like Azure Disk Encryption, BitLocker or DM-Crypt to encrypt virtual disks",https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-classification,High,Security & Compliance,Encryption,70,"Use tools like Azure Disk Encryption, BitLocker or DM-Crypt to encrypt virtual disks" -Security,Store keys and secrets outside of application code in Azure Key 
Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-keys#key-storage,High,Operational Procedures,Configuration & Secrets Management,70,Store keys and secrets outside of application code in Azure Key Vault -Security,Integrate network logs into a Security Information and Event Management (SIEM),https://docs.microsoft.com/azure/architecture/framework/security/monitor-security-operations#leverage-native-detections-and-controls,High,Security & Compliance,Network Security,70,Integrate network logs into a Security Information and Event Management (SIEM) -Security,Establish a process for key management and automatic key rotation,https://docs.microsoft.com/azure/key-vault/secrets/tutorial-rotation-dual,High,Operational Procedures,Configuration & Secrets Management,70,Establish a process for key management and automatic key rotation -Security,Identify and classify business critical applications,https://docs.microsoft.com/azure/architecture/framework/Security/applications-services#identify-and-classify-business-critical-applications,Medium,Application Design,Threat Analysis,60,Identify and classify business critical applications -Security,Configure and collect network traffic logs,https://docs.microsoft.com/azure/architecture/framework/security/monitor-identity-network#enable-network-visibility,Medium,Networking & Connectivity,Connectivity,60,Configure and collect network traffic logs -Security,"Use services available from a cloud provider for well-established functions like databases, encryption, identity directory, and authentication",https://docs.microsoft.com/azure/architecture/framework/security/design-apps-considerations#use-azure-services-for-fundamental-components,Medium,Application Design,Design,60,"Use services available from a cloud provider for well-established functions like databases, encryption, identity directory, and authentication" -Security,Implement security playbooks for incident 
response,https://docs.microsoft.com/azure/security-center/workflow-automation,Medium,Operational Procedures,Incident Response,60,Implement security playbooks for incident response -Security,Develop a security training program,https://www.microsoft.com/itshowcase/blog/how-microsoft-is-transforming-its-approach-to-security-training/,Medium,Operational Model & DevOps,Roles & Responsibilities,60,Develop a security training program -Security,Regularly simulate attacks against critical accounts,https://docs.microsoft.com/azure/architecture/framework/Security/critical-impact-accounts#attack-simulation-for-critical-impact-accounts,Medium,Deployment & Testing,Testing & Validation,60,Regularly simulate attacks against critical accounts -Security,Ensure security team has Security Reader or equivalent to support all cloud resources in their purview,https://docs.microsoft.com/azure/architecture/framework/Security/governance#security-team-visibility,Medium,Security & Compliance,Control-plane RBAC,60,Ensure security team has Security Reader or equivalent to support all cloud resources in their purview -Security,Configure web apps to reuse authentication tokens securely and handle them like other credentials,https://docs.microsoft.com/azure/active-directory/develop/msal-acquire-cache-tokens,Medium,Security & Compliance,Authentication and authorization,60,Configure web apps to reuse authentication tokens securely and handle them like other credentials -Security,Use standard and recommended encryption algorithms,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#standard-encryption-algorithms,Medium,Security & Compliance,Encryption,60,Use standard and recommended encryption algorithms -Security,Synchronize on-premises directory with Azure AD,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#centralize-all-identity-systems,Medium,Security & Compliance,Authentication and authorization,60,Synchronize 
on-premises directory with Azure AD -Security,Leverage a cloud application security broker (CASB),https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security,Medium,Networking & Connectivity,Data flow,60,Leverage a cloud application security broker (CASB) -Security,Design virtual networks for growth,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#connectivity-between-network-segments,Medium,Security & Compliance,Network Security,60,Design virtual networks for growth -Security,"Add planning, testing, and validation rigor to the use of the root management group",https://docs.microsoft.com/azure/architecture/framework/security/design-management-groups#use-root-management-group-with-caution,Medium,Security & Compliance,Control-plane RBAC,60,"Add planning, testing, and validation rigor to the use of the root management group" -Security,Maintain a list of frameworks and libraries as part of the application inventory,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Dependencies,60,Maintain a list of frameworks and libraries as part of the application inventory -Security,Assign permissions based on management or resource groups,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authorization#resource-based-authorization,Medium,Security & Compliance,Control-plane RBAC,60,Assign permissions based on management or resource groups -Security,Implement automated deployment process with rollback/roll-forward capabilities,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code#rollback-and-roll-forward,Medium,Deployment & Testing,Application Code Deployments,60,Implement automated deployment process with rollback/roll-forward capabilities -Security,Implement identity-based storage access 
controls,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#azure-encryption-features,Medium,Security & Compliance,Encryption,60,Implement identity-based storage access controls -Security,Implement role-based access control for application infrastructure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#roles-and-permission-assignment,Medium,Security & Compliance,Separation of duties,50,Implement role-based access control for application infrastructure -Security,Establish a SecOps team and monitor security related events,https://docs.microsoft.com/azure/architecture/framework/security/monitor-security-operations#incident-response,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Establish a SecOps team and monitor security related events -Security,"Provide guidance for either platform managed keys (PMK) or customer managed keys (CMK), based on security or compliance requirements of this workload",https://docs.microsoft.com/azure/security/fundamentals/encryption-models,Medium,Operational Procedures,Configuration & Secrets Management,50,"Provide guidance for either platform managed keys (PMK) or customer managed keys (CMK), based on security or compliance requirements of this workload" -Security,Continuously assess and monitor compliance,https://docs.microsoft.com/azure/security-center/security-center-compliance-dashboard#assess-your-regulatory-compliance,Medium,Security & Compliance,Compliance,50,Continuously assess and monitor compliance -Security,Make sure that all regulatory requirements are known and well understood,https://docs.microsoft.com/azure/architecture/framework/security/design-regulatory-compliance#gather-regulatory-requirements,Medium,Governance,Standards,50,Make sure that all regulatory requirements are known and well understood -Security,Make sure you understand the security features/capabilities available for each service and how they can be used 
in the solution,https://docs.microsoft.com/azure/architecture/framework/security/design-apps-services,Medium,Application Design,Application Composition,50,Make sure you understand the security features/capabilities available for each service and how they can be used in the solution -Security,Identify technologies and frameworks used by the application,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Application Composition,50,Identify technologies and frameworks used by the application -Security,Update frameworks and libraries as part of the application lifecycle,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Dependencies,50,Update frameworks and libraries as part of the application lifecycle -Security,Restrict application infrastructure access to CI/CD only,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#application-deployment,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,Restrict application infrastructure access to CI/CD only -Security,Use identity services instead of cryptographic keys when available,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-keys#identity-based-access-control,Medium,Security & Compliance,Authentication and authorization,50,Use identity services instead of cryptographic keys when available -Security,Establish a designated point of contact to receive Azure incident notifications from Microsoft,https://docs.microsoft.com/azure/architecture/framework/Security/governance#assign-incident-notification-contact,Medium,Security & Compliance,Separation of duties,50,Establish a designated point of contact to receive Azure incident notifications from Microsoft -Security,Enforce password-less or Multi-factor Authentication 
(MFA),https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-passwordless-authentication,Medium,Security & Compliance,Authentication and authorization,50,Enforce password-less or Multi-factor Authentication (MFA) -Security,Use managed identity providers to authenticate to this workload,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-identity-based-authentication,Medium,Security & Compliance,Authentication and authorization,50,Use managed identity providers to authenticate to this workload -Security,Establish process and tools to manage privileged access with just-in-time capabilities,https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices?bc=%2fazure%2farchitecture%2fbread%2ftoc.json&toc=%2fazure%2farchitecture%2ftoc.json#lower-exposure-of-privileged-accounts,Medium,Security & Compliance,Separation of duties,50,Establish process and tools to manage privileged access with just-in-time capabilities -Security,Limit long-standing write access to production environments only to service principals,https://docs.microsoft.com/azure/architecture/framework/security/design-admins#no-standing-access--just-in-time-privileges,Medium,Operational Model & DevOps,Roles & Responsibilities,50,Limit long-standing write access to production environments only to service principals -Security,Implement resource locks to protect critical infrastructure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#management-locks,Medium,Security & Compliance,Control-plane RBAC,40,Implement resource locks to protect critical infrastructure -Security,Implement defenses that detect and prevent commodity attacks,https://docs.microsoft.com/azure/architecture/framework/security/resilience#increasing-attacker-cost,Low,Application Design,Security Criteria & Data Classification,30,Implement defenses that detect and prevent commodity 
attacks -Security,"Define a process for aligning communication, investigation and hunting activities with the application team",https://docs.microsoft.com/azure/architecture/framework/Security/governance#security-team-visibility,Low,Health Modeling & Monitoring,Application Level Monitoring,30,"Define a process for aligning communication, investigation and hunting activities with the application team" -Security,Enforce naming conventions and resource tagging for all Azure resources,https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging,Low,Governance,Standards,30,Enforce naming conventions and resource tagging for all Azure resources -Security,Use CDN to optimize delivery performance to users and obfuscate hosting platform from users/clients,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#internet-edge-traffic,Low,Networking & Connectivity,Endpoints,30,Use CDN to optimize delivery performance to users and obfuscate hosting platform from users/clients -Cost Optimization,Use RBAC to contol access to dashboards and data,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs#provide-the-right-level-of-cost-access,High,Health Modeling & Monitoring,Dashboarding,90,"Are the dashboards openly available in your organization or do you limit access based on roles etc.? For example: developers usually don't need to know the overall cost of Azure for the company, but it might be good for them to be able to watch a particular workload." -Cost Optimization,Learn if there are any discounts available for the services already in use,https://azure.microsoft.com/en-us/pricing/,High,Governance,Licensing,90,When alternative cost options are considered it should be understood first if any special offers or deals are given for the existing SKUs to verify that the correct prices are being used to build a business case. 
-Cost Optimization,Consider reserved capacity for Storage,https://docs.microsoft.com/azure/storage/blobs/storage-blob-reserved-capacity,High,Capacity & Service Availability Planning,Efficiency,90,Azure Storage reserved capacity can significantly reduce your capacity costs for block blobs and Azure Data Lake Storage Gen2 data. You can purchase Azure Storage reserved capacity in units of 100 TiB and 1 PiB per month for a one-year or three-year term -Cost Optimization,Look for Public IPs and orphaned NICs,https://docs.microsoft.com/azure/virtual-machines/linux/find-unattached-nics,High,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,90,"When you delete a VM, some of the resources such as NICs or Managed Disks are not deleted by default. It is recommended to delete those resources if they are no longer needed." -Cost Optimization,Understand the Azure services used and cost implications,https://docs.microsoft.com/azure/architecture/framework/cost/design-initial-estimate,High,Application Design,Application Composition,90,"It is important to understand what Azure services, such as App Services and Event Hubs, are used by the application platform to host both application code and data. In a discussion around cost, this can drive decisions towards the right replacements (e.g. moving from Virtual Machines to containers to increase efficiency, or migrating to .NET Core to use cheaper SKUs etc.)." -Cost Optimization,Define a capacity model,https://docs.microsoft.com/azure/architecture/framework/scalability/capacity,High,Application Design,Scalability & Capacity Model,90,Right sizing your infrastructure to meet the needs of your applications can save you considerably as opposed to a 'one size fits all' solution often employed with on-premises hardware. Identify the needs of your application and choose the resources that best fit those needs. 
-Cost Optimization,Consider utilizing disk bursting,https://docs.microsoft.com/azure/virtual-machines/disk-bursting,High,Capacity & Service Availability Planning,Efficiency,90,"Azure offers the ability to boost disk storage IOPS and MB/s performance. Consider using disk bursting for some scenarios such as improve startup times, handle back jobs, traffic spikes." -Cost Optimization,Separate data and log disks,https://docs.microsoft.com/sql/relational-databases/policy-based-management/place-data-and-log-files-on-separate-drives?view=sql-server-ver15,High,Application Design,Design,90,"Placing both data and log files on the same device can cause contention for that device, resulting in poor performance. Placing the files on separate drives allows the I/O activity to occur at the same time for both the data and log files." -Cost Optimization,Organize data into access tiers,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/considerations/storage-options,High,Application Design,Application Composition,90,"Azure offers multiple products and services for different storage capabilities. Review the different options available and decide which one is better for your workload. After you identify the Storage resources that best match your requirements, use the detailed documentation available to familiarize yourself with these services." -Cost Optimization,Differentiate between production and non-production configuration,https://docs.microsoft.com/azure/architecture/framework/cost/design-resources#subscription-and-offer-type,High,Application Design,Design,90,Azure usage rates and billing periods can vary depending on the subscription and offer type. Some subscription types also include usage allowances or lower prices. 
-Cost Optimization,Enforce naming conventions and resource tagging for all Azure resources,https://docs.microsoft.com/azure/architecture/framework/cost/design-governance#enforce-resource-tagging,High,Governance,Standards,90,Use tags on resources and resource groups to track the incurred costs. Identify the service meters that can't be tagged or viewed in the cost analysis tool in Azure portal. -Cost Optimization,Define performance requirements,https://docs.microsoft.com/azure/architecture/framework/cost/tradeoffs#cost-versus-performance-efficiency,High,Capacity & Service Availability Planning,Efficiency,90,"As you design the workload, identify the ideal ratio between cost and performance. Analyze and compare factors such as fixed or consumption-based resources, compare prices between different regions and understand if the performance of the application will be degraded if the resource is deployed in a regions that is cheaper." -Cost Optimization,Select the right operating system,https://docs.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree,High,Capacity & Service Availability Planning,Efficiency,90,"Analyze the technology stack and identify which workloads are capable of running on Linux and which require Windows. Linux-based VMs and App Services are significantly cheaper, but require the app to run on supported stack (.NET Core, Node.js etc.).Select the right operating system" -Cost Optimization,Revisit new Azure services,https://azure.microsoft.com/en-us/updates/,High,Governance,Financial Management & Cost Models,90,"Consider revisiting new Azure Services in a regular basis, as it can help you understanding if there is a newer SKU for a particular service that could be a better fit for this application. 
" -Cost Optimization,Cleanup Storage regularly,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-checklist,High,Governance,Financial Management & Cost Models,90,Review your storage account to understand if there is any piece of data that can be deleted or moved to a different tier. -Cost Optimization,Use Azure Advisor,https://docs.microsoft.com/azure/advisor/advisor-cost-recommendations,High,Capacity & Service Availability Planning,Service SKU,90,"Azure Advisor helps to optimize and improve efficiency of the workload by identifying idle and under-utilized resources. It analyzes your configurations and usage telemetry and consolidates it into personalized, actionable recommendations to help you optimize your resources." -Cost Optimization,Delete or deallocate unused resources in test environments,https://azure.microsoft.com/en-us/solutions/dev-test/#overview,High,Deployment & Testing,Testing & Validation,90,Review you pre-production environment periodically and shutdown or remove unused resources. -Cost Optimization,Collect logs and metrics from Azure resources,https://docs.microsoft.com/azure/azure-monitor/platform/data-platform-logs,High,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,90,In order to successfully maintain the application it's important to 'turn the lights on' and have clear visibility of important metrics both in real-time and historically. -Cost Optimization,Shut down VM instances not in use,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-vm#shut-down-the-under-utilized-instances,High,Capacity & Service Availability Planning,Efficiency,90,Use the Start/stop VMs during off-hours a feature of virtual machines to minimize waste. 
-Cost Optimization,Consider the cost of data transfers and make sure cross-region peering is used efficiently,https://azure.microsoft.com/en-us/pricing/details/bandwidth/,High,Networking & Connectivity,Data flow,90,Moving data between regions can add additional cost - both on the storage layer or networking layer. It's worth reviewing if this cost is can be replaced via re-architecture or justified due to e.g. disaster recovery (DR). -Cost Optimization,Use ACM or other cost management tools,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reports,High,Health Modeling & Monitoring,Dashboarding,90,"In order to track spending an ACM tool can help with understanding how much is spent, where and when. This helps to make better decisions about how and if cost can be reduced." -Cost Optimization,Define a naming convention,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging,High,Governance,Standards,90,Using tags can help to manage resources and make it easier to find relevant items during operational procedures. -Cost Optimization,Consider reserved instances,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-vm#reserved-vms,High,Application Design,Design,90,"Azure Reservations help you save money by committing to one-year or three-year plans for multiple products. Committing allows you to get a discount on the resources you use. Reservations can significantly reduce your resource costs by up to 72% from pay-as-you-go prices. " -Cost Optimization,Define and monitor targets for scale operations,https://docs.microsoft.com/azure/azure-monitor/vm/vminsights-performance,High,Capacity & Service Availability Planning,Efficiency,90,Use Azure monitor to analyze the usage of the resources. 
-Cost Optimization,Design the workload to scale independently,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-autoscale,High,Capacity & Service Availability Planning,Efficiency,90,"For certain application, capacity requirements may swing over time. Autoscaling policies allow for less error-prone operations and cost savings through robust automation. Choose smaller instances where workload is highly variable and scale out to get the desired level of performance, rather than up." -Cost Optimization,Configure auto-scale policies for your workload (both in and out),https://docs.microsoft.com/azure/architecture/framework/cost/optimize-autoscale,High,Application Design,Application Composition,90,Deliberate selection of resources and sizing is important to maintain efficiency and optimal cost. -Cost Optimization,Understand the cost implications of multi-region deployment,https://docs.microsoft.com/azure/architecture/framework/cost/design-regions#traffic-across-billing-zones-and-regions,High,Application Design,Design,90,"Consider how important is the application to justify the cost of having resources cross zones and/or cross regions. For non-mission critical applications such as, developer or test, consider keeping the solution and its dependencies in a single region or single zone to leverage the advantages of choosing the lower-cost region." -Cost Optimization,Understand the operational capabilities of Azure services,https://docs.microsoft.com/azure/architecture/framework/cost/design-paas,Medium,Application Design,Application Composition,50,"Operational capabilities, such as auto-scale and auto-heal for App Services, can reduce management overheads, support operational effectiveness and reduce cost." 
-Cost Optimization,Utilize the PaaS pay-as-you-go consumption model where relevant,https://docs.microsoft.com/azure/architecture/framework/cost/design-price,Medium,Operational Procedures,Operational Lifecycles,50,"To bring down cost the goal should be to get as many applications to only consume resources when they are used, this goes as an evolution from IaaS to PaaS to serverless where you only pay when a service I triggered. The PaaS and serverless might appear more expensive, but risk and other operational work is transferred to the cloud provider which should also be factored in as part of the cost (e.g. patching, monitoring, licenses)." -Cost Optimization,Leverage the hybrid use benefit,https://azure.microsoft.com/en-us/pricing/hybrid-benefit/,Medium,Governance,Licensing,50,Understanding your current spending on licenses can help you drive down cost in the cloud. A-HUB allows you to reuse licenses that you purchased for on-premises in Azure and via this drive down the cost as the license is already paid. -Cost Optimization,Assign a budget and spend limit to the workload,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-alert,Medium,Governance,Financial Management & Cost Models,50,For cost management it is recommended to have a budget even for the smallest services operated as that allows to track and understand the flow of the spend and also understand the impact of a smaller service in a bigger picture. -Cost Optimization,Establish a cost owner for each service used by the workload,https://azure.microsoft.com/en-us/blog/how-to-optimize-your-azure-workload-costs-2/,Medium,Governance,Financial Management & Cost Models,50,Every service should have a cost owner that is tracking and is responsible for cost. This drives responsibility and awareness on who owns the cost tracking. 
-Cost Optimization,Use cost forecasting for budget alignment,https://docs.microsoft.com/azure/cost-management-billing/costs/quick-acm-cost-analysis?tabs=azure-portal,Medium,Governance,Financial Management & Cost Models,50,In order to predict costs and trends it's recommended to use forecasting to be proactive for any spending that might be going up due to higher demand than anticipated. -Cost Optimization,Define end-date for each environment,https://azure.microsoft.com/en-us/services/cost-management/,Medium,Operational Procedures,Operational Lifecycles,50,If your workload or environment isn't needed then you should be able to decommission it. The same should occur if you are introducing a new service or new feature. -Cost Optimization,Understand how the budget is defined,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-alert#revise-budgets,Medium,Governance,Culture & Dynamics,50,"It is important to have a clear understanding how an IT budget is defined. This is especially true for applications that are not built in-house, where IT budget has to be factored in as part of the delivery." -Cost Optimization,Review Azure Advisor recommendations periodically,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reports#advisor-recommendations,Medium,Capacity & Service Availability Planning,Service SKU,50,"Your underutilized resources need to be reviewed often in order to be identified and dealt with accordingly, in addition to ensuring that your actionable recommendations are up-to-date and fully optimized. For example, Azure Advisor monitors your virtual machine (VM) usage for 7 days and then identifies low-utilization VMs." 
-Cost Optimization,Consider selective backups for VMs,https://docs.microsoft.com/azure/backup/selective-disk-backup-restore,Medium,Application Design,Design,50,"Azure Backup supports the use of the Selective Disks backup and restore functionally which allows you to back up a subset of data disks in a VM, which is an efficient and cost-effective way to backup your application." -Cost Optimization,Set up alerts for cost limits and thresholds,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-alert#respond-to-alerts,Medium,Health Modeling & Monitoring,Alerting,50,"This is to ensure that if any budget is close to threshold, the cost owner gets notified to take appropriate actions on the change." -Cost Optimization,Define clear responsibilities for alerts,https://docs.microsoft.com/azure/architecture/framework/cost/design-model#organization-structure,Medium,Health Modeling & Monitoring,Alerting,50,Ensure the correct people responsible for the application is alerted when there is any problem with the resource. -Cost Optimization,Understand cost implications of availability strategy,https://docs.microsoft.com/azure/architecture/framework/cost/tradeoffs,Medium,Application Design,Design,50,"As you design the workload, consider tradeoffs between cost optimization and other aspects of the design, such as security, scalability, resilience, and operability. Ask questions such as if the cost of high availability components exceeds the cost of the application downtime to the business and design your application accordingly." -Cost Optimization,Understand the cost implications of Availability Zones,https://azure.microsoft.com/en-us/global-infrastructure/availability-zones/,Medium,Application Design,Design,50,"Availability Zones can be used to optimize application availability within a region by providing datacenter level fault tolerance. However, the application architecture must not share dependencies between zones to use them effectively. 
It is also important to note that Availability Zones may introduce performance and cost considerations for applications which are extremely 'chatty' across zones given the implied physical separation between each zone and inter-zone bandwidth charges. That also means that AZ can be considered to get higher Service Level Agreement (SLA) for lower cost. Be aware of pricing changes coming to Availability Zone bandwidth starting February 2021." -Cost Optimization,Choose appropriate region for workload deployments,https://docs.microsoft.com/azure/architecture/framework/cost/design-checklist#architecture,Medium,Application Design,Design,50,"Check your egress and ingress cost, within regions and across regions. Only deploy to multiple regions if your service levels require it for either availability or geo-distribution." -Cost Optimization,Have ongoing conversation between app owner and business,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reviews,Medium,Governance,Culture & Dynamics,50,"Is what's delivered from IT and what the business is expecting from IT, mapped to the cost of the application?" -Cost Optimization,Map application dependencies,https://docs.microsoft.com/azure/azure-monitor/app/app-map?tabs=net,Medium,Application Design,Dependencies,50,"Examples of typical dependencies include platform dependencies outside the remit of the application, such as Azure Active Directory, Express Route, or a central NVA (Network Virtual Appliance), as well as application dependencies such as APIs which may be in-house or externally owned by a third-party. For cost it's important to understand the price for these services and how they are being charged, this makes it easier to understanding an all-up cost. For more details see cost models." 
-Cost Optimization,The entire end-to-end CI/CD deployment process should be understood,https://azure.microsoft.com/en-us/pricing/details/devops/azure-devops-services/,Medium,Deployment & Testing,Application Code Deployments,50," " -Cost Optimization,Define critical system flows,https://docs.microsoft.com/azure/architecture/framework/resiliency/business-metrics#identify-critical-system-flows,Medium,Application Design,Key Scenarios,50,"Understanding critical system flows is vital to assessing overall operational effectiveness, and should be used to inform a health model for the application. It can also tell if areas of the application are over or under-utilized and should be adjusted to better meet business needs and cost goals." -Cost Optimization,Consider Platform as a service (PaaS) options,https://docs.microsoft.com/azure/architecture/framework/cost/provision-compute#use-paas-as-an-alternative-to-buying-vms,Medium,Application Design,Design,50,"Consider modernizing your application to use PaaS. When you use the IaaS model, you do have final control over the VMs. It may appear to be a cheaper option at first, but when you add operational and maintenance costs, the cost increases. When you use the PaaS model, these extra costs are included in the pricing. In some cases, this means that PaaS services can be a cheaper than managing VMs on your own. " -Cost Optimization,Associate cost to the criticality of the business,https://docs.microsoft.com/azure/architecture/framework/cost/design-governance#enforce-resource-tagging,Medium,Governance,Culture & Dynamics,50,Applications that are less critical to the business could use a smaller budget. -Cost Optimization,Explore where technical delivery capabilities reside,https://docs.microsoft.com/azure/architecture/framework/cost/design-model#organization-structure,Medium,Operational Model & DevOps,Roles & Responsibilities,50,Map the organization's needs to logical groupings offered by cloud services. 
This way the business leaders of the company get a clear view of the cloud services and how they're controlled. -Cost Optimization,Monitor utilization of compute resources,https://docs.microsoft.com/azure/azure-monitor/essentials/metrics-charts,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Use Azure monitor to analyze the usage of the resources. -Cost Optimization,Consider using reserved Premium disks,https://docs.microsoft.com/azure/virtual-machines/disks-reserved-capacity,Medium,Capacity & Service Availability Planning,Efficiency,50,"Azure Disk Storage reservations are available only for select Azure premium SSD SKUs. The SKU of a premium SSD determines the disk's size and performance. A disk reservation is made per disk SKU. As a result, the reservation consumption is based on the unit of the disk SKUs instead of the provided size. Make sure you track the usage in disk SKUs instead of provisioned or used disk capacity." -Cost Optimization,Consider using shared disks for suitable workloads,https://docs.microsoft.com/azure/virtual-machines/disks-shared,Medium,Capacity & Service Availability Planning,Efficiency,50,"Shared managed disks offer shared block storage that can be accessed from multiple VMs, these are exposed as logical unit numbers (LUNs). LUNs are then presented to an initiator (VM) from a target (disk). These LUNs look like direct-attached-storage (DAS) or a local drive to the VM." -Cost Optimization,Define a clear price model for individual services,https://docs.microsoft.com/azure/architecture/framework/cost/design-price,Medium,Capacity & Service Availability Planning,Efficiency,50,As part of driving a good behavior it's important that the consumer has understood why they are paying the price for a service and also that the cost is transparent and fair to the user of the service or else it can drive wrong behavior. 
-Cost Optimization,Consider using Service Endpoints and Private Link,https://docs.microsoft.com/azure/private-link/private-endpoint-overview,Medium,Security & Compliance,Network Security,50,"Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints from only authorized virtual networks, effectively mitigating data intrusion risks and associated impact to application availability. Service Endpoints provide service level access to a PaaS service, while Private Link provides direct access to a specific PaaS resource to mitigate data exfiltration risks (e.g. malicious admin scenarios)." -Cost Optimization,Consider B-series VMs,https://docs.microsoft.com/azure/virtual-machines/sizes-b-series-burstable,Medium,Capacity & Service Availability Planning,Efficiency,50,"The B-series provides you with the ability to purchase a VM size with baseline performance that can build up credits when it is using less than its baseline. These types of VMs are ideal for workloads that do not need the full performance of the CPU continuously, like web servers, proof of concepts, small databases and development build environments. " -Cost Optimization,Consider spot VMs,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-vm#spot-vms,Medium,Capacity & Service Availability Planning,Efficiency,50,"Spot VMs are ideal for workloads that can be interrupted, such as highly parallel batch processing jobs. These VMs take advantage of the surplus capacity in Azure at a lower cost. They're also well suited for experimental, development, and testing of large-scale solutions." -Cost Optimization,Pause AKS clusters,https://docs.microsoft.com/azure/aks/start-stop-cluster,Medium,Capacity & Service Availability Planning,Efficiency,50,"To optimize your costs when AKS workloads may not need to run continuously, you can completely turn off (stop) your cluster. 
This action will stop your control plane and agent nodes altogether, allowing you to save on all the compute costs, while maintaining all your objects and cluster state stored for when you start it again. " -Cost Optimization,Use App Service Premium (v3) plan where possible,https://docs.microsoft.com/azure/app-service/app-service-configure-premium-tier,Medium,Application Design,Application Composition,50,Opportunity to save costs with upgrade and apply reservations. -Cost Optimization,Consider additional DDoS protection,https://azure.microsoft.com/services/ddos-protection/,Medium,Networking & Connectivity,Endpoints,50," Azure DDoS Protection Standard, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network." -Cost Optimization,Prefer Microsoft backbone for networking,https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/,Medium,Networking & Connectivity,Connectivity,50,Are you closer to your users or on-prem? If users are closer to the cloud you should use MSFT (i.e. egress traffic). MPLS is when another service provider gives you the line. -Cost Optimization,Understand cost implications of hub and spoke design,https://docs.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture,Medium,Networking & Connectivity,Data flow,50,Consider using a hub and spoke approach to save costs by using a managed service and removing the necessity of network virtual appliance. -Cost Optimization,Use data lifecycle policy,https://docs.microsoft.com/azure/storage/blobs/storage-lifecycle-management-concepts,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,"Azure storage offers different access tiers, allowing you to store blob object data in the most cost-effective manner. 
Available access tiers include: Hot (Optimized for storing data that is accessed frequently), Cool (Optimized for storing data that is infrequently accessed and stored for at least 30 days), and Archive (Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements, on the order of hours)." -Cost Optimization,Use cost modeling to identify opportunities for cost reduction,https://docs.microsoft.com/azure/architecture/framework/cost/design-model,Medium,Governance,Financial Management & Cost Models,50,"Estimate and track costs, educate the employees about the cloud and various pricing models, have appropriate governance about expenditure." -Cost Optimization,Set up a disaster recovery strategy that splits the application components and data into defined groups,https://docs.microsoft.com/azure/backup/guidance-best-practices,Medium,Application Design,Design,50,"Exclude disk provides an efficient and cost-effective choice to selectively back up critical data. For example, back up only one disk when you don't want to back up the rest of the disks attached to a VM. This is also useful when you have multiple backup solutions. For example, when you back up your databases or data with a workload backup solution (SQL Server database in Azure VM backup) and you want to use Azure VM level backup for selected disks." -Cost Optimization,Be aware of cross-region data transfer costs,https://docs.microsoft.com/azure/architecture/framework/cost/provision-networking#peering,Medium,Networking & Connectivity,Data flow,50,Moving data between regions can add additional cost - both on the storage layer or networking layer. It's worth reviewing if this cost is can be replaced via re-architecture or justified due to e.g. disaster recovery (DR). 
-Cost Optimization,Use developer SKUs for dev/test purposes,https://azure.microsoft.com/en-us/pricing/dev-test/,Low,Deployment & Testing,Testing & Validation,10,"Special SKUs and subscription offers for development and testing purposes can save costs, but have to be used properly. Dev SKUs are not meant for production deployments." -Cost Optimization,Consider the ratio of non-production to production environments,https://docs.microsoft.com/azure/architecture/framework/cost/design-resources#subscription-and-offer-type,Low,Deployment & Testing,Build Environments,10,Consider using appropriate subscriptions types for Dev workloads and ensure production workloads are deployed in the correct subscription. -Cost Optimization,Consider multi-tenant or microservices scenarios when running multiple applications,https://azure.microsoft.com/en-us/solutions/microservice-applications/,Low,Capacity & Service Availability Planning,Efficiency,10,"When running multiple applications (typically in multi-tenant or microservices scenarios) density can be increased by deploying them on shared infrastructure and utilizing it more. For example: Containerization and moving to Kubernetes (Azure Kubernetes Services) enables pod-based deployment which can utilize underlying nodes efficiently. Similar approach can be taken with App Service Plans. To prevent the 'noisy neighbor' situation, proper monitoring must be in place and performance analysis must be done (if possible)." -Cost Optimization,Understand cloud-native features and implement where possible,https://azure.microsoft.com/en-us/overview/cloudnative/,Low,Application Design,Design,10,Understanding if the application is cloud-native or not provides a very useful high-level indication about potential technical debt for operability and cost efficiency. 
-Cost Optimization,Develop a plan to modernize the workload,https://docs.microsoft.com/dotnet/architecture/serverless/,Low,Application Design,Design,10,"Is there a plan to change the execution model to Serverless? To move as far as you can up the stack towards cloud-native. When the workload is serverless, it's charged only for actual use, whereas with traditional infrastructure there are many underlying things that need to be factored into the price. By applying an end date to the application it encourages you to discuss the goal of re-designing the application to make even better use of the cloud. It might be more expensive from an Azure cost point of view but factoring in other things like licenses, people, time to deploy can drive down cost." -Cost Optimization,Be aware of cost implications of Web Application Firewall,https://azure.microsoft.com/pricing/details/web-application-firewall/,Low,Networking & Connectivity,Endpoints,10,"There are cost implications to using Front Door with Web Application Firewall enabled, but it can save costs compared to using a 3rd party solution. Front Door has a good latency, because it uses unicast. If only 1 or 2 regions are required, Application Gateway can be used. There are cost implications of having a WAF - you should check pricing of hours and GB/s." -Cost Optimization,Consider VM Zone to Zone DR,https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery,Low,Application Design,Design,10,Site Recovery does not move or store customer data out of the region in which it is deployed when the customer is using Zone to Zone Disaster Recovery. Note that the egress charges that you would see in zone to zone disaster recovery would be lower than region to region disaster recovery. 
-Cost Optimization,Be aware of extra cost when tunnelling traffic through on-premises,https://docs.microsoft.com/azure/firewall/forced-tunneling,Low,Networking & Connectivity,Data flow,10,Consider the extra cost related to data ingress and egress if your application requires to use forced tunneling. -Cost Optimization,Consider shared platforms,https://docs.microsoft.com/azure/architecture/framework/cost/design-paas,Low,Application Design,Design,10," " -Operational Excellence,Use Managed Identities for authentication to other Azure platform services,https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview,High,Operational Procedures,Configuration & Secrets Management,70,Use Managed Identities for authentication to other Azure platform services -Operational Excellence,Implement just-in-time privileged access management,https://docs.microsoft.com/azure/architecture/framework/security/critical-impact-accounts#no-standing-access--just-in-time-privileges,High,Operational Model & DevOps,Roles & Responsibilities,70,Implement just-in-time privileged access management -Operational Excellence,Store keys and secrets outside of application code in Azure Key Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#secrets,High,Operational Procedures,Configuration & Secrets Management,70,Store keys and secrets outside of application code in Azure Key Vault -Operational Excellence,Test your failover and failback process,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#operational-readiness-testing,High,Operational Procedures,Recovery & Failover,70,Test your failover and failback process -Operational Excellence,Implement procedures for key/secret rotation,https://docs.microsoft.com/azure/key-vault/secrets/tutorial-rotation-dual,High,Operational Procedures,Configuration & Secrets Management,70,Implement procedures for key/secret rotation -Operational Excellence,Make sure 
that failed tests at least temporarily block deployments,https://docs.microsoft.com/azure/architecture/framework/devops/release-engineering-ci#failed-tests,High,Deployment & Testing,Testing & Validation,70,Make sure that failed tests at least temporarily block deployments -Operational Excellence,Monitor the expiry of SSL certificates,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#SSL,High,Operational Procedures,Configuration & Secrets Management,70,Monitor the expiry of SSL certificates -Operational Excellence,Implement automated deployment process with rollback/roll-forward capabilities,https://docs.microsoft.com/azure/architecture/framework/devops/release-engineering-rollback,Medium,Deployment & Testing,Application Code Deployments,60,Implement automated deployment process with rollback/roll-forward capabilities -Operational Excellence,Configure appropriate log levels for environments,https://docs.microsoft.com/aspnet/core/fundamentals/logging/?view=aspnetcore-5.0,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Configure appropriate log levels for environments -Operational Excellence,Implement strategies for resiliency and self-healing,https://docs.microsoft.com/azure/architecture/framework/resiliency/app-design,Medium,Application Design,Design,50,Implement strategies for resiliency and self-healing -Operational Excellence,Understand the impact of dependencies,https://docs.microsoft.com/azure/architecture/framework/resiliency/design-resiliency#understand-the-impact-of-dependencies,Medium,Application Design,Dependencies,50,Understand the impact of dependencies -Operational Excellence,"Define, monitor, and measure availability targets",https://docs.microsoft.com/azure/architecture/best-practices/monitoring#requirements-for-sla-monitoring,Medium,Application Design,Targets & Non-Functional Requirements,50,"Define, monitor, and measure availability targets" -Operational Excellence,Collect application level 
logs,https://docs.microsoft.com/azure/architecture/framework/devops/monitoring#application-monitoring,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Collect application level logs -Operational Excellence,Instrument your workload,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#instrumenting-an-application,Medium,Health Modeling & Monitoring,Monitoring and Measurement,50,Instrument your workload -Operational Excellence,Setup black-box monitoring to monitor the platform and customer experience,https://docs.microsoft.com/azure/architecture/framework/resiliency/monitor-model#white-box-and-black-box-monitoring,Medium,Health Modeling & Monitoring,Monitoring and Measurement,50,Setup black-box monitoring to monitor the platform and customer experience -Operational Excellence,Analyze health data for your workload,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#analyzing-health-data,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Analyze health data for your workload -Operational Excellence,Correlate application log events,https://docs.microsoft.com/azure/architecture/framework/devops/monitoring#event-correlation,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Correlate application log events -Operational Excellence,Codify the process to provision and de-provision capacity,https://docs.microsoft.com/azure/architecture/framework/scalability/capacity#automated-scale-operations,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Codify the process to provision and de-provision capacity -Operational Excellence,Use a log aggregation technology,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#collecting-and-storing-data,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,Use a log aggregation technology -Operational Excellence,Collect Azure activity logs in your aggregation 
tool,https://docs.microsoft.com/azure/azure-monitor/platform/activity-log,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,Collect Azure activity logs in your aggregation tool -Operational Excellence,Gather logs in a structured format,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#information-to-include-in-the-instrumentation-data,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Gather logs in a structured format -Operational Excellence,Correlate resource-level logs,https://docs.microsoft.com/azure/architecture/framework/devops/monitoring#event-correlation,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Correlate resource-level logs -Operational Excellence,Use the health model to classify failover situations,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#failover-classification,Medium,Operational Procedures,Recovery & Failover,50,Use the health model to classify failover situations -Operational Excellence,Document critical manual processes,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#manual-responses,Medium,Operational Procedures,Recovery & Failover,50,Document critical manual processes -Operational Excellence,Automate recovery procedures,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#recovery-automation,Medium,Operational Procedures,Recovery & Failover,50,Automate recovery procedures -Operational Excellence,Enforce resource level monitoring,https://docs.microsoft.com/azure/azure-monitor/deploy-scale,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,Enforce resource level monitoring -Operational Excellence,Create Azure Resource Health alerts,https://docs.microsoft.com/azure/service-health/resource-health-alert-monitor-guide,Medium,Health Modeling & Monitoring,Alerting,50,Create Azure Resource Health alerts 
-Operational Excellence,Enable Service Health alerts on your workload,https://docs.microsoft.com/azure/service-health/overview,Medium,Health Modeling & Monitoring,Alerting,50,Enable Service Health alerts on your workload -Operational Excellence,Integrate Alerting into an existing systems,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-integrations,Medium,Health Modeling & Monitoring,Alerting,50,Integrate Alerting into an existing systems -Operational Excellence,Send reliable alert notifications,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-response,Medium,Health Modeling & Monitoring,Alerting,50,Send reliable alert notifications -Operational Excellence,"Define standards, policies and best practices as code",https://docs.microsoft.com/azure/governance/policy/concepts/definition-structure,Medium,Governance,Standards,50,"Define standards, policies and best practices as code" -Operational Excellence,Prioritize operational events,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-prioritization,Medium,Health Modeling & Monitoring,Alerting,50,Prioritize operational events -Operational Excellence,Define a process for alert reaction,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-owners,Medium,Health Modeling & Monitoring,Alerting,50,Define a process for alert reaction -Operational Excellence,Use automated alerting solution,https://docs.microsoft.com/azure/architecture/framework/devops/alerts,Medium,Health Modeling & Monitoring,Alerting,50,Use automated alerting solution -Operational Excellence,Tailor dashboards to your needs,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-dashboarding,Medium,Health Modeling & Monitoring,Dashboarding,50,Tailor dashboards to your needs -Operational Excellence,Implement tools to visualize application 
health,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#visualization-by-using-dashboards,Medium,Health Modeling & Monitoring,Dashboarding,50,Implement tools to visualize application health -Operational Excellence,Analyze long-term trends to predict operational issues before they occur,https://docs.microsoft.com/azure/architecture/framework/scalability/monitor#data-interpretation--health-modeling,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Analyze long-term trends to predict operational issues before they occur -Operational Excellence,Implement a health model,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#health-monitoring,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Implement a health model -Operational Excellence,Correlate logs and metrics for critical internal dependencies,https://docs.microsoft.com/azure/architecture/framework/devops/monitoring#event-correlation,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Correlate logs and metrics for critical internal dependencies -Operational Excellence,Instrument the workload to monitor customer experience,https://docs.microsoft.com/azure/azure-monitor/app/web-monitor-performance,Medium,Health Modeling & Monitoring,Monitoring and Measurement,50,Instrument the workload to monitor customer experience -Operational Excellence,Make sure that operational shortcomings and failures are analyzed and used to improve and refine operational procedures,https://docs.microsoft.com/azure/architecture/framework/devops/principles#lifecycles,Medium,Operational Procedures,Operational Lifecycles,50,Make sure that operational shortcomings and failures are analyzed and used to improve and refine operational procedures -Operational Excellence,Define a hotfix process in case normal deployment procedures needs to be 
bypassed,https://docs.microsoft.com/azure/architecture/framework/devops/automation-infrastructure#hotfix-process,Medium,Deployment & Testing,Application Code Deployments,50,Define a hotfix process in case normal deployment procedures needs to be bypassed -Operational Excellence,Document all portions of the deployment that require manual intervention,https://docs.microsoft.com/azure/architecture/framework/devops/automation-infrastructure#manual-deployment,Medium,Deployment & Testing,Application Code Deployments,50,Document all portions of the deployment that require manual intervention -Operational Excellence,Reduce the need for manual operations,https://docs.microsoft.com/azure/architecture/framework/devops/deployment#automate-as-many-processes-as-possible,Medium,Deployment & Testing,Application Code Deployments,50,Reduce the need for manual operations -Operational Excellence,Deploy your workload in an active-passive configuration,https://docs.microsoft.com/azure/networking/disaster-recovery-dns-traffic-manager#manual-failover-using-azure-dns,Medium,Application Design,Design,50,Deploy your workload in an active-passive configuration -Operational Excellence,Use shared application and data services where appropriate,https://docs.microsoft.com/azure/cloud-adoption-framework/manage/considerations/platform#establish-a-service-catalog,Medium,Application Design,Application Composition,50,Use shared application and data services where appropriate -Operational Excellence,Use deployment strategies to deploy your workloads,https://docs.microsoft.com/azure/architecture/framework/devops/deployment#stage-your-workloads,Medium,Deployment & Testing,Application Code Deployments,50,Use deployment strategies to deploy your workloads -Operational Excellence,Make sure that configuration settings can be changed or modified without rebuilding or redeploying the 
application,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#config-change,Medium,Operational Procedures,Configuration & Secrets Management,50,Make sure that configuration settings can be changed or modified without rebuilding or redeploying the application -Operational Excellence,Use tools to govern services and configurations,https://docs.microsoft.com/azure/azure-monitor/deploy-scale,Medium,Governance,Standards,50,Use tools to govern services and configurations -Operational Excellence,Enable Key Vault Soft-Delete,https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview,Medium,Operational Procedures,Configuration & Secrets Management,50,Enable Key Vault Soft-Delete -Operational Excellence,Implement release gates,https://docs.microsoft.com/azure/architecture/framework/devops/deployment#implement-deployment-security-measures,Medium,Deployment & Testing,Build Environments,50,Implement release gates -Operational Excellence,"Define all infrastructure components as code ",https://docs.microsoft.com/azure/architecture/framework/devops/automation-infrastructure,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,"Define all infrastructure components as code " -Operational Excellence,Compare regional capacity requirements to availability,https://azure.microsoft.com/en-us/global-infrastructure/services/,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Compare regional capacity requirements to availability -Operational Excellence,Monitor critical external dependencies,https://docs.microsoft.com/azure/architecture/framework/devops/monitoring#monitor-external-dependencies,Medium,Health Modeling & Monitoring,Dependencies,50,Monitor critical external dependencies -Operational Excellence,Make sure that specific methodologies are used to structure the deployment and operations 
process,https://docs.microsoft.com/azure/architecture/framework/devops/principles#methodologies,Medium,Operational Model & DevOps,General,50,Make sure that specific methodologies are used to structure the deployment and operations process -Operational Excellence,Implement a process between dev and ops to resolve production issues,https://docs.microsoft.com/azure/architecture/framework/devops/principles#roles,Medium,Operational Model & DevOps,Roles & Responsibilities,50,Implement a process between dev and ops to resolve production issues -Operational Excellence,Perform business continuity drills,https://docs.microsoft.com/azure/architecture/framework/devops/testing#business-continuity-drills,Medium,Deployment & Testing,Testing & Validation,50,Perform business continuity drills -Operational Excellence,Test and validate manual operation runbooks,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#automated-recovery-testing,Medium,Operational Procedures,Recovery & Failover,50,Test and validate manual operation runbooks -Operational Excellence,Consider storing application configuration in a dedicated management system like Azure App Configuration or Azure Key Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#key-points,Medium,Operational Procedures,Configuration & Secrets Management,50,Consider storing application configuration in a dedicated management system like Azure App Configuration or Azure Key Vault -Operational Excellence,Understand the impact of changes in application health and capacity,https://docs.microsoft.com/azure/architecture/framework/scalability/capacity#application-health-and-capacity,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Understand the impact of changes in application health and capacity -Operational Excellence,Perform smoke 
tests,https://docs.microsoft.com/azure/architecture/framework/devops/testing#smoke-testing,Medium,Deployment & Testing,Testing & Validation,50,Perform smoke tests -Operational Excellence,Track and address configuration drift,https://docs.microsoft.com/azure/architecture/framework/devops/automation-configuration#configuration-management,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,Track and address configuration drift -Operational Excellence,Perform security and penetration testing regularly,https://docs.microsoft.com/azure/architecture/framework/security/monitor-test#penetration-testing-pentesting,Medium,Deployment & Testing,Testing & Validation,50,Perform security and penetration testing regularly -Operational Excellence,Make sure that critical test environments have 1:1 parity with productions,https://docs.microsoft.com/azure/architecture/framework/devops/release-engineering-cd#test-environments,Medium,Deployment & Testing,Build Environments,50,Make sure that critical test environments have 1:1 parity with productions -Operational Excellence,Automate infrastructure deployment process,https://docs.microsoft.com/azure/architecture/framework/devops/automation-configuration,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,Automate infrastructure deployment process -Operational Excellence,"Test for performance, scalability, and resiliency",https://docs.microsoft.com/azure/architecture/framework/devops/release-engineering-ci#continuous-integration,Medium,Deployment & Testing,Testing & Validation,50,"Test for performance, scalability, and resiliency" -Operational Excellence,Perform some tests in production,https://docs.microsoft.com/azure/devops/learn/devops-at-microsoft/shift-right-test-production,Medium,Deployment & Testing,Testing & Validation,50,Perform some tests in production -Operational Excellence,Perform integration 
testing,https://docs.microsoft.com/azure/architecture/framework/devops/testing#integration-testing,Medium,Deployment & Testing,Testing & Validation,50,Perform integration testing -Operational Excellence,Use a systematic approach in your development and release process,https://azure.microsoft.com/en-us/overview/what-is-devops/,Medium,Deployment & Testing,Application Code Deployments,50,Use a systematic approach in your development and release process -Operational Excellence,Make sure that all tests are automated and carried out periodically,https://docs.microsoft.com/azure/architecture/framework/devops/release-engineering-testing#automated-testing,Medium,Deployment & Testing,Testing & Validation,50,Make sure that all tests are automated and carried out periodically -Operational Excellence,Deploy all infrastructure through an infrastructure-as-code process,https://docs.microsoft.com/azure/architecture/framework/devops/automation-infrastructure#why-deploy-infrastructure-with-code,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,Deploy all infrastructure through an infrastructure-as-code process -Operational Excellence,Use Azure Resource Tags to enrich resources with operational meta-data,https://docs.microsoft.com/azure/architecture/framework/devops/principles#metadata,Low,Governance,Standards,30,Use Azure Resource Tags to enrich resources with operational meta-data -Operational Excellence,Use Platform as a Service offerings where appropriate,https://docs.microsoft.com/azure/architecture/guide/design-principles/managed-services,Low,Application Design,Design,30,Use Platform as a Service offerings where appropriate -Operational Excellence,Use feature flags,https://docs.microsoft.com/azure/devops/migrate/phase-features-with-feature-flags,Low,Deployment & Testing,Build Environments,30,Use feature flags -Operational Excellence,Take advantage of multiple subscriptions where 
appropriate,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions#azure-management-groups,Low,Application Design,Design,30,Take advantage of multiple subscriptions where appropriate -Operational Excellence,Identify if there are components with more relaxed performance requirements,https://docs.microsoft.com/azure/architecture/framework/resiliency/business-metrics#identify-less-critical-components,Low,Application Design,Key Scenarios,20,Identify if there are components with more relaxed performance requirements -Operational Excellence,Monitor for new features and updates that can improve your workload,https://azure.microsoft.com/updates/,Low,Application Design,Application Composition,20,Monitor for new features and updates that can improve your workload -Performance Efficiency,Determine and document what acceptable performance is,https://docs.microsoft.com/azure/architecture/framework/scalability/performance-efficiency,High,Application Design,Targets & Non-Functional Requirements,70,Determine and document what acceptable performance is -Performance Efficiency,The health model can determine if a fault is transient,https://docs.microsoft.com/azure/architecture/best-practices/transient-faults,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,59,The health model can determine if a fault is transient -Performance Efficiency,Choose the right database to match usage,https://docs.microsoft.com/azure/architecture/framework/Scalability/app-design#choosing-the-right-database,Medium,Application Design,Design,50,Choose the right database to match usage -Performance Efficiency,Use microservices when possible,https://docs.microsoft.com/azure/architecture/framework/Scalability/app-design#microservices,Medium,Application Design,Design,50,Use microservices when possible -Performance Efficiency,Identify sensible non-functional 
requirements,https://docs.microsoft.com/azure/architecture/performance/#general-best-practices,Medium,Application Design,Targets & Non-Functional Requirements,50,Identify sensible non-functional requirements -Performance Efficiency,Monitor how long it takes to scale against your targets,https://docs.microsoft.com,Medium,Application Performance Management,Elasticity,50,Monitor how long it takes to scale against your targets -Performance Efficiency,Leverage autoscaling to scale in and out as load varies,https://docs.microsoft.com/azure/architecture/best-practices/auto-scaling,Medium,Application Performance Management,Elasticity,50,Leverage autoscaling to scale in and out as load varies -Performance Efficiency,Choose metrics appropriately for your scaling policies,https://docs.microsoft.com/azure/architecture/framework/Scalability/capacity#choosing-metrics-for-scaling-policies,Medium,Application Performance Management,Elasticity,50,Choose metrics appropriately for your scaling policies -Performance Efficiency,Preemptively scale based on trends,https://docs.microsoft.com/azure/architecture/framework/Scalability/capacity#preemptively-scaling-based-on-trends,Medium,Application Performance Management,Elasticity,50,Preemptively scale based on trends -Performance Efficiency,Know how long it takes to respond to scaling events,https://docs.microsoft.com/azure/architecture/framework/Scalability/load-testing#responding-quickly-to-additional-load,Medium,Application Performance Management,Elasticity,50,Know how long it takes to respond to scaling events -Performance Efficiency,Build a capacity model for your workload,https://docs.microsoft.com/azure/architecture/framework/scalability/design-capacity,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Build a capacity model for your workload -Performance Efficiency,Optimize your database 
queries,https://docs.microsoft.com/azure/architecture/performance/backend-services#step-4-optimize-the-query,Medium,Performance Testing,Benchmarking,50,Optimize your database queries -Performance Efficiency,Learn how to use network capturing tools,https://docs.microsoft.com/azure/virtual-network/virtual-network-tap-overview#virtual-network-tap-partner-solutions,Medium,Performance Testing,Troubleshooting,50,Learn how to use network capturing tools -Performance Efficiency,Optimize your resource choices,https://docs.microsoft.com/azure/architecture/framework/Scalability/capacity#choosing-the-right-resources,Medium,Capacity & Service Availability Planning,Service SKU,50,Optimize your resource choices -Performance Efficiency,Offload SSL traffic by using the gateway offloading pattern,https://docs.microsoft.com/azure/architecture/patterns/gateway-offloading,Medium,Networking & Connectivity,Endpoints,50,Offload SSL traffic by using the gateway offloading pattern -Performance Efficiency,Understand your performance bottlenecks around latency and throughput,https://docs.microsoft.com/azure/architecture/framework/Scalability/performance#performance-bottlenecks,Medium,Application Performance Management,Data Latency and Throughput,50,Understand your performance bottlenecks around latency and throughput -Performance Efficiency,Test and validate your defined latency and throughput targets,https://docs.microsoft.com/azure/networking/azure-network-latency,Medium,Application Performance Management,Data Latency and Throughput,50,Test and validate your defined latency and throughput targets -Performance Efficiency,Consider using proximity placement groups for components that are very sensitive to network latency,https://docs.microsoft.com/azure/virtual-machines/windows/co-location#proximity-placement-groups,Medium,Application Performance Management,Data Latency and Throughput,50,Consider using proximity placement groups for components that are very sensitive to network latency 
-Performance Efficiency,Acquire dedicated networking resources as required,https://docs.microsoft.com/azure/expressroute/expressroute-introduction,Medium,Application Performance Management,Network Throughput and Latency,50,Acquire dedicated networking resources as required -Performance Efficiency,Design for eventual consistency,https://docs.microsoft.com/azure/cosmos-db/consistency-levels,Medium,Data Platform Availability,Consistency,50,Design for eventual consistency -Performance Efficiency,Evaluate service limits and quotas to ensure they can support future growth,https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Evaluate service limits and quotas to ensure they can support future growth -Performance Efficiency,Deploy to paired regions,https://docs.microsoft.com/azure/best-practices-availability-paired-regions,Medium,Application Design,Design,50,Deploy to paired regions -Performance Efficiency,Plan for the growth of your data over time,https://docs.microsoft.com/azure/architecture/framework/scalability/design-scale#plan-for-growth,Medium,Application Performance Management,Data Size/Growth,50,Plan for the growth of your data over time -Performance Efficiency,Monitor capacity utilization to forecast future growth,https://docs.microsoft.com/azure/architecture/framework/scalability/design-capacity#use-metrics-to-fine-tune-scaling,Medium,Capacity & Service Availability Planning,Scalability & Capacity Model,50,Monitor capacity utilization to forecast future growth -Performance Efficiency,Identify human and environmental resources needed to create performance tests,https://docs.microsoft.com/azure/architecture/framework/scalability/tradeoffs#performance-efficiency-vs-operational-excellence,Medium,Performance Testing,Tools & Planning,50,Identify human and environmental resources needed to create performance tests -Performance Efficiency,Use 
appropriate performance testing tools,https://docs.microsoft.com/azure/architecture/framework/scalability/performance-test,Medium,Performance Testing,Tools & Planning,50,Use appropriate performance testing tools -Performance Efficiency,Define a testing strategy,https://docs.microsoft.com/azure/architecture/framework/scalability/test-checklist#performance-testing,Medium,Deployment & Testing,Testing & Validation,50,Define a testing strategy -Performance Efficiency,Identify baseline performance targets and goals,https://docs.microsoft.com/azure/architecture/framework/scalability/test-tools#identify-baselines-and-goals-for-performance,Medium,Application Design,Targets & Non-Functional Requirements,50,Identify baseline performance targets and goals -Performance Efficiency,Aggregate application and resource logs,https://docs.microsoft.com/azure/azure-monitor/logs/cross-workspace-query,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Aggregate application and resource logs -Performance Efficiency,Use critical system flows in the health model,https://docs.microsoft.com/azure/architecture/framework/resiliency/monitor-model#application-logs,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Use critical system flows in the health model -Performance Efficiency,Configure retention times for logs and metrics,https://docs.microsoft.com/azure/architecture/framework/scalability/monitor#data-interpretation--health-modeling,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Configure retention times for logs and metrics -Performance Efficiency,Analyze long-term trends to predict performance issues,https://docs.microsoft.com/azure/architecture/framework/scalability/monitor#data-interpretation--health-modeling,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Analyze long-term trends to predict performance issues -Performance Efficiency,Use application profiling 
tools,https://docs.microsoft.com/visualstudio/profiling/profiling-feature-tour?view=vs-2019,Medium,Performance Testing,Troubleshooting,50,Use application profiling tools -Performance Efficiency,Track how your resources scale,https://docs.microsoft.com/azure/architecture/framework/Scalability/monitoring#how-do-azure-service-auto-scale,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Track how your resources scale -Performance Efficiency,Monitor the components required to serve a single request,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#instrumenting-an-application,Medium,Performance Testing,Load Capacity,50,Monitor the components required to serve a single request -Performance Efficiency,Determine the acceptable operational margin between peak utilization and maximum load,https://docs.microsoft.com/azure/azure-monitor/vm/vminsights-performance,Medium,Performance Testing,Load Capacity,50,Determine the acceptable operational margin between peak utilization and maximum load -Performance Efficiency,Determine appropriate metrics for your workload,https://docs.microsoft.com/azure/architecture/framework/scalability/monitor#metered-metrics-monitoring,Medium,Performance Testing,Load Capacity,50,Determine appropriate metrics for your workload -Performance Efficiency,Collect application logs from all environments with a tool like Azure Application Insights,https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Collect application logs from all environments with a tool like Azure Application Insights -Performance Efficiency,Capture logs in a structured format,https://docs.microsoft.com/azure/architecture/example-scenario/logging/unified-logging,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Capture logs in a structured format -Performance Efficiency,Correlate events across all tiers of your 
workload,https://docs.microsoft.com/azure/architecture/framework/scalability/monitor#application-level-monitoring,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Correlate events across all tiers of your workload -Performance Efficiency,Develop a troubleshooting guide for database performance problems,https://docs.microsoft.com/azure/azure-sql/database/automatic-tuning-overview,Medium,Performance Testing,Troubleshooting,50,Develop a troubleshooting guide for database performance problems -Performance Efficiency,Develop a troubleshooting guide for high CPU or memory issues,https://docs.microsoft.com/troubleshoot/azure/virtual-machines/troubleshoot-high-cpu-issues-azure-windows-vm,Medium,Performance Testing,Troubleshooting,50,Develop a troubleshooting guide for high CPU or memory issues -Performance Efficiency,Determine how to isolate increased response times,https://docs.microsoft.com/azure/azure-monitor/app/distributed-tracing,Medium,Performance Testing,Troubleshooting,50,Determine how to isolate increased response times -Performance Efficiency,Have an overall monitoring strategy for scalability,https://docs.microsoft.com/azure/architecture/framework/Scalability/monitoring#,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Have an overall monitoring strategy for scalability -Performance Efficiency,"Plan your growth, then choose regions that will support those plans",https://azure.microsoft.com/global-infrastructure/services/,Medium,Application Design,Design,50,"Plan your growth, then choose regions that will support those plans" -Performance Efficiency,Use a Content Delivery Networks (CDN),https://docs.microsoft.com/azure/architecture/framework/Scalability/capacity#content-delivery-networks-(cdn),Low,Networking & Connectivity,Endpoints,30,Use a Content Delivery Networks (CDN) -Performance Efficiency,Establish targets for database 
performance,https://docs.microsoft.com/sql/relational-databases/performance/display-an-actual-execution-plan,Low,Application Design,Targets & Non-Functional Requirements,30,Establish targets for database performance -Performance Efficiency,Have a large scale event management strategy in place,https://docs.microsoft.com/azure/architecture/framework/Scalability/capacity#large-scale-event-management,Low,Capacity & Service Availability Planning,Scalability & Capacity Model,30,Have a large scale event management strategy in place -Performance Efficiency,Implement database partitioning,https://docs.microsoft.com/azure/architecture/framework/scalability/optimize-partition#strategies-for-data-partitioning,Low,Application Design,Design,30,Implement database partitioning ------------,,,,, -,,,,, -Category,Question,Answers,Selected Answer,Note -WAF Configuration,What workload type do you want to evaluate?,Core Well-Architected Review,Core Well-Architected Review,, -WAF Configuration,What workload type do you want to evaluate?,Azure Machine Learning (Preview),,, -WAF Configuration,What workload type do you want to evaluate?,Data Services,,, -WAF Configuration,Which pillars do you want to evaluate?,Reliability,Reliability,, -WAF Configuration,Which pillars do you want to evaluate?,Security,Security,, -WAF Configuration,Which pillars do you want to evaluate?,Cost,Cost,, -WAF Configuration,Which pillars do you want to evaluate?,Operational Excellence,Operational Excellence,, -WAF Configuration,Which pillars do you want to evaluate?,Performance,Performance,, -Reliability,What reliability targets and metrics have you defined for your application?,Recovery targets to identify how long the workload can be unavailable (Recovery Time Objective) and how much data is acceptable to lose during a disaster (Recovery Point Objective).,,, -Reliability,What reliability targets and metrics have you defined for your application?,Availability targets such as Service Level Agreements (SLAs) and 
Service Level Objectives (SLOs).,,, -Reliability,What reliability targets and metrics have you defined for your application?,Availability metrics to measure and monitor availability such as Mean Time To Recover (MTTR) and Mean Time Between Failure (MTBF).,,, -Reliability,What reliability targets and metrics have you defined for your application?,Composite SLA for the workload derived using the Azure SLAs for all relevant resources.,,, -Reliability,What reliability targets and metrics have you defined for your application?,SLAs for all internal and external dependencies.,,, -Reliability,What reliability targets and metrics have you defined for your application?,Independent availability and recovery targets for critical application subsystems and scenarios.,,, -Reliability,What reliability targets and metrics have you defined for your application?,None of the above.,None of the above.,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Deployed the application across multiple regions.,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Removed all single points of failure by running multiple instances of application components.,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Deployed the application across Availability Zones within a region.,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Performed Failure Mode Analysis (FMA) to identify fault-points and fault-modes.,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Planned for component level faults to minimize application downtime.,Planned for component level faults to minimize application downtime.,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Planned for dependency failures to minimize application downtime.,Planned for 
dependency failures to minimize application downtime.,, -Reliability,How have you ensured that your application architecture is resilient to failures?,None of the above.,None of the above.,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,"Built a capacity model for the application ",,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Planned for expected usage patterns.,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Confirmed Azure service availability in required regions.,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Confirmed Availability Zones are available in required regions.,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Validated required capacity is within Azure service scale limits and quotas.,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Validated all APIs/SDKs against target run-times and languages for required functionality.,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Aligned with Azure roadmaps for required preview services and capabilities.,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,None of the above.,None of the above.,, -Reliability,How are you handling disaster recovery for this workload?,Application is available across multiple regions in an active-active configuration.,,, -Reliability,How are you handling disaster recovery for this workload?,Application is deployed across multiple regions in an active-passive configuration in alignment with recovery targets.,,, -Reliability,How are you handling disaster recovery for this workload?,Traffic is routable to the application in the case of a regional failure.,,, 
-Reliability,How are you handling disaster recovery for this workload?,Defined a backup strategy in alignment with recovery targets.,,, -Reliability,How are you handling disaster recovery for this workload?,Defined a disaster recovery strategy to capture recovery steps for failover and failback.,,, -Reliability,How are you handling disaster recovery for this workload?,Failover and failback steps and processes are automated.,,, -Reliability,How are you handling disaster recovery for this workload?,Successfully tested and validated the failover and failback approach at least once.,,, -Reliability,How are you handling disaster recovery for this workload?,Decomposed the application into distinct subsystems with independent disaster recovery strategies.,,, -Reliability,How are you handling disaster recovery for this workload?,Network connectivity redundancy for on premise data/application sources.,,, -Reliability,How are you handling disaster recovery for this workload?,None of the above.,None of the above.,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application processes are stateless.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Session state is non-sticky and externalized to a data store.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application configuration is treated as code and deployed with the application.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application platform services are running in a highly available configuration/SKU.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application platform components are deployed across Availability Zones or Availability Sets.,,, -Reliability,What decisions 
have been taken to ensure the application platform meets your reliability requirements?,Leveraged platform services are Availability Zone aware.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application platform components are deployed across multiple active regions.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Load balancing is implemented to distribute traffic across multiple nodes.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Health probes are implemented to check the health of application components and compound application health.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Queuing and reliable messaging patterns are used to integrate application tiers.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Client traffic can be routed to the application in the case of region/zone/network outages.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Procedures to scale out application platform components are automated.,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,None of the above.,None of the above.,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data types are categorized by data consistency requirements.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data platform services are running in a highly available configuration/SKU.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data 
is replicated across multiple regions.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data is replicated across Availability Zones.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data is backed-up on zone/geo-redundant storage.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Active geo-replication is used for data platform components such as storage and databases.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Application traffic can be routed to data stores in the case of region/zone/network outages.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Read operations are segregated from update operations.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Load balancer health probes assess data platform components.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data restore processes have been defined to ensure consistent application state when data is corrupted or deleted.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data restore processes have been validated and tested to ensure consistent application state when data is corrupted or deleted.,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,None of the above.,None of the above.,, -Reliability,How does your application logic handle exceptions and errors?,Have a method to handle faults that might take a variable amount of time to recover from.,,, -Reliability,How does your application logic handle exceptions and errors?,Request timeouts are configured 
to manage inter-component calls.,,, -Reliability,How does your application logic handle exceptions and errors?,"Retry logic is implemented to handle transient failures, with appropriate back-off strategies to avoid cascading failures.",,, -Reliability,How does your application logic handle exceptions and errors?,The application is instrumented with semantic logs and metrics.,,, -Reliability,How does your application logic handle exceptions and errors?,None of the above.,None of the above.,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,All single points of failure have been eliminated from application communication flows.,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,Health probes are configured for Azure Load Balancer(s) to assess application traffic flows and compound health.,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,Azure Load Balancer Standard or Zone redundant application gateways are used to load balance traffic across Availability Zones.,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,Redundant connections from different locations are used for cross-premises connectivity (ExpressRoute or VPN).,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,A failure path has been simulated for cross-premises connectivity.,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,Zone redundant gateways are used for cross-premises connectivity (ExpressRoute or VPN).,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,"Network traffic is monitored, and a response plan is in 
place to address network outages.",,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,None of the above.,None of the above.,, -Reliability,What reliability allowances for scalability and performance have you made?,The application has dedicated cross-premises bandwidth.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Components with sensitive latency requirements are collocated.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Gateways (ExpressRoute or VPN) have been sized according to expected cross-premises network throughput.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Expected throughput passing through security/network appliances has been tested and autoscaling is configured based on throughput requirements.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Autoscaling is enabled for application components and integrated with Azure Monitor.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Autoscaling has been tested and the time to scale in/out has been measured.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Tested and validated defined latency and defined throughput targets per scenario and component.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Calculated target data sizes and associated growth rates per scenario and component.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Operational procedures are defined in case data sizes exceed limits.,,, -Reliability,What reliability allowances for scalability and performance have you made?,Validated that long-running TCP connections are not required for the workload.,,, -Reliability,What reliability 
allowances for scalability and performance have you made?,Throttling is implemented to govern inbound application calls and inter-component calls.,,, -Reliability,What reliability allowances for scalability and performance have you made?,None of the above.,None of the above.,, -Reliability,What reliability allowances for security have you made?,The identity provider (AAD/ADFS/AD/Other) is highly available and aligns with application availability and recovery targets.,,, -Reliability,What reliability allowances for security have you made?,"All external application endpoints are secured? i.e. Firewall, WAF, DDoS Protection Standard Plan, etc.",,, -Reliability,What reliability allowances for security have you made?,Communication to Azure PaaS services secured using Virtual Network Service Endpoints or Private Link.,,, -Reliability,What reliability allowances for security have you made?,Keys and secrets are backed-up to geo-redundant storage.,,, -Reliability,What reliability allowances for security have you made?,The process for key rotation is automated and tested,,, -Reliability,What reliability allowances for security have you made?,Emergency access break glass accounts have been tested and secured for recovering from Identity provider failure scenarios.,,, -Reliability,What reliability allowances for security have you made?,None of the above.,None of the above.,, -Reliability,What reliability allowances for operations have you made?,Application can be automatically deployed to a new region without any manual operations to recover from disaster scenarios.,,, -Reliability,What reliability allowances for operations have you made?,Application deployments can be rolled-back and rolled-forward through automated deployment pipelines.,,, -Reliability,What reliability allowances for operations have you made?,The lifecycle of the application is decoupled from its dependencies.,,, -Reliability,What reliability allowances for operations have you made?,The time it takes to 
deploy an entire production environment is tested and validated.,,, -Reliability,What reliability allowances for operations have you made?,None of the above.,None of the above.,, -Reliability,How do you test the application to ensure it is fault tolerant?,The application is tested against critical Non-Functional requirements for performance.,,, -Reliability,How do you test the application to ensure it is fault tolerant?,Load Testing is conducted with expected peak volumes to test scalability and performance under load.,,, -Reliability,How do you test the application to ensure it is fault tolerant?,Chaos Testing is performed by injecting faults.,,, -Reliability,How do you test the application to ensure it is fault tolerant?,Tests are automated and carried out periodically or on-demand.,,, -Reliability,How do you test the application to ensure it is fault tolerant?,Critical test environments have 1:1 parity with the production environment.,,, -Reliability,How do you test the application to ensure it is fault tolerant?,None of the above.,None of the above.,, -Reliability,How do you monitor and measure application health?,The application is instrumented with semantic logs and metrics.,,, -Reliability,How do you monitor and measure application health?,Application logs are correlated across components.,,, -Reliability,How do you monitor and measure application health?,All components are monitored and correlated with application telemetry.,,, -Reliability,How do you monitor and measure application health?,"Key metrics, thresholds, and indicators are defined and captured.",,, -Reliability,How do you monitor and measure application health?,"A health model has been defined based on performance, availability, and recovery targets and is represented through monitoring dashboard and alerts.",,, -Reliability,How do you monitor and measure application health?,Azure Service Health events are used to alert on applicable Service level events.,,, -Reliability,How do you monitor and 
measure application health?,Azure Resource Health events are used to alert on resource health events.,,, -Reliability,How do you monitor and measure application health?,Monitor long-running workflows for failures.,,, -Reliability,How do you monitor and measure application health?,None of the above.,None of the above.,, -Security,Have you done a threat analysis of your workload?,"Threat modeling processes are adopted, identified threats are ranked based on organizational impact, mapped to mitigations and communicated to stakeholders.",,, -Security,Have you done a threat analysis of your workload?,"There's a process to track, triage and address security threats in the application development cycle.",,, -Security,Have you done a threat analysis of your workload?,Timelines and processess are established to deploy mitigations (security fixes) for identified threats.,,, -Security,Have you done a threat analysis of your workload?,Security requirements are defined for this workload.,,, -Security,Have you done a threat analysis of your workload?,Threat protection was addressed for this workload.,,, -Security,Have you done a threat analysis of your workload?,"Security posture was evaluated with standard benchmarks (CIS Control Framework, MITRE framework etc.).",,, -Security,Have you done a threat analysis of your workload?,"Business critical workloads, which may adversely affect operations if they are compromised or become unavailable, were identified and classified.",,, -Security,Have you done a threat analysis of your workload?,None of the above.,None of the above.,, -Security,What considerations for compliance and governance did you make in this workload?,Regulatory and governance requirements of this workload are known and well understood.,,, -Security,What considerations for compliance and governance did you make in this workload?,Landing Zone concept is implemented for this workload using Azure Blueprints and/or Azure Policies.,,, -Security,What considerations for 
compliance and governance did you make in this workload?,Azure Policies are used to enforce and control security and organizational standards.,,, -Security,What considerations for compliance and governance did you make in this workload?,Root management group is used and any changes that are applied using this group are carefully considered.,,, -Security,What considerations for compliance and governance did you make in this workload?,Compliance for this workload is systematically monitored and maintained. Regular compliance attestations are performed.,,, -Security,What considerations for compliance and governance did you make in this workload?,External or internal audits of this workload are performed periodically.,,, -Security,What considerations for compliance and governance did you make in this workload?,Security plan for this workload was developed and is maintained.,,, -Security,What considerations for compliance and governance did you make in this workload?,"Best practices and guidelines, based on industry recommendations, are reviewed and applied proactively.",,, -Security,What considerations for compliance and governance did you make in this workload?,Attacker vs. defender costs are considered when implementing defenses. 
Easy and cheap attack methods are always prevented.,,, -Security,What considerations for compliance and governance did you make in this workload?,Attacker access containment is considered when making investments into security solutions.,,, -Security,What considerations for compliance and governance did you make in this workload?,None of the above.,None of the above.,, -Security,What practices and tools have you implemented as part of the development cycle?,"A list of dependencies, frameworks and libraries used by this workload is maintained and updated regularly.",,, -Security,What practices and tools have you implemented as part of the development cycle?,Framework and library updates are included into the workload lifecycle.,,, -Security,What practices and tools have you implemented as part of the development cycle?,"Technologies and frameworks used in this workload are fully understood, including their vulnerabilities.",,, -Security,What practices and tools have you implemented as part of the development cycle?,"Security updates to VMs are applied in a timely manner, and strong passwords exist on those VMs for any local administrative accounts that may be in use.",,, -Security,What practices and tools have you implemented as part of the development cycle?,All cloud services used by this workload are identified and it is understood how to configure them securely.,,, -Security,What practices and tools have you implemented as part of the development cycle?,"Personally identifiable information (PII) is detected and removed/obfuscated automatically for this workload, including application logs.",,, -Security,What practices and tools have you implemented as part of the development cycle?,Azure Tags are used to enrich Azure resources with operational metadata.,,, -Security,What practices and tools have you implemented as part of the development cycle?,Elevated security capabilities such as dedicated Hardware Security Modules (HSMs) or the use of Confidential Computing 
was implemented or considered implementing?,,, -Security,What practices and tools have you implemented as part of the development cycle?,None of the above.,None of the above.,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Formal DevOps approach to building and maintaining software in this workload was adopted.,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,"DevOps security guidance based on industry lessons-learned, and available automation tools (OWASP guidance, Microsoft toolkit for Secure DevOps etc.) is leveraged.",,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Gates and approvals are configured in DevOps release process of this workload.,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Security team is involved in planning, design and the rest of DevOps process of this workload.",,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Deployments are automated and it's possible to deploy N+1 and N-1 version (where N is the current production).,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Code scanning tools are integrated as part of the continuous integration (CI) process for this workload and cover also 3rd party dependencies.,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Credentials, certificates and other secrets are managed in a secure manner inside of CI/CD pipelines.",,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Branch policies are used in source control management, main branch is protected and code reviews are required.",,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Security controls are 
applied to all self-hosted build agents used by this workload (if any).,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,CI/CD roles and permissions are clearly defined for this workload.,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,None of the above.,None of the above.,, -Security,Is the workload developed and configured in a secure way?,Cloud services are used for well-established functions instead of building custom service implementations.,,, -Security,Is the workload developed and configured in a secure way?,Detailed error messages and verbose information are hidden from the end user/client applications. Exceptions in code are handled gracefully and logged.,,, -Security,Is the workload developed and configured in a secure way?,Platform specific information (e.g. web server version) is removed from server-client communication channels.,,, -Security,Is the workload developed and configured in a secure way?,CDN (content delivery network) is used to separate the hosting platform and end-users/clients.,,, -Security,Is the workload developed and configured in a secure way?,"Application configuration is stored using a dedicated configuration management system (Azure App Configuration, Azure Key Vault etc.)",,, -Security,Is the workload developed and configured in a secure way?,"Access to data storage is identity-based, whenever possible.",,, -Security,Is the workload developed and configured in a secure way?,Authentication tokens are cached securely and encrypted when sharing across web servers.,,, -Security,Is the workload developed and configured in a secure way?,There are controls in place for this workload to detect and protect from data exfiltration.,,, -Security,Is the workload developed and configured in a secure way?,None of the above.,None of the above.,, -Security,How are you monitoring security-related events in this workload?,Tools like Azure Security 
Center are used to discover and remediate common risks within Azure tenants.,,, -Security,How are you monitoring security-related events in this workload?,A central SecOps team monitors security related telemetry data for this workload.,,, -Security,How are you monitoring security-related events in this workload?,The security team has read-only access into all cloud environment resources for this workload.,,, -Security,How are you monitoring security-related events in this workload?,"The security team has access to and monitor all subscriptions and tenants that are connected to the existing cloud environment, relative to this workload.",,, -Security,How are you monitoring security-related events in this workload?,Identity related risk events related to potentially compromised identities are actively monitored.,,, -Security,How are you monitoring security-related events in this workload?,"Communication, investigation and hunting activities are aligned with the workload team.",,, -Security,How are you monitoring security-related events in this workload?,Periodic & automated access reviews of the workload are conducted to ensure that only authorized people have access?,,, -Security,How are you monitoring security-related events in this workload?,Cloud application security broker (CASB) is leveraged in this workload.,,, -Security,How are you monitoring security-related events in this workload?,A designated point of contact was assigned for this workload to receive Azure incident notifications from Microsoft.,,, -Security,How are you monitoring security-related events in this workload?,None of the above.,None of the above.,, -Security,How is security validated and how do you handle incident response when breach happens?,"For containerized workloads, Azure Defender (Azure Security Center) or other third-party solution is used to scan for vulnerabilities.",,, -Security,How is security validated and how do you handle incident response when breach happens?,Penetration 
testing is performed in-house or a third-party entity performs penetration testing of this workload to validate the current security defenses.,,, -Security,How is security validated and how do you handle incident response when breach happens?,"Simulated attacks on users of this workload, such as phishing campaigns, are carried out regularly.",,, -Security,How is security validated and how do you handle incident response when breach happens?,Operational processes for incident response are defined and tested for this workload.,,, -Security,How is security validated and how do you handle incident response when breach happens?,"Playbooks are built to help incident responders quickly understand the workload and components, to mitigate an attack and do an investigation.",,, -Security,How is security validated and how do you handle incident response when breach happens?,There's a security operations center (SOC) that leverages a modern security approach.,,, -Security,How is security validated and how do you handle incident response when breach happens?,A security training program is developed and maintained to ensure security staff of this workload are well-informed and equipped with the appropriate skills.,,, -Security,How is security validated and how do you handle incident response when breach happens?,None of the above.,None of the above.,, -Security,How is connectivity secured for this workload?,"Services used by this workload, which should not be accessible from public IP addresses, are protected with network restrictions / IP firewall rules.",,, -Security,How is connectivity secured for this workload?,Service Endpoints or Private Links are used for accessing Azure PaaS services.,,, -Security,How is connectivity secured for this workload?,Azure Firewall or any 3rd party next generation firewall is used for this workload to control outgoing traffic of Azure PaaS services (data exfiltration protection) where Private Link is not available.,,, -Security,How is 
connectivity secured for this workload?,Network security groups (NSG) are used to isolate and protect traffic within the workloads VNet.,,, -Security,How is connectivity secured for this workload?,NSG flow logs are configured to get insights about incoming and outgoing traffic of this workload.,,, -Security,How is connectivity secured for this workload?,"Access to the workload backend infrastructure (APIs, databases, etc.) is restricted to only a minimal set of public IP addresses - only those who really need it.",,, -Security,How is connectivity secured for this workload?,Identified groups of resources are isolated from other parts of the organization to aid in detecting and containing adversary movement within the enterprise.,,, -Security,How is connectivity secured for this workload?,"All public endpoints of this workload are protected/secured with appropriate solution (i.e. Azure Front Door, Azure Firewall...).",,, -Security,How is connectivity secured for this workload?,"Publishing methods for this workload (e.g FTP, Web Deploy) are protected.",,, -Security,How is connectivity secured for this workload?,Code is published to this workload using CI/CD process instead of manually.,,, -Security,How is connectivity secured for this workload?,"Workload virtual machines running on premises or in the cloud don't have direct internet connectivity for users that may perform interactive logins, or by applications running on virtual machines.",,, -Security,How is connectivity secured for this workload?,There's a capability and plans in place to mitigate DDoS attacks for this workload.,,, -Security,How is connectivity secured for this workload?,None of the above.,None of the above.,, -Security,How have you secured the network of your workload?,"There's a designated group within the organization, which is responsible for centralized network management security of this workload.",,, -Security,How have you secured the network of your workload?,"There are controls in place to 
ensure that security extends past the network boundaries of the workload in order to effectively prevent, detect, and respond to threats.",,, -Security,How have you secured the network of your workload?,Enhanced network visibility is enabled by integrating network logs into a Security information and event management (SIEM) solution or similar technology.,,, -Security,How have you secured the network of your workload?,Cloud virtual networks are designed for growth based on an intentional subnet security strategy.,,, -Security,How have you secured the network of your workload?,"This workload has a security containment strategy that blends existing on-premises security controls and practices with native security controls available in Azure, and uses a zero-trust approach.",,, -Security,How have you secured the network of your workload?,Legacy network security controls for data loss prevention were deprecated.,,, -Security,How have you secured the network of your workload?,"Traffic between subnets, Azure components and tiers of the workload is managed and protected.",,, -Security,How have you secured the network of your workload?,None of the above.,None of the above.,, -Security,How are you managing encryption for this workload?,The workload uses industry standard encryption algorithms instead of creating own.,,, -Security,How are you managing encryption for this workload?,The workload communicates over encrypted (TLS / HTTPS) network channels only.,,, -Security,How are you managing encryption for this workload?,TLS 1.2 or 1.3 is used by default across this workload.,,, -Security,How are you managing encryption for this workload?,Secure modern hashing algorithms (SHA-2 family) are used.,,, -Security,How are you managing encryption for this workload?,Data at rest is protected with encryption.,,, -Security,How are you managing encryption for this workload?,Data in transit is encrypted.,,, -Security,How are you managing encryption for this workload?,Virtual disk files 
for virtual machines which are associated with this workload are encrypted.,,, -Security,How are you managing encryption for this workload?,None of the above.,None of the above.,, -Security,"Are keys, secrets and certificates managed in a secure way?",There's a clear guidance or requirement on what type of keys (PMK - Platform Managed Keys vs. CMK - Customer Managed Keys) should be used for this workload.,,, -Security,"Are keys, secrets and certificates managed in a secure way?","Passwords and secrets are managed outside of application artifacts, using tools like Azure Key Vault.",,, -Security,"Are keys, secrets and certificates managed in a secure way?",Access model for keys and secrets is defined for this workload.,,, -Security,"Are keys, secrets and certificates managed in a secure way?",A clear responsibility / role concept for managing keys and secrets is defined for this workload.,,, -Security,"Are keys, secrets and certificates managed in a secure way?",Secret/key rotation procedures are in place.,,, -Security,"Are keys, secrets and certificates managed in a secure way?",Expiry dates of SSL/TLS certificates are monitored and there are renewal processes in place.,,, -Security,"Are keys, secrets and certificates managed in a secure way?",None of the above.,None of the above.,, -Security,What security controls do you have in place for access to Azure infrastructure?,There are tools and processes in place to grant just-in-time access.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,No user accounts have long-standing write access to production environments.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,Appropriate emergency access accounts are configured for this workload in case of an emergency.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,Lines of responsibility and designated responsible parties were clearly defined for 
specific functions in Azure.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,The application team has a clear view on responsibilities and individual/group access levels for this workload.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,Workload infrastructure is protected with role-based access control (RBAC).,,, -Security,What security controls do you have in place for access to Azure infrastructure?,Resource locks are leveraged to protect critical infrastructure of this workload.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,"Direct access to the infrastructure through Azure Portal, command-line Interface (CLI) or REST API is limited and CI/CD is preferred.",,, -Security,What security controls do you have in place for access to Azure infrastructure?,Permissions to Azure workloads are rarely based on individual resources and custom permissions are rarely used.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,There are processes and tools being used to manage privileged activities. 
Long standing administrative access is avoided whenever possible.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,There is a lifecycle management policy for critical accounts in this workload and privileged accounts are reviewed regularly.,,, -Security,What security controls do you have in place for access to Azure infrastructure?,None of the above.,None of the above.,, -Security,How are you managing identity for this workload?,When communicating with Azure platform services managed identities are preferred over API keys and connection strings.,,, -Security,How are you managing identity for this workload?,All APIs in this workload require clients to authenticate.,,, -Security,How are you managing identity for this workload?,"Modern authentication protocols (OAuth 2.0, OpenID) are used by this workload.",,, -Security,How are you managing identity for this workload?,"Azure Active Directory or other managed identity provider (Microsoft Account, Azure B2C etc.) is used for user authentication.",,, -Security,How are you managing identity for this workload?,Authentication via identity services is prioritized for this workload vs. 
cryptographic keys.,,, -Security,How are you managing identity for this workload?,Conditional access policies are implemented for users of this workload.,,, -Security,How are you managing identity for this workload?,Password-less or multi-factor authentication (MFA) is enforced for users of this workload.,,, -Security,How are you managing identity for this workload?,Current on-premises Active Directory is synchronized with Azure AD or other cloud identity system.,,, -Security,How are you managing identity for this workload?,None of the above.,None of the above.,, -Cost Optimization,How are you modeling cloud costs of this workload?,Cloud costs are being modelled for this workload.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,The price model of the workload is clear.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Critical system flows through the application have been defined for all key business scenarios.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,There is a well-understood capacity model for the workload.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Internal and external dependencies are identified and cost implications understood.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Cost implications of each Azure service used by the application are understood.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,The right operational capabilities are used for Azure services.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Special discounts given to services or licenses are factored in when calculating new cost models for services being moved to the cloud.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Azure Hybrid Use Benefit is used to drive down cost in the cloud.,,, -Cost Optimization,How are you modeling cloud costs of this workload?,None of the above.,None 
of the above.,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Budgets are assigned to all services in this workload.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is a cost owner for every service used by this workload.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Cost forecasting is done to ensure it aligns with the budget.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is a monthly or yearly meeting where the budget is reviewed.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Every environment has a target end-date.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Every environment has a plan for migrating to PaaS or serverless to lower the all up cost and transfer risk.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is a clear understanding of how budget is defined.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Budget is factored into the building phase.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is an ongoing conversation between the app owner and the business.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is a plan to modernize the workload.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Azure Tags are used to enrich Azure resources with operational metadata.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,The application has a well-defined naming standard for Azure resources.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Role Based Access Control 
(RBAC) is used to control access to operational and financial dashboards and underlying data.,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,None of the above.,None of the above.,, -Cost Optimization,How are you monitoring costs of this workload?,Alerts are set for cost thresholds and limits.,,, -Cost Optimization,How are you monitoring costs of this workload?,Specific owners and processes are defined for each alert type.,,, -Cost Optimization,How are you monitoring costs of this workload?,Application Performance Management (APM) tools and log aggregation technologies are used to collect logs and metrics from Azure resources.,,, -Cost Optimization,How are you monitoring costs of this workload?,Cost Management Tools (such as Azure Cost Management) are being used to track spending in this workload.,,, -Cost Optimization,How are you monitoring costs of this workload?,None of the above.,None of the above.,, -Cost Optimization,How do you optimize the design of this workload?,The application was built natively for the cloud.,,, -Cost Optimization,How do you optimize the design of this workload?,There is an availability strategy defined and cost implications of it are understood.,,, -Cost Optimization,How do you optimize the design of this workload?,This workload benefits from higher density.,,, -Cost Optimization,How do you optimize the design of this workload?,Data is being transferred between regions.,,, -Cost Optimization,How do you optimize the design of this workload?,Multi-region deployment is supported and cost implications understood.,,, -Cost Optimization,How do you optimize the design of this workload?,The workload is designed to use Availability Zones within a region.,,, -Cost Optimization,How do you optimize the design of this workload?,None of the above.,None of the above.,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Performance requirements are well-defined.,,, -Cost 
Optimization,How do you ensure that cloud services are appropriately provisioned?,Targets for the time it takes to perform scale operations are defined and monitored.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,The workload is designed to scale independently.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,The application has been designed to scale both in and out.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Application components and data are split into groups as part of your disaster recovery strategy.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Tools (such as Azure Advisor) are being used to optimise SKUs discovered in this workload.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Resources are reviewed weekly or bi-weekly for optimization.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Cost-effective regions are considered as part of the deployment selection.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Dev/Test offerings are used correctly.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Shared hosting platforms are used correctly.,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,None of the above.,None of the above.,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,There is an automated process to deploy application releases to production.,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,There is a difference in configuration for production and non-production environments.,,, -Cost Optimization,What considerations for DevOps practices are you making in this 
workload?,Test-environments are deployed automatically and deleted after use.,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,There is awareness around how the application has been built and is being maintained (in house or via an external partner).,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,There is awareness regarding the ratio of cost of production and non-production environments for this workload.,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,None of the above.,None of the above.,, -Cost Optimization,How do you manage compute costs for this workload?,Appropriate SKUs are used for workload servers.,,, -Cost Optimization,How do you manage compute costs for this workload?,Appropriate operating systems are used in the workload.,,, -Cost Optimization,How do you manage compute costs for this workload?,A recent review of SKUs that could benefit from Reserved Instances for 1 or 3 years or more has been performed.,,, -Cost Optimization,How do you manage compute costs for this workload?,Burstable (B) series VM sizes are used for VMs that are idle most of the time and have high usage only in certain periods.,,, -Cost Optimization,How do you manage compute costs for this workload?,VM instances which are not used are shut down.,,, -Cost Optimization,How do you manage compute costs for this workload?,Spot virtual machines are used.,,, -Cost Optimization,How do you manage compute costs for this workload?,PaaS is used as an alternative to buying virtual machines.,,, -Cost Optimization,How do you manage compute costs for this workload?,Costs are optimized by using the App Service Premium (v3) plan over the Premium (Pv2) plan.,,, -Cost Optimization,How do you manage compute costs for this workload?,Zone to Zone disaster recovery is used for virtual machines.,,, -Cost Optimization,How do you manage compute costs for this 
workload?,The Start/Stop feature in Azure Kubernetes Services (AKS) is used.,,, -Cost Optimization,How do you manage compute costs for this workload?,None of the above.,None of the above.,, -Cost Optimization,How do you manage networking costs for this workload?,Service Endpoints or Private Link are used for accessing Azure PaaS services.,,, -Cost Optimization,How do you manage networking costs for this workload?,Hub and spoke design pricing is understood.,,, -Cost Optimization,How do you manage networking costs for this workload?,Microsoft backbone network is preferred.,,, -Cost Optimization,How do you manage networking costs for this workload?,DDoS attack mitigation plans and capabilities are in place.,,, -Cost Optimization,How do you manage networking costs for this workload?,"Azure Front Door, Azure App Gateway or Web Application Firewall is used.",,, -Cost Optimization,How do you manage networking costs for this workload?,The workload is connected between regions (using network peering or gateways).,,, -Cost Optimization,How do you manage networking costs for this workload?,Azure resources are connecting to the internet via on-premises.,,, -Cost Optimization,How do you manage networking costs for this workload?,Public IPs and orphaned NICs are regularly cleaned up.,,, -Cost Optimization,How do you manage networking costs for this workload?,None of the above.,None of the above.,, -Cost Optimization,How do you manage storage and data costs for this workload?,Reserved capacity is used for data in block blob storage.,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Data is organized into access tiers.,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Life-cycle policy is used to move data between access tiers.,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Shared disks are leveraged for suitable workloads.,,, -Cost Optimization,How do you manage storage and data 
costs for this workload?,Reserved premium disks (P30 & above) are used.,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Bursting for P20 and below disks is utilized for suitable workloads.,,, -Cost Optimization,How do you manage storage and data costs for this workload?,"For database workloads, data and log files are stored on separate disks.",,, -Cost Optimization,How do you manage storage and data costs for this workload?,"Unused storage resources (e.g. unattached disks, old snapshots) are periodically cleaned up.",,, -Cost Optimization,How do you manage storage and data costs for this workload?,Selective disk backup and restore for Azure VMs is used.,,, -Cost Optimization,How do you manage storage and data costs for this workload?,None of the above.,None of the above.,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,Development and operations processes are connected to a Service Management framework like ISO or ITIL,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,There is no separation between development and operations teams.,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,You have identified all broader teams responsible for operational aspects of the application and have established remediation plans with them for any issues that occur.,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,Features and development tasks for the application are prioritized and executed on in a consistent fashion.,,, -Operational Excellence,Have you identified and planned out the roles and 
responsibilities to ensure your workload follows operational excellence best practices?,You understand how the choices and desired configuration of Azure services are managed.,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,None of the above.,None of the above.,, -Operational Excellence,What design considerations for operations have you made?,You have documented any components that are on-premises or in another cloud.,,, -Operational Excellence,What design considerations for operations have you made?,Deployed the application across multiple regions.,,, -Operational Excellence,What design considerations for operations have you made?,Application is deployed across multiple regions in an active-passive configuration in alignment with recovery targets.,,, -Operational Excellence,What design considerations for operations have you made?,Application platform components are deployed across multiple active regions.,,, -Operational Excellence,What design considerations for operations have you made?,The workload is implemented with strategies for resiliency and self-healing.,,, -Operational Excellence,What design considerations for operations have you made?,All platform-level dependencies are identified and understood.,,, -Operational Excellence,What design considerations for operations have you made?,None of the above.,None of the above.,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,"Availability targets such as SLAs, SLIs and SLOs are defined for the application and key scenarios and monitored",,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,"Availability targets such as SLAs, SLIs and SLOs for all leveraged dependencies are understood and monitored",,, 
-Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,Recovery targets such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined for the application and key scenarios,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,The consequences if availability and recovery targets are not satisfied are well understood,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,There are targets defined for the time it takes to perform scale operations,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,"Critical system flows through the application have been defined for all key business scenarios and have distinct availability, performance and recovery targets",,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,There are well defined performance requirements for the application and key scenarios,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,Any application components which are less critical and have lower availability or performance requirements are well understood,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,None of the above.,None of the above.,, -Operational Excellence,How are you monitoring your resources?,An Application Performance Management (APM) tool like Azure Application Insights is used to collect application level logs,,, -Operational 
Excellence,How are you monitoring your resources?,Application logs are collected from different application environments,,, -Operational Excellence,How are you monitoring your resources?,Log messages are captured in a structured format and can be indexed and searched,,, -Operational Excellence,How are you monitoring your resources?,Application events are correlated across all application components,,, -Operational Excellence,How are you monitoring your resources?,It is possible to evaluate critical application performance targets and non-functional requirements based on application logs and metrics,,, -Operational Excellence,How are you monitoring your resources?,End-to-end performance of critical system flows is monitored,,, -Operational Excellence,How are you monitoring your resources?,Black-box monitoring is used to measure platform services and the resulting customer experience.,,, -Operational Excellence,How are you monitoring your resources?,None of the above.,None of the above.,, -Operational Excellence,How do you interpret the collected data to inform about application health?,"A log aggregation technology, such as Azure Log Analytics or Splunk, is used to collect logs and metrics from Azure resources",,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Azure Activity Logs are collected within the log aggregation tool,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Resource-level monitoring is enforced throughout the application,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Logs and metrics are available for critical internal dependencies,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Log levels are used to capture different types of application events.,,, -Operational Excellence,How do you interpret the collected data to inform about 
application health?,Critical external dependencies are monitored,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,There are no known gaps in application observability that led to missed incidents and/or false positives.,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,The workload is instrumented to measure customer experience.,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,None of the above.,None of the above.,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,"Application and resource level logs are either aggregated in a single data sink, or it is possible to cross-query events at both levels",,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,Application level events are automatically correlated with resource-level metrics to quantify the current application state,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,A health model is used to qualify what 'healthy' and 'unhealthy' states represent for the workload,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,Critical system flows are used to inform the health model,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,The health model can distinguish between transient and non-transient faults,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,Long-term trends are analysed to predict operational issues before they occur,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,Retention times for logs and metrics have been defined and with 
housekeeping mechanisms configured,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,None of the above.,None of the above.,, -Operational Excellence,How are you using Azure platform notifications and updates?,A tool such as Azure Monitor or Grafana is used to visualize the application health model and encompassed logs and metrics,,, -Operational Excellence,How are you using Azure platform notifications and updates?,"Dashboards are tailored to a specific audience such as developers, security or networking teams",,, -Operational Excellence,How are you using Azure platform notifications and updates?,A tool such as Azure Monitor or Splunk is used for alerting,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Specific owners and processes are defined for each alert type,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Operational events are prioritized based on business impact,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Push notifications are used to inform responsible parties of alerts in real time,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Alerting is integrated with an IT Service Management (ITSM) system such as ServiceNow,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Azure Service Health alerts been created to respond to Service-level events.,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Azure Resource Health alerts been created to respond to Resource-level events.,,, -Operational Excellence,How are you using Azure platform notifications and updates?,None of the above.,None of the above.,, -Operational Excellence,What is your approach to recovery and failover?,Recovery steps are defined and well understood for failover and failback,,, -Operational Excellence,What is 
your approach to recovery and failover?,The failover and failback approach has been tested/validated at least once,,, -Operational Excellence,What is your approach to recovery and failover?,The health model is being used to classify failover situations,,, -Operational Excellence,What is your approach to recovery and failover?,Automated recovery procedures are in place for common failure events,,, -Operational Excellence,What is your approach to recovery and failover?,Automated recovery procedures are tested and validated on a regular basis,,, -Operational Excellence,What is your approach to recovery and failover?,Critical manual processes are defined and documented for failure responses.,,, -Operational Excellence,What is your approach to recovery and failover?,Manual operational runbooks are tested and validated on a regular basis,,, -Operational Excellence,What is your approach to recovery and failover?,None of the above.,None of the above.,, -Operational Excellence,How are scale operations performed?,There is a capacity model for the workload,,, -Operational Excellence,How are scale operations performed?,Auto-scaling is enabled for supporting PaaS and IaaS services,,, -Operational Excellence,How are scale operations performed?,The process to provision and de-provision capacity is codified,,, -Operational Excellence,How are scale operations performed?,The impact of changes in application health on capacity is fully understood,,, -Operational Excellence,How are scale operations performed?,It has been validated that the required capacity (initial and future growth) is within Azure service scale limits and quotas,,, -Operational Excellence,How are scale operations performed?,It has been validated that the required capacity (initial and future growth) is available within targeted regions,,, -Operational Excellence,How are scale operations performed?,Capacity utilization is monitored and used to forecast future growth,,, -Operational Excellence,How are scale 
operations performed?,None of the above.,None of the above.,, -Operational Excellence,How are you managing the configuration of your workload?,You monitor and take advantage of new features and capabilities of underlying services used in your workload.,,, -Operational Excellence,How are you managing the configuration of your workload?,Application configuration information is stored using a dedicated management system such as Azure App Configuration or Azure Key Vault,,, -Operational Excellence,How are you managing the configuration of your workload?,Soft-Delete is enabled for your keys and credentials such as things stored in Key Vaults and Key Vault objects.,,, -Operational Excellence,How are you managing the configuration of your workload?,Configuration settings can be changed or modified without rebuilding or redeploying the application,,, -Operational Excellence,How are you managing the configuration of your workload?,Passwords and other secrets are managed in a secure store like Azure Key Vault or HashiCorp Vault,,, -Operational Excellence,How are you managing the configuration of your workload?,Procedures are in place for key/secret rotation,,, -Operational Excellence,How are you managing the configuration of your workload?,The application uses Azure Managed Identities,,, -Operational Excellence,How are you managing the configuration of your workload?,The expiry dates of SSL certificates are monitored and there are processes in place to renew them,,, -Operational Excellence,How are you managing the configuration of your workload?,Components are hosted on shared application or data platforms as appropriate.,,, -Operational Excellence,How are you managing the configuration of your workload?,Your workload takes advantage of multiple Azure subscriptions.,,, -Operational Excellence,How are you managing the configuration of your workload?,The workload is designed to leverage managed services.,,, -Operational Excellence,How are you managing the configuration of your 
workload?,None of the above.,None of the above.,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,There is a systematic approach to the development and release process.,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,The application can be deployed automatically from scratch without any manual operations,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,There is a documented process for any portions of the deployment that require manual intervention,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,N-1 or N+1 versions can be deployed via automated pipelines where N is current deployment version in production,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,There is a defined hotfix process which bypasses normal deployment procedures,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,The application deployment process leverages blue-green deployments and/or canary releases,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,Releases to production are gated by having it successfully deployed and tested in other environments,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,Feature flags are used to test features before rolling them out to everyone,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,None of the above.,None of the above.,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,The entire application 
infrastructure is defined as code,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,No operational changes are performed outside of infrastructure as code,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,Configuration drift is tracked and addressed,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,The process to deploy infrastructure is automated,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,Critical test environments have 1:1 parity with the production environment,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,Direct write access to infrastructure is not possible and all resources are provisioned or configured through IaC processes.,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,None of the above.,None of the above.,, -Operational Excellence,How are you managing and distributing your patches,You have a defined process to patch and update all relevant workload components.,,, -Operational Excellence,How are you managing and distributing your patches,You have a defined rollback strategy for patches.,,, -Operational Excellence,How are you managing and distributing your patches,There is an playbook to deploy emergency patches as needed.,,, -Operational Excellence,How are you managing and distributing your patches,None of the above.,None of the above.,, -Operational Excellence,How are you testing and validating your workload?,"The application is tested for performance, scalability, and resiliency",,, -Operational Excellence,How are you testing and validating your workload?,"Tests for performance, scalability, and resiliency are 
performed as part of each major change",,, -Operational Excellence,How are you testing and validating your workload?,At least a subset of tests is also performed in the production environment,,, -Operational Excellence,How are you testing and validating your workload?,Fault injection tests are being utilized,,, -Operational Excellence,How are you testing and validating your workload?,Smoke tests are performed during application deployments,,, -Operational Excellence,How are you testing and validating your workload?,Unit and integration testing is performed as part of the application deployment process,,, -Operational Excellence,How are you testing and validating your workload?,All these tests are automated and carried out periodically,,, -Operational Excellence,How are you testing and validating your workload?,Failing tests at least temporarily block a deployment and lead to a deeper analysis of what has happened,,, -Operational Excellence,How are you testing and validating your workload?,Business Continuity 'fire drills' are performed to test regional failover scenarios,,, -Operational Excellence,How are you testing and validating your workload?,Security and penetration testing is performed regularly,,, -Operational Excellence,How are you testing and validating your workload?,You regularly validate and update your tests to reflect any necessary changes.,,, -Operational Excellence,How are you testing and validating your workload?,Operational procedures are reviewed and refined regularly.,,, -Operational Excellence,How are you testing and validating your workload?,Mocks and stubs are used to test external dependencies in non-production environments.,,, -Operational Excellence,How are you testing and validating your workload?,None of the above.,None of the above.,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,"Specific methodologies, like DevOps, are used to structure the development and operations 
process",,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,Collaboration between development and operations team to resolve production issue is clearly defined and well understood,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,Operational shortcomings and failures are analyzed and used to improve and refine operational procedures,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,"There are tools or processes in place, such as Azure AD Privileged Identity Management, to grant access to critical systems on a just in-time basis",,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,No users have long-standing write-access to production environments,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,Azure Resource Tags are used to enrich resources with operational meta-data,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,"There are tools and processes, like Azure Policy, in place to govern available services, enforce mandatory operational functionality and ensure compliance",,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,"Standards, policies, restrictions and best practices are defined as code, for example by using solutions like Azure Policy or HashiCorp Sentinel",,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,None of the above.,None of the above.,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Error budgets used to track service reliability.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,There is a policy that 
governs what happens when the error budget is exhausted.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Availability targets such as Service Level Agreements (SLAs) and Service Level Objectives (SLOs) have been set.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,The life-cycle of the application is decoupled from its dependencies.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Application logs are correlated across components.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,The application is instrumented with semantic logs and metrics.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Validated required capacity is within Azure service scale limits and quotas.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Calculated target data sizes and associated growth rates per scenario and component.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Operational procedures are defined in case data sizes exceed limits.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Tested and validated defined latency and throughput targets per scenario and component.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Autoscaling is enabled for application components and integrated with Azure Monitor.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Defined a disaster recovery strategy to capture recovery steps for failover and failback.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Keys and secrets are backed-up to geo-redundant storage.,,, -Operational 
Excellence,What operational excellence allowances for reliability have you made?,Application can be automatically deployed to a new region without any manual operations to recover from disaster scenarios.,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,None of the above.,None of the above.,, -Operational Excellence,What operational excellence allowances for cost have you made?," The application was built natively for the cloud.",,, -Operational Excellence,What operational excellence allowances for cost have you made?,The workload is designed to use Availability Zones within a region.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,The application has been designed to scale both in and out.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Performance requirements are well-defined.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Critical system flows through the application have been defined for all key business scenarios.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Application Performance Management (APM) tools and log aggregation technologies are used to collect logs and metrics from Azure resources.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Role Based Access Control (RBAC) is used to control access to operational and financial dashboards and underlying data.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Specific owners and processes are defined for each alert type.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,There is an automated process to deploy application releases to production.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,There is awareness around how the 
application has been built and is being maintained (in house or via an external partner).,,, -Operational Excellence,What operational excellence allowances for cost have you made?,The application has a well-defined naming standard for Azure resources.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Targets for the time it takes to perform scale operations are defined and monitored.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,All internal and external dependencies identified and categorized as either weak or strong.,,, -Operational Excellence,What operational excellence allowances for cost have you made?,None of the above.,None of the above.,, -Operational Excellence,What operational excellence allowances for security have you made?,Regulatory and governance requirements of this workload are known and well understood.,,, -Operational Excellence,What operational excellence allowances for security have you made?,There are tools and processes in place to grant just-in-time access.,,, -Operational Excellence,What operational excellence allowances for security have you made?,Appropriate emergency access accounts are configured for this workload.,,, -Operational Excellence,What operational excellence allowances for security have you made?,None of the above.,None of the above.,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,The workload is deployed across multiple regions.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,"Regions were chosen based on location, proximity to users, and resource type availability.",,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,Paired regions are used appropriately.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in 
your workload?,You have ensured that both (all) regions in use have the same performance and scale SKUs that are currently leveraged in the primary region.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,Within a region the application architecture is designed to use Availability Zones.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,The application is implemented with strategies for resiliency and self-healing.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,Component proximity is considered for application performance reasons.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,The application can operate with reduced functionality or degraded performance in the case of an outage.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,You choose appropriate datastores for the workload during the application design.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,Your application is using a micro-service architecture.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,You understand where state will be stored for the workload.,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,None of the above.,None of the above.,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,You are able to predict general application usage.,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,There are well-defined performance requirements for the workload and 
its key scenarios.,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,Targets for scale operations are defined.,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,You understand and have documented the expected maximum traffic volume before performance degradation occurs.,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,None of the above.,None of the above.,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,The workload can scale horizontally in response to changing load.,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,Have policies to scale in and scale down when the load decreases.,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,Configured scaling policies to use the appropriate metrics.,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,Automatically schedule autoscaling to add resources based on time of day trends.,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,Autoscaling has been tested under sustained load.,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,You have measured the time it takes to scale in and out.,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,None of the above.,None of the above.,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,You have a capacity model for the workload.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,Capacity 
utilization is monitored and used to forecast future growth.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,A process for provisioning and de-provisioning capacity has been established.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,You have enabled auto-scaling for all PaaS and IaaS services that support it.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,You are aware of relevant Azure service limits and quotas.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,You have validated the SKU and configuration choices are appropriate for your anticipated loads.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,There is a strategy in place to manage events that may cause a spike in load.,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,None of the above.,None of the above.,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,You are using a Content Delivery Network.,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,You are offloading SSL.,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,You are using authentication/token verification offloading.,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,"You have defined, tested, and validated latency targets for key scenarios.",,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,"You have defined, tested, and validated throughput targets for key scenarios.",,, -Performance 
Efficiency,What considerations for performance efficiency have you made in your networking stack?,You have identified all components that are sensitive to network latency.,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,Dedicated bandwidth has been acquired where needed.,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,None of the above.,None of the above.,, -Performance Efficiency,How are you managing your data to handle scale?,You know the growth rate of your data.,,, -Performance Efficiency,How are you managing your data to handle scale?,You have documented plans for data growth and retention.,,, -Performance Efficiency,How are you managing your data to handle scale?,Design for eventual consistency.,,, -Performance Efficiency,How are you managing your data to handle scale?,You are using database replicas and data partitioning (sharding) as appropriate.,,, -Performance Efficiency,How are you managing your data to handle scale?,Minimize the load on the data store.,,, -Performance Efficiency,How are you managing your data to handle scale?,Normalize the data appropriately.,,, -Performance Efficiency,How are you managing your data to handle scale?,Optimize database queries and indexes.,,, -Performance Efficiency,How are you managing your data to handle scale?,None of the above.,None of the above.,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,There is a defined testing strategy.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,Performance tests are performed regularly.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,You have identified the human and environmental resources needed to create performance tests.,,, -Performance Efficiency,How are you testing 
to ensure that you workload can appropriately handle user load?,You are using appropriate tools to conduct performance tests on your workload.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,You are testing all appropriate components for performance.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,You have identified all services being utilized in Azure (and on-premise) that need to be measured.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,Some tests are performed in production.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,The testing plan includes occasionally injecting faults.,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,None of the above.,None of the above.,, -Performance Efficiency,How are you benchmarking your workload?,You have identified goals or a baseline for workload performance.,,, -Performance Efficiency,How are you benchmarking your workload?,Performance goals are based on device and/or connectivity type as appropriate.,,, -Performance Efficiency,How are you benchmarking your workload?,You have defined an initial connection goal for your workload.,,, -Performance Efficiency,How are you benchmarking your workload?,There is a goal defined for complete page load times.,,, -Performance Efficiency,How are you benchmarking your workload?,You have defined goals for an API (service) endpoint complete response.,,, -Performance Efficiency,How are you benchmarking your workload?,There are goals defined for server response time.,,, -Performance Efficiency,How are you benchmarking your workload?,You have goals for latency between the systems & microservices of your workload.,,, -Performance Efficiency,How are you benchmarking your workload?,There 
are goals on database query efficiency.,,, -Performance Efficiency,How are you benchmarking your workload?,You have a methodology to determine what acceptable performance is.,,, -Performance Efficiency,How are you benchmarking your workload?,None of the above.,None of the above.,, -Performance Efficiency,How have you modeled the health of your workload?,Application and resource level logs are aggregated in a single data sink or able to be cross-queried.,,, -Performance Efficiency,How have you modeled the health of your workload?,A health model is used to qualify what 'healthy' and 'unhealthy' states represent for the application.,,, -Performance Efficiency,How have you modeled the health of your workload?,Critical system flows are used to inform the health model.,,, -Performance Efficiency,How have you modeled the health of your workload?,The health model can distinguish between transient and non-transient faults.,,, -Performance Efficiency,How have you modeled the health of your workload?,The health model can determine if the workload is performing at the expected targets.,,, -Performance Efficiency,How have you modeled the health of your workload?,Retention times for logs and metrics been defined and housekeeping mechanisms are configured.,,, -Performance Efficiency,How have you modeled the health of your workload?,Long-term trends are analyzed to predict performance issues before they occur.,,, -Performance Efficiency,How have you modeled the health of your workload?,None of the above.,None of the above.,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Track when resources scale in and out.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Have an overall monitoring strategy for scalability and performance.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Application logs are collected from different application 
environments.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Logs are captured in a structured format.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,You monitor how much of an application is involved in serving a single request.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Application events are correlated across all application components.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,"You have determined an acceptable operational margin between your peak utilization and the application's maximum load, and monitor for this.",,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,You are aware of the appropriate metrics to monitor for performance tests under standard load.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,You monitor critical external dependencies for performance.,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,None of the above.,None of the above.,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You have steps to troubleshoot database issues.,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You know how to handle high CPU or memory situations.,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You know what to do when the application response times increase while not using all the CPU or memory allocated to the system.,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You use profiling tools to profile your application code.,,, -Performance Efficiency,What 
common problems do you have steps to troubleshoot in your operations playbook?,You have a response plan for network performance problems that includes traffic capturing tools.,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,None of the above.,None of the above.,, diff --git a/WARP/devops/testing/test-assessmentsmall.csv b/WARP/devops/testing/test-assessmentsmall.csv deleted file mode 100644 index 560673a..0000000 --- a/WARP/devops/testing/test-assessmentsmall.csv +++ /dev/null 
@@ -1,692 +0,0 @@ -"Azure Well-Architected Review - Dec 21, 2021 - 2:41:03 PM",,,,,,, -,,,,,,, -Recommendations for your workload,,,,,,, -Your overall results,Critical,'0/100',,,,, -Reliability,Critical,'0/100',,,,, -Security,Critical,'0/100',,,,, -Cost Optimization,Critical,'0/100',,,,, -Operational Excellence,Critical,'0/100',,,,, -Performance Efficiency,Critical,'0/100',,,,, -WAF Configuration,Not assessed,,,,,, -Reliability - Azure Machine Learning,Not assessed,,,,,, -Security - Azure Machine Learning,Not assessed,,,,,, -Cost Optimization - Azure Machine Learning,Not assessed,,,,,, -Operational Excellence - Azure Machine Learning,Not assessed,,,,,, -Performance Efficiency - Azure Machine Learning,Not assessed,,,,,, -Reliability - Data Management,Not assessed,,,,,, -Security - Data Management,Not assessed,,,,,, -Cost Optimization - Data management,Not assessed,,,,,, -Operational Excellence - Data Management,Not assessed,,,,,, -Performance Efficiency - Data Management,Not assessed,,,,,, -,,,,,,, -Next Steps,,,,,,, -Review identify and classify business critical applications,https://docs.microsoft.com/azure/architecture/framework/Security/applications-services#identify-and-classify-business-critical-applications,,,,,, -Define RPO and RTO for your workload,https://docs.microsoft.com/azure/architecture/framework/Resiliency/business-metrics#recovery-metrics,,,,,, -Review limits,https://docs.microsoft.com/azure/architecture/framework/DevOps/app-design#limits,,,,,, -,,,,,,, -Category,Link-Text,Link,Priority,ReportingCategory,ReportingSubcategory,Weight,Context -Reliability,Identify distinct workloads,https://docs.microsoft.com/azure/architecture/framework/Resiliency/app-design#considerations-for-improving-reliability,High,Application Design,Design,99,Identify distinct workloads -Reliability,Identify recovery targets for your workload,https://docs.microsoft.com/azure/architecture/framework/Resiliency/business-metrics#recovery-metrics,High,Application Design,Targets & 
Non-Functional Requirements,90,Identify recovery targets for your workload -Reliability,Monitor long-running workflows for failures,https://docs.microsoft.com/azure/architecture/framework/Resiliency/monitoring#long-running-workflow-failures,High,Application Design,Transactional,80,Monitor long-running workflows for failures -Reliability,Create a data restoration plan,https://docs.microsoft.com/azure/architecture/reliability/architect#manage-your-data,High,Data Platform Availability,Replication and Redundancy,79,Create a data restoration plan -Reliability,Create a disaster recovery plan,https://docs.microsoft.com/azure/architecture/framework/Resiliency/backup-and-recovery#disaster-recovery-plan,High,Application Design,Design,79,Create a disaster recovery plan -Reliability,Operate your workload in multiple regions,https://docs.microsoft.com/azure/availability-zones/az-overview,High,Application Design,Design,77,Operate your workload in multiple regions -Reliability,Test under expected peak load,https://docs.microsoft.com/azure/architecture/framework/Resiliency/testing#test-under-peak-loads,Medium,Deployment & Testing,Testing & Validation,57,Test under expected peak load -Reliability,Load balance traffic across availability zones,https://docs.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones,Medium,Networking & Connectivity,Connectivity,54,Load balance traffic across availability zones -Reliability,Automate key rotation,https://docs.microsoft.com/azure/key-vault/secrets/key-rotation-log-monitoring,Medium,Operational Procedures,Configuration & Secrets Management,53,Automate key rotation -Reliability,Automatically test your failover and failback process,https://docs.microsoft.com/azure/architecture/framework/Resiliency/backup-and-recovery#failover-and-failback-testing,Medium,Operational Procedures,Recovery & Failover,51,Automatically test your failover and failback process -Reliability,Implement retry logic to handle transient 
failures,https://docs.microsoft.com/azure/architecture/framework/Resiliency/app-design-error-handling#handling-transient-failures,Medium,Application Design,Design,50,Implement retry logic to handle transient failures -Reliability,Store session state in an external data store,https://docs.microsoft.com/aspnet/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/web-development-best-practices,Medium,Operational Procedures,Configuration & Secrets Management,50,Store session state in an external data store -Reliability,Segregate read operations from update operations,https://docs.microsoft.com/azure/architecture/patterns/cqrs,Medium,Application Design,Design,50,Segregate read operations from update operations -Security,Scan container workloads for vulnerabilities,https://docs.microsoft.com/azure/security-center/container-security,High,Deployment & Testing,Testing & Validation,90,Scan container workloads for vulnerabilities -Security,Establish a detection and response strategy for identity risks,https://docs.microsoft.com/azure/architecture/framework/security/monitor-identity-network#review-identity-risks,High,Health Modeling & Monitoring,Application Level Monitoring,90,Establish a detection and response strategy for identity risks -Security,Classify your data at rest and use encryption,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-at-rest,High,Security & Compliance,Encryption,90,Classify your data at rest and use encryption -Security,Ensure all Azure environments that connect to your production environment/network apply your organization’s policy and IT governance controls for security,https://docs.microsoft.com/azure/architecture/framework/Security/governance#manage-connected-tenants,High,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,80,Ensure all Azure environments that connect to your production environment/network apply your organization’s 
policy and IT governance controls for security -Security,Use penetration testing and red team exercises to validate security defenses for this workload,https://docs.microsoft.com/azure/architecture/framework/security/monitor-test#penetration-testing-pentesting,High,Deployment & Testing,Testing & Validation,70,Use penetration testing and red team exercises to validate security defenses for this workload -Security,Define a set of Azure Policies which enforce organizational standards and are aligned with the governance team,https://docs.microsoft.com/azure/governance/policy/overview,High,Security & Compliance,Compliance,70,Define a set of Azure Policies which enforce organizational standards and are aligned with the governance team -Security,Apply security controls to self-hosted build agents in the same manner as with other Azure IaaS VMs,https://docs.microsoft.com/azure/architecture/framework/security/deploy-infrastructure#build-environments,High,Deployment & Testing,Build Environments,70,Apply security controls to self-hosted build agents in the same manner as with other Azure IaaS VMs -Security,Automatically remove/obfuscate personally identifiable information (PII) for this workload,https://docs.microsoft.com/azure/search/cognitive-search-skill-pii-detection,High,Health Modeling & Monitoring,Application Level Monitoring,70,Automatically remove/obfuscate personally identifiable information (PII) for this workload -Security,Follow DevOps security guidance and automation for securing applications,https://docs.microsoft.com/azure/architecture/framework/security/deploy-code,High,Operational Model & DevOps,General,70,Follow DevOps security guidance and automation for securing applications -Security,Implement lifecycle management process for SSL/TLS certificates,https://docs.microsoft.com/azure/key-vault/certificates/tutorial-rotate-certificates,High,Operational Procedures,Configuration & Secrets Management,70,Implement lifecycle management process for SSL/TLS 
certificates -Security,Use NSG or Azure Firewall to protect and control traffic within VNETs,https://docs.microsoft.com/azure/architecture/framework/security/design-network-connectivity#connectivity-between-network-segments,High,Networking & Connectivity,Connectivity,70,Use NSG or Azure Firewall to protect and control traffic within VNETs -Security,Implement just-in-time privileged access management,https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure,High,Operational Model & DevOps,Roles & Responsibilities,70,Implement just-in-time privileged access management -Security,"Prohibit direct internet access of virtual machines with policy, logging, and monitoring",https://docs.microsoft.com/azure/architecture/framework/Security/governance#remove-virtual-machine-vm-direct-internet-connectivity,High,Networking & Connectivity,Endpoints,70,"Prohibit direct internet access of virtual machines with policy, logging, and monitoring" -Security,Use only secure hash algorithms (SHA-2 family),https://docs.microsoft.com/azure/architecture/framework/Security/governance#discover-and-replace-insecure-protocols,High,Security & Compliance,Encryption,70,Use only secure hash algorithms (SHA-2 family) -Security,Store keys and secrets outside of application code in Azure Key Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-storage-keys#key-storage,High,Operational Procedures,Configuration & Secrets Management,70,Store keys and secrets outside of application code in Azure Key Vault -Security,Configure and collect network traffic logs,https://docs.microsoft.com/azure/architecture/framework/security/monitor-identity-network#enable-network-visibility,Medium,Networking & Connectivity,Connectivity,60,Configure and collect network traffic logs -Security,Regularly simulate attacks against critical 
accounts,https://docs.microsoft.com/azure/architecture/framework/Security/critical-impact-accounts#attack-simulation-for-critical-impact-accounts,Medium,Deployment & Testing,Testing & Validation,60,Regularly simulate attacks against critical accounts -Security,Synchronize on-premises directory with Azure AD,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#centralize-all-identity-systems,Medium,Security & Compliance,Authentication and authorization,60,Synchronize on-premises directory with Azure AD -Security,Maintain a list of frameworks and libraries as part of the application inventory,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#dependencies-frameworks-and-libraries,Medium,Application Design,Dependencies,60,Maintain a list of frameworks and libraries as part of the application inventory -Security,Implement role-based access control for application infrastructure,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#roles-and-permission-assignment,Medium,Security & Compliance,Separation of duties,50,Implement role-based access control for application infrastructure -Security,Make sure that all regulatory requirements are known and well understood,https://docs.microsoft.com/azure/architecture/framework/security/design-regulatory-compliance#gather-regulatory-requirements,Medium,Governance,Standards,50,Make sure that all regulatory requirements are known and well understood -Security,Restrict application infrastructure access to CI/CD only,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-control-plane#application-deployment,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,Restrict application infrastructure access to CI/CD only -Security,Use managed identity providers to authenticate to this 
workload,https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-identity-based-authentication,Medium,Security & Compliance,Authentication and authorization,50,Use managed identity providers to authenticate to this workload -Security,Implement defenses that detect and prevent commodity attacks,https://docs.microsoft.com/azure/architecture/framework/security/resilience#increasing-attacker-cost,Low,Application Design,Security Criteria & Data Classification,30,Implement defenses that detect and prevent commodity attacks -Cost Optimization,Use RBAC to contol access to dashboards and data,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs#provide-the-right-level-of-cost-access,High,Health Modeling & Monitoring,Dashboarding,90,"Are the dashboards openly available in your organization or do you limit access based on roles etc.? For example: developers usually don't need to know the overall cost of Azure for the company, but it might be good for them to be able to watch a particular workload." -Cost Optimization,Understand the Azure services used and cost implications,https://docs.microsoft.com/azure/architecture/framework/cost/design-initial-estimate,High,Application Design,Application Composition,90,"It is important to understand what Azure services, such as App Services and Event Hubs, are used by the application platform to host both application code and data. In a discussion around cost, this can drive decisions towards the right replacements (e.g. moving from Virtual Machines to containers to increase efficiency, or migrating to .NET Core to use cheaper SKUs etc.)." -Cost Optimization,Organize data into access tiers,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/considerations/storage-options,High,Application Design,Application Composition,90,"Azure offers multiple products and services for different storage capabilities. 
Review the different options available and decide which one is better for your workload. After you identify the Storage resources that best match your requirements, use the detailed documentation available to familiarize yourself with these services." -Cost Optimization,Select the right operating system,https://docs.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree,High,Capacity & Service Availability Planning,Efficiency,90,"Analyze the technology stack and identify which workloads are capable of running on Linux and which require Windows. Linux-based VMs and App Services are significantly cheaper, but require the app to run on supported stack (.NET Core, Node.js etc.).Select the right operating system" -Cost Optimization,Delete or deallocate unused resources in test environments,https://azure.microsoft.com/en-us/solutions/dev-test/#overview,High,Deployment & Testing,Testing & Validation,90,Review you pre-production environment periodically and shutdown or remove unused resources. -Cost Optimization,Use ACM or other cost management tools,https://docs.microsoft.com/azure/architecture/framework/cost/monitor-reports,High,Health Modeling & Monitoring,Dashboarding,90,"In order to track spending an ACM tool can help with understanding how much is spent, where and when. This helps to make better decisions about how and if cost can be reduced." -Cost Optimization,Design the workload to scale independently,https://docs.microsoft.com/azure/architecture/framework/cost/optimize-autoscale,High,Capacity & Service Availability Planning,Efficiency,90,"For certain application, capacity requirements may swing over time. Autoscaling policies allow for less error-prone operations and cost savings through robust automation. Choose smaller instances where workload is highly variable and scale out to get the desired level of performance, rather than up." 
-Cost Optimization,Utilize the PaaS pay-as-you-go consumption model where relevant,https://docs.microsoft.com/azure/architecture/framework/cost/design-price,Medium,Operational Procedures,Operational Lifecycles,50,"To bring down cost the goal should be to get as many applications to only consume resources when they are used, this goes as an evolution from IaaS to PaaS to serverless where you only pay when a service I triggered. The PaaS and serverless might appear more expensive, but risk and other operational work is transferred to the cloud provider which should also be factored in as part of the cost (e.g. patching, monitoring, licenses)." -Cost Optimization,Use cost forecasting for budget alignment,https://docs.microsoft.com/azure/cost-management-billing/costs/quick-acm-cost-analysis?tabs=azure-portal,Medium,Governance,Financial Management & Cost Models,50,In order to predict costs and trends it's recommended to use forecasting to be proactive for any spending that might be going up due to higher demand than anticipated. -Cost Optimization,Consider selective backups for VMs,https://docs.microsoft.com/azure/backup/selective-disk-backup-restore,Medium,Application Design,Design,50,"Azure Backup supports the use of the Selective Disks backup and restore functionally which allows you to back up a subset of data disks in a VM, which is an efficient and cost-effective way to backup your application." -Cost Optimization,Understand the cost implications of Availability Zones,https://azure.microsoft.com/en-us/global-infrastructure/availability-zones/,Medium,Application Design,Design,50,"Availability Zones can be used to optimize application availability within a region by providing datacenter level fault tolerance. However, the application architecture must not share dependencies between zones to use them effectively. 
It is also important to note that Availability Zones may introduce performance and cost considerations for applications which are extremely 'chatty' across zones given the implied physical separation between each zone and inter-zone bandwidth charges. That also means that AZ can be considered to get higher Service Level Agreement (SLA) for lower cost. Be aware of pricing changes coming to Availability Zone bandwidth starting February 2021." -Cost Optimization,The entire end-to-end CI/CD deployment process should be understood,https://azure.microsoft.com/en-us/pricing/details/devops/azure-devops-services/,Medium,Deployment & Testing,Application Code Deployments,50, -Cost Optimization,Explore where technical delivery capabilities reside,https://docs.microsoft.com/azure/architecture/framework/cost/design-model#organization-structure,Medium,Operational Model & DevOps,Roles & Responsibilities,50,Map the organization's needs to logical groupings offered by cloud services. This way the business leaders of the company get a clear view of the cloud services and how they're controlled. -Cost Optimization,Define a clear price model for individual services,https://docs.microsoft.com/azure/architecture/framework/cost/design-price,Medium,Capacity & Service Availability Planning,Efficiency,50,As part of driving a good behavior it's important that the consumer has understood why they are paying the price for a service and also that the cost is transparent and fair to the user of the service or else it can drive wrong behavior. -Cost Optimization,Pause AKS clusters,https://docs.microsoft.com/azure/aks/start-stop-cluster,Medium,Capacity & Service Availability Planning,Efficiency,50,"To optimize your costs when AKS workloads may not need to run continuously, you can completely turn off (stop) your cluster. 
This action will stop your control plane and agent nodes altogether, allowing you to save on all the compute costs, while maintaining all your objects and cluster state stored for when you start it again. " -Cost Optimization,Understand cost implications of hub and spoke design,https://docs.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture,Medium,Networking & Connectivity,Data flow,50,Consider using a hub and spoke approach to save costs by using a managed service and removing the necessity of network virtual appliance. -Cost Optimization,Be aware of cross-region data transfer costs,https://docs.microsoft.com/azure/architecture/framework/cost/provision-networking#peering,Medium,Networking & Connectivity,Data flow,50,Moving data between regions can add additional cost - both on the storage layer or networking layer. It's worth reviewing if this cost is can be replaced via re-architecture or justified due to e.g. disaster recovery (DR). -Cost Optimization,Understand cloud-native features and implement where possible,https://azure.microsoft.com/en-us/overview/cloudnative/,Low,Application Design,Design,10,Understanding if the application is cloud-native or not provides a very useful high-level indication about potential technical debt for operability and cost efficiency. -Cost Optimization,Be aware of extra cost when tunnelling traffic through on-premises,https://docs.microsoft.com/azure/firewall/forced-tunneling,Low,Networking & Connectivity,Data flow,10,Consider the extra cost related to data ingress and egress if your application requires to use forced tunneling. 
-Operational Excellence,Store keys and secrets outside of application code in Azure Key Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#secrets,High,Operational Procedures,Configuration & Secrets Management,70,Store keys and secrets outside of application code in Azure Key Vault -Operational Excellence,Monitor the expiry of SSL certificates,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#SSL,High,Operational Procedures,Configuration & Secrets Management,70,Monitor the expiry of SSL certificates -Operational Excellence,Understand the impact of dependencies,https://docs.microsoft.com/azure/architecture/framework/resiliency/design-resiliency#understand-the-impact-of-dependencies,Medium,Application Design,Dependencies,50,Understand the impact of dependencies -Operational Excellence,Setup black-box monitoring to monitor the platform and customer experience,https://docs.microsoft.com/azure/architecture/framework/resiliency/monitor-model#white-box-and-black-box-monitoring,Medium,Health Modeling & Monitoring,Monitoring and Measurement,50,Setup black-box monitoring to monitor the platform and customer experience -Operational Excellence,Use a log aggregation technology,https://docs.microsoft.com/azure/architecture/best-practices/monitoring#collecting-and-storing-data,Medium,Health Modeling & Monitoring,Resource and Infrastructure Level Monitoring,50,Use a log aggregation technology -Operational Excellence,Use the health model to classify failover situations,https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery#failover-classification,Medium,Operational Procedures,Recovery & Failover,50,Use the health model to classify failover situations -Operational Excellence,Create Azure Resource Health alerts,https://docs.microsoft.com/azure/service-health/resource-health-alert-monitor-guide,Medium,Health Modeling & Monitoring,Alerting,50,Create Azure Resource Health 
alerts -Operational Excellence,"Define standards, policies and best practices as code",https://docs.microsoft.com/azure/governance/policy/concepts/definition-structure,Medium,Governance,Standards,50,"Define standards, policies and best practices as code" -Operational Excellence,Tailor dashboards to your needs,https://docs.microsoft.com/azure/architecture/framework/devops/alerts#alert-dashboarding,Medium,Health Modeling & Monitoring,Dashboarding,50,Tailor dashboards to your needs -Operational Excellence,Correlate logs and metrics for critical internal dependencies,https://docs.microsoft.com/azure/architecture/framework/devops/monitoring#event-correlation,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Correlate logs and metrics for critical internal dependencies -Operational Excellence,Document all portions of the deployment that require manual intervention,https://docs.microsoft.com/azure/architecture/framework/devops/automation-infrastructure#manual-deployment,Medium,Deployment & Testing,Application Code Deployments,50,Document all portions of the deployment that require manual intervention -Operational Excellence,Use deployment strategies to deploy your workloads,https://docs.microsoft.com/azure/architecture/framework/devops/deployment#stage-your-workloads,Medium,Deployment & Testing,Application Code Deployments,50,Use deployment strategies to deploy your workloads -Operational Excellence,Implement release gates,https://docs.microsoft.com/azure/architecture/framework/devops/deployment#implement-deployment-security-measures,Medium,Deployment & Testing,Build Environments,50,Implement release gates -Operational Excellence,Make sure that specific methodologies are used to structure the deployment and operations process,https://docs.microsoft.com/azure/architecture/framework/devops/principles#methodologies,Medium,Operational Model & DevOps,General,50,Make sure that specific methodologies are used to structure the deployment and operations process 
-Operational Excellence,Consider storing application configuration in a dedicated management system like Azure App Configuration or Azure Key Vault,https://docs.microsoft.com/azure/architecture/framework/security/design-app-dependencies#key-points,Medium,Operational Procedures,Configuration & Secrets Management,50,Consider storing application configuration in a dedicated management system like Azure App Configuration or Azure Key Vault -Operational Excellence,Perform security and penetration testing regularly,https://docs.microsoft.com/azure/architecture/framework/security/monitor-test#penetration-testing-pentesting,Medium,Deployment & Testing,Testing & Validation,50,Perform security and penetration testing regularly -Operational Excellence,Perform some tests in production,https://docs.microsoft.com/azure/devops/learn/devops-at-microsoft/shift-right-test-production,Medium,Deployment & Testing,Testing & Validation,50,Perform some tests in production -Operational Excellence,Deploy all infrastructure through an infrastructure-as-code process,https://docs.microsoft.com/azure/architecture/framework/devops/automation-infrastructure#why-deploy-infrastructure-with-code,Medium,Deployment & Testing,Application Infrastructure Provisioning,50,Deploy all infrastructure through an infrastructure-as-code process -Operational Excellence,Take advantage of multiple subscriptions where appropriate,https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions#azure-management-groups,Low,Application Design,Design,30,Take advantage of multiple subscriptions where appropriate -Performance Efficiency,The health model can determine if a fault is transient,https://docs.microsoft.com/azure/architecture/best-practices/transient-faults,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,59,The health model can determine if a fault is transient -Performance Efficiency,Monitor how long it takes to scale against your 
targets,https://docs.microsoft.com,Medium,Application Performance Management,Elasticity,50,Monitor how long it takes to scale against your targets -Performance Efficiency,Know how long it takes to respond to scaling events,https://docs.microsoft.com/azure/architecture/framework/Scalability/load-testing#responding-quickly-to-additional-load,Medium,Application Performance Management,Elasticity,50,Know how long it takes to respond to scaling events -Performance Efficiency,Optimize your resource choices,https://docs.microsoft.com/azure/architecture/framework/Scalability/capacity#choosing-the-right-resources,Medium,Capacity & Service Availability Planning,Service SKU,50,Optimize your resource choices -Performance Efficiency,Consider using proximity placement groups for components that are very sensitive to network latency,https://docs.microsoft.com/azure/virtual-machines/windows/co-location#proximity-placement-groups,Medium,Application Performance Management,Data Latency and Throughput,50,Consider using proximity placement groups for components that are very sensitive to network latency -Performance Efficiency,Deploy to paired regions,https://docs.microsoft.com/azure/best-practices-availability-paired-regions,Medium,Application Design,Design,50,Deploy to paired regions -Performance Efficiency,Use appropriate performance testing tools,https://docs.microsoft.com/azure/architecture/framework/scalability/performance-test,Medium,Performance Testing,Tools & Planning,50,Use appropriate performance testing tools -Performance Efficiency,Use critical system flows in the health model,https://docs.microsoft.com/azure/architecture/framework/resiliency/monitor-model#application-logs,Medium,Health Modeling & Monitoring,Data Interpretation & Health Modeling,50,Use critical system flows in the health model -Performance Efficiency,Track how your resources scale,https://docs.microsoft.com/azure/architecture/framework/Scalability/monitoring#how-do-azure-service-auto-scale,Medium,Health 
Modeling & Monitoring,Data Interpretation & Health Modeling,50,Track how your resources scale -Performance Efficiency,Collect application logs from all environments with a tool like Azure Application Insights,https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview,Medium,Health Modeling & Monitoring,Application Level Monitoring,50,Collect application logs from all environments with a tool like Azure Application Insights -Performance Efficiency,Develop a troubleshooting guide for high CPU or memory issues,https://docs.microsoft.com/troubleshoot/azure/virtual-machines/troubleshoot-high-cpu-issues-azure-windows-vm,Medium,Performance Testing,Troubleshooting,50,Develop a troubleshooting guide for high CPU or memory issues -Performance Efficiency,Use a Content Delivery Networks (CDN),https://docs.microsoft.com/azure/architecture/framework/Scalability/capacity#content-delivery-networks-(cdn),Low,Networking & Connectivity,Endpoints,30,Use a Content Delivery Networks (CDN) ------------,,,,,,, -,,,,,,, -Category,Question,Answers,Selected Answer,Note,,, -WAF Configuration,What workload type do you want to evaluate?,Core Well-Architected Review,Core Well-Architected Review,,,, -WAF Configuration,What workload type do you want to evaluate?,Azure Machine Learning (Preview),,,,, -WAF Configuration,What workload type do you want to evaluate?,Data Services,,,,, -WAF Configuration,Which pillars do you want to evaluate?,Reliability,Reliability,,,, -WAF Configuration,Which pillars do you want to evaluate?,Security,Security,,,, -WAF Configuration,Which pillars do you want to evaluate?,Cost,Cost,,,, -WAF Configuration,Which pillars do you want to evaluate?,Operational Excellence,Operational Excellence,,,, -WAF Configuration,Which pillars do you want to evaluate?,Performance,Performance,,,, -Reliability,What reliability targets and metrics have you defined for your application?,Recovery targets to identify how long the workload can be unavailable (Recovery Time 
Objective) and how much data is acceptable to lose during a disaster (Recovery Point Objective).,,,,, -Reliability,What reliability targets and metrics have you defined for your application?,Availability targets such as Service Level Agreements (SLAs) and Service Level Objectives (SLOs).,,,,, -Reliability,What reliability targets and metrics have you defined for your application?,Availability metrics to measure and monitor availability such as Mean Time To Recover (MTTR) and Mean Time Between Failure (MTBF).,,,,, -Reliability,What reliability targets and metrics have you defined for your application?,Composite SLA for the workload derived using the Azure SLAs for all relevant resources.,,,,, -Reliability,What reliability targets and metrics have you defined for your application?,SLAs for all internal and external dependencies.,,,,, -Reliability,What reliability targets and metrics have you defined for your application?,Independent availability and recovery targets for critical application subsystems and scenarios.,,,,, -Reliability,What reliability targets and metrics have you defined for your application?,None of the above.,None of the above.,,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Deployed the application across multiple regions.,,,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Removed all single points of failure by running multiple instances of application components.,,,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Deployed the application across Availability Zones within a region.,,,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Performed Failure Mode Analysis (FMA) to identify fault-points and fault-modes.,,,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Planned for component level faults to minimize 
application downtime.,Planned for component level faults to minimize application downtime.,,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,Planned for dependency failures to minimize application downtime.,Planned for dependency failures to minimize application downtime.,,,, -Reliability,How have you ensured that your application architecture is resilient to failures?,None of the above.,None of the above.,,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Built a capacity model for the application ,,,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Planned for expected usage patterns.,,,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Confirmed Azure service availability in required regions.,,,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Confirmed Availability Zones are available in required regions.,,,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Validated required capacity is within Azure service scale limits and quotas.,,,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Validated all APIs/SDKs against target run-times and languages for required functionality.,,,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,Aligned with Azure roadmaps for required preview services and capabilities.,,,,, -Reliability,How have you ensured required capacity and services are available in targeted regions?,None of the above.,None of the above.,,,, -Reliability,How are you handling disaster recovery for this workload?,Application is available across multiple regions in an active-active configuration.,,,,, -Reliability,How are you handling disaster recovery 
for this workload?,Application is deployed across multiple regions in an active-passive configuration in alignment with recovery targets.,,,,, -Reliability,How are you handling disaster recovery for this workload?,Traffic is routable to the application in the case of a regional failure.,,,,, -Reliability,How are you handling disaster recovery for this workload?,Defined a backup strategy in alignment with recovery targets.,,,,, -Reliability,How are you handling disaster recovery for this workload?,Defined a disaster recovery strategy to capture recovery steps for failover and failback.,,,,, -Reliability,How are you handling disaster recovery for this workload?,Failover and failback steps and processes are automated.,,,,, -Reliability,How are you handling disaster recovery for this workload?,Successfully tested and validated the failover and failback approach at least once.,,,,, -Reliability,How are you handling disaster recovery for this workload?,Decomposed the application into distinct subsystems with independent disaster recovery strategies.,,,,, -Reliability,How are you handling disaster recovery for this workload?,Network connectivity redundancy for on premise data/application sources.,,,,, -Reliability,How are you handling disaster recovery for this workload?,None of the above.,None of the above.,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application processes are stateless.,,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Session state is non-sticky and externalized to a data store.,,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application configuration is treated as code and deployed with the application.,,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application 
platform services are running in a highly available configuration/SKU.,,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application platform components are deployed across Availability Zones or Availability Sets.,,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Leveraged platform services are Availability Zone aware.,,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Application platform components are deployed across multiple active regions.,,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Load balancing is implemented to distribute traffic across multiple nodes.,,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Health probes are implemented to check the health of application components and compound application health.,,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Queuing and reliable messaging patterns are used to integrate application tiers.,,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Client traffic can be routed to the application in the case of region/zone/network outages.,,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,Procedures to scale out application platform components are automated.,,,,, -Reliability,What decisions have been taken to ensure the application platform meets your reliability requirements?,None of the above.,None of the above.,,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data types are categorized by 
data consistency requirements.,,,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data platform services are running in a highly available configuration/SKU.,,,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data is replicated across multiple regions.,,,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data is replicated across Availability Zones.,,,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data is backed-up on zone/geo-redundant storage.,,,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Active geo-replication is used for data platform components such as storage and databases.,,,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Application traffic can be routed to data stores in the case of region/zone/network outages.,,,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Read operations are segregated from update operations.,,,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Load balancer health probes assess data platform components.,,,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data restore processes have been defined to ensure consistent application state when data is corrupted or deleted.,,,,, -Reliability,What decisions have been taken to ensure the data platform meets your reliability requirements?,Data restore processes have been validated and tested to ensure consistent application state when data is corrupted or deleted.,,,,, -Reliability,What decisions have been taken to ensure the data 
platform meets your reliability requirements?,None of the above.,None of the above.,,,, -Reliability,How does your application logic handle exceptions and errors?,Have a method to handle faults that might take a variable amount of time to recover from.,,,,, -Reliability,How does your application logic handle exceptions and errors?,Request timeouts are configured to manage inter-component calls.,,,,, -Reliability,How does your application logic handle exceptions and errors?,"Retry logic is implemented to handle transient failures, with appropriate back-off strategies to avoid cascading failures.",,,,, -Reliability,How does your application logic handle exceptions and errors?,The application is instrumented with semantic logs and metrics.,,,,, -Reliability,How does your application logic handle exceptions and errors?,None of the above.,None of the above.,,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,All single points of failure have been eliminated from application communication flows.,,,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,Health probes are configured for Azure Load Balancer(s) to assess application traffic flows and compound health.,,,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,Azure Load Balancer Standard or Zone redundant application gateways are used to load balance traffic across Availability Zones.,,,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,Redundant connections from different locations are used for cross-premises connectivity (ExpressRoute or VPN).,,,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,A failure path has been simulated for cross-premises connectivity.,,,,, 
-Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,Zone redundant gateways are used for cross-premises connectivity (ExpressRoute or VPN).,,,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,"Network traffic is monitored, and a response plan is in place to address network outages.",,,,, -Reliability,What decisions have been taken to ensure networking and connectivity meets your reliability requirements?,None of the above.,None of the above.,,,, -Reliability,What reliability allowances for scalability and performance have you made?,The application has dedicated cross-premises bandwidth.,,,,, -Reliability,What reliability allowances for scalability and performance have you made?,Components with sensitive latency requirements are collocated.,,,,, -Reliability,What reliability allowances for scalability and performance have you made?,Gateways (ExpressRoute or VPN) have been sized according to expected cross-premises network throughput.,,,,, -Reliability,What reliability allowances for scalability and performance have you made?,Expected throughput passing through security/network appliances has been tested and autoscaling is configured based on throughput requirements.,,,,, -Reliability,What reliability allowances for scalability and performance have you made?,Autoscaling is enabled for application components and integrated with Azure Monitor.,,,,, -Reliability,What reliability allowances for scalability and performance have you made?,Autoscaling has been tested and the time to scale in/out has been measured.,,,,, -Reliability,What reliability allowances for scalability and performance have you made?,Tested and validated defined latency and defined throughput targets per scenario and component.,,,,, -Reliability,What reliability allowances for scalability and performance have you made?,Calculated target data sizes and associated 
growth rates per scenario and component.,,,,, -Reliability,What reliability allowances for scalability and performance have you made?,Operational procedures are defined in case data sizes exceed limits.,,,,, -Reliability,What reliability allowances for scalability and performance have you made?,Validated that long-running TCP connections are not required for the workload.,,,,, -Reliability,What reliability allowances for scalability and performance have you made?,Throttling is implemented to govern inbound application calls and inter-component calls.,,,,, -Reliability,What reliability allowances for scalability and performance have you made?,None of the above.,None of the above.,,,, -Reliability,What reliability allowances for security have you made?,The identity provider (AAD/ADFS/AD/Other) is highly available and aligns with application availability and recovery targets.,,,,, -Reliability,What reliability allowances for security have you made?,"All external application endpoints are secured? i.e. 
Firewall, WAF, DDoS Protection Standard Plan, etc.",,,,, -Reliability,What reliability allowances for security have you made?,Communication to Azure PaaS services secured using Virtual Network Service Endpoints or Private Link.,,,,, -Reliability,What reliability allowances for security have you made?,Keys and secrets are backed-up to geo-redundant storage.,,,,, -Reliability,What reliability allowances for security have you made?,The process for key rotation is automated and tested,,,,, -Reliability,What reliability allowances for security have you made?,Emergency access break glass accounts have been tested and secured for recovering from Identity provider failure scenarios.,,,,, -Reliability,What reliability allowances for security have you made?,None of the above.,None of the above.,,,, -Reliability,What reliability allowances for operations have you made?,Application can be automatically deployed to a new region without any manual operations to recover from disaster scenarios.,,,,, -Reliability,What reliability allowances for operations have you made?,Application deployments can be rolled-back and rolled-forward through automated deployment pipelines.,,,,, -Reliability,What reliability allowances for operations have you made?,The lifecycle of the application is decoupled from its dependencies.,,,,, -Reliability,What reliability allowances for operations have you made?,The time it takes to deploy an entire production environment is tested and validated.,,,,, -Reliability,What reliability allowances for operations have you made?,None of the above.,None of the above.,,,, -Reliability,How do you test the application to ensure it is fault tolerant?,The application is tested against critical Non-Functional requirements for performance.,,,,, -Reliability,How do you test the application to ensure it is fault tolerant?,Load Testing is conducted with expected peak volumes to test scalability and performance under load.,,,,, -Reliability,How do you test the application to 
ensure it is fault tolerant?,Chaos Testing is performed by injecting faults.,,,,, -Reliability,How do you test the application to ensure it is fault tolerant?,Tests are automated and carried out periodically or on-demand.,,,,, -Reliability,How do you test the application to ensure it is fault tolerant?,Critical test environments have 1:1 parity with the production environment.,,,,, -Reliability,How do you test the application to ensure it is fault tolerant?,None of the above.,None of the above.,,,, -Reliability,How do you monitor and measure application health?,The application is instrumented with semantic logs and metrics.,,,,, -Reliability,How do you monitor and measure application health?,Application logs are correlated across components.,,,,, -Reliability,How do you monitor and measure application health?,All components are monitored and correlated with application telemetry.,,,,, -Reliability,How do you monitor and measure application health?,"Key metrics, thresholds, and indicators are defined and captured.",,,,, -Reliability,How do you monitor and measure application health?,"A health model has been defined based on performance, availability, and recovery targets and is represented through monitoring dashboard and alerts.",,,,, -Reliability,How do you monitor and measure application health?,Azure Service Health events are used to alert on applicable Service level events.,,,,, -Reliability,How do you monitor and measure application health?,Azure Resource Health events are used to alert on resource health events.,,,,, -Reliability,How do you monitor and measure application health?,Monitor long-running workflows for failures.,,,,, -Reliability,How do you monitor and measure application health?,None of the above.,None of the above.,,,, -Security,Have you done a threat analysis of your workload?,"Threat modeling processes are adopted, identified threats are ranked based on organizational impact, mapped to mitigations and communicated to stakeholders.",,,,, 
-Security,Have you done a threat analysis of your workload?,"There's a process to track, triage and address security threats in the application development cycle.",,,,, -Security,Have you done a threat analysis of your workload?,Timelines and processess are established to deploy mitigations (security fixes) for identified threats.,,,,, -Security,Have you done a threat analysis of your workload?,Security requirements are defined for this workload.,,,,, -Security,Have you done a threat analysis of your workload?,Threat protection was addressed for this workload.,,,,, -Security,Have you done a threat analysis of your workload?,"Security posture was evaluated with standard benchmarks (CIS Control Framework, MITRE framework etc.).",,,,, -Security,Have you done a threat analysis of your workload?,"Business critical workloads, which may adversely affect operations if they are compromised or become unavailable, were identified and classified.",,,,, -Security,Have you done a threat analysis of your workload?,None of the above.,None of the above.,,,, -Security,What considerations for compliance and governance did you make in this workload?,Regulatory and governance requirements of this workload are known and well understood.,,,,, -Security,What considerations for compliance and governance did you make in this workload?,Landing Zone concept is implemented for this workload using Azure Blueprints and/or Azure Policies.,,,,, -Security,What considerations for compliance and governance did you make in this workload?,Azure Policies are used to enforce and control security and organizational standards.,,,,, -Security,What considerations for compliance and governance did you make in this workload?,Root management group is used and any changes that are applied using this group are carefully considered.,,,,, -Security,What considerations for compliance and governance did you make in this workload?,Compliance for this workload is systematically monitored and maintained. 
Regular compliance attestations are performed.,,,,, -Security,What considerations for compliance and governance did you make in this workload?,External or internal audits of this workload are performed periodically.,,,,, -Security,What considerations for compliance and governance did you make in this workload?,Security plan for this workload was developed and is maintained.,,,,, -Security,What considerations for compliance and governance did you make in this workload?,"Best practices and guidelines, based on industry recommendations, are reviewed and applied proactively.",,,,, -Security,What considerations for compliance and governance did you make in this workload?,Attacker vs. defender costs are considered when implementing defenses. Easy and cheap attack methods are always prevented.,,,,, -Security,What considerations for compliance and governance did you make in this workload?,Attacker access containment is considered when making investments into security solutions.,,,,, -Security,What considerations for compliance and governance did you make in this workload?,None of the above.,None of the above.,,,, -Security,What practices and tools have you implemented as part of the development cycle?,"A list of dependencies, frameworks and libraries used by this workload is maintained and updated regularly.",,,,, -Security,What practices and tools have you implemented as part of the development cycle?,Framework and library updates are included into the workload lifecycle.,,,,, -Security,What practices and tools have you implemented as part of the development cycle?,"Technologies and frameworks used in this workload are fully understood, including their vulnerabilities.",,,,, -Security,What practices and tools have you implemented as part of the development cycle?,"Security updates to VMs are applied in a timely manner, and strong passwords exist on those VMs for any local administrative accounts that may be in use.",,,,, -Security,What practices and tools have you 
implemented as part of the development cycle?,All cloud services used by this workload are identified and it is understood how to configure them securely.,,,,, -Security,What practices and tools have you implemented as part of the development cycle?,"Personally identifiable information (PII) is detected and removed/obfuscated automatically for this workload, including application logs.",,,,, -Security,What practices and tools have you implemented as part of the development cycle?,Azure Tags are used to enrich Azure resources with operational metadata.,,,,, -Security,What practices and tools have you implemented as part of the development cycle?,Elevated security capabilities such as dedicated Hardware Security Modules (HSMs) or the use of Confidential Computing was implemented or considered implementing?,,,,, -Security,What practices and tools have you implemented as part of the development cycle?,None of the above.,None of the above.,,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Formal DevOps approach to building and maintaining software in this workload was adopted.,,,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,"DevOps security guidance based on industry lessons-learned, and available automation tools (OWASP guidance, Microsoft toolkit for Secure DevOps etc.) 
is leveraged.",,,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Gates and approvals are configured in DevOps release process of this workload.,,,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Security team is involved in planning, design and the rest of DevOps process of this workload.",,,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Deployments are automated and it's possible to deploy N+1 and N-1 version (where N is the current production).,,,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Code scanning tools are integrated as part of the continuous integration (CI) process for this workload and cover also 3rd party dependencies.,,,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Credentials, certificates and other secrets are managed in a secure manner inside of CI/CD pipelines.",,,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,"Branch policies are used in source control management, main branch is protected and code reviews are required.",,,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,Security controls are applied to all self-hosted build agents used by this workload (if any).,,,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,CI/CD roles and permissions are clearly defined for this workload.,,,,, -Security,Have you adopted a formal secure DevOps approach to building and maintaining software?,None of the above.,None of the above.,,,, -Security,Is the workload developed and configured in a secure way?,Cloud services are used for well-established functions instead of building custom service implementations.,,,,, -Security,Is the workload developed 
and configured in a secure way?,Detailed error messages and verbose information are hidden from the end user/client applications. Exceptions in code are handled gracefully and logged.,,,,, -Security,Is the workload developed and configured in a secure way?,Platform specific information (e.g. web server version) is removed from server-client communication channels.,,,,, -Security,Is the workload developed and configured in a secure way?,CDN (content delivery network) is used to separate the hosting platform and end-users/clients.,,,,, -Security,Is the workload developed and configured in a secure way?,"Application configuration is stored using a dedicated configuration management system (Azure App Configuration, Azure Key Vault etc.)",,,,, -Security,Is the workload developed and configured in a secure way?,"Access to data storage is identity-based, whenever possible.",,,,, -Security,Is the workload developed and configured in a secure way?,Authentication tokens are cached securely and encrypted when sharing across web servers.,,,,, -Security,Is the workload developed and configured in a secure way?,There are controls in place for this workload to detect and protect from data exfiltration.,,,,, -Security,Is the workload developed and configured in a secure way?,None of the above.,None of the above.,,,, -Security,How are you monitoring security-related events in this workload?,Tools like Azure Security Center are used to discover and remediate common risks within Azure tenants.,,,,, -Security,How are you monitoring security-related events in this workload?,A central SecOps team monitors security related telemetry data for this workload.,,,,, -Security,How are you monitoring security-related events in this workload?,The security team has read-only access into all cloud environment resources for this workload.,,,,, -Security,How are you monitoring security-related events in this workload?,"The security team has access to and monitor all subscriptions and tenants that 
are connected to the existing cloud environment, relative to this workload.",,,,, -Security,How are you monitoring security-related events in this workload?,Identity related risk events related to potentially compromised identities are actively monitored.,,,,, -Security,How are you monitoring security-related events in this workload?,"Communication, investigation and hunting activities are aligned with the workload team.",,,,, -Security,How are you monitoring security-related events in this workload?,Periodic & automated access reviews of the workload are conducted to ensure that only authorized people have access?,,,,, -Security,How are you monitoring security-related events in this workload?,Cloud application security broker (CASB) is leveraged in this workload.,,,,, -Security,How are you monitoring security-related events in this workload?,A designated point of contact was assigned for this workload to receive Azure incident notifications from Microsoft.,,,,, -Security,How are you monitoring security-related events in this workload?,None of the above.,None of the above.,,,, -Security,How is security validated and how do you handle incident response when breach happens?,"For containerized workloads, Azure Defender (Azure Security Center) or other third-party solution is used to scan for vulnerabilities.",,,,, -Security,How is security validated and how do you handle incident response when breach happens?,Penetration testing is performed in-house or a third-party entity performs penetration testing of this workload to validate the current security defenses.,,,,, -Security,How is security validated and how do you handle incident response when breach happens?,"Simulated attacks on users of this workload, such as phishing campaigns, are carried out regularly.",,,,, -Security,How is security validated and how do you handle incident response when breach happens?,Operational processes for incident response are defined and tested for this workload.,,,,, -Security,How is 
security validated and how do you handle incident response when breach happens?,"Playbooks are built to help incident responders quickly understand the workload and components, to mitigate an attack and do an investigation.",,,,, -Security,How is security validated and how do you handle incident response when breach happens?,There's a security operations center (SOC) that leverages a modern security approach.,,,,, -Security,How is security validated and how do you handle incident response when breach happens?,A security training program is developed and maintained to ensure security staff of this workload are well-informed and equipped with the appropriate skills.,,,,, -Security,How is security validated and how do you handle incident response when breach happens?,None of the above.,None of the above.,,,, -Security,How is connectivity secured for this workload?,"Services used by this workload, which should not be accessible from public IP addresses, are protected with network restrictions / IP firewall rules.",,,,, -Security,How is connectivity secured for this workload?,Service Endpoints or Private Links are used for accessing Azure PaaS services.,,,,, -Security,How is connectivity secured for this workload?,Azure Firewall or any 3rd party next generation firewall is used for this workload to control outgoing traffic of Azure PaaS services (data exfiltration protection) where Private Link is not available.,,,,, -Security,How is connectivity secured for this workload?,Network security groups (NSG) are used to isolate and protect traffic within the workloads VNet.,,,,, -Security,How is connectivity secured for this workload?,NSG flow logs are configured to get insights about incoming and outgoing traffic of this workload.,,,,, -Security,How is connectivity secured for this workload?,"Access to the workload backend infrastructure (APIs, databases, etc.) 
is restricted to only a minimal set of public IP addresses - only those who really need it.",,,,, -Security,How is connectivity secured for this workload?,Identified groups of resources are isolated from other parts of the organization to aid in detecting and containing adversary movement within the enterprise.,,,,, -Security,How is connectivity secured for this workload?,"All public endpoints of this workload are protected/secured with appropriate solution (i.e. Azure Front Door, Azure Firewall...).",,,,, -Security,How is connectivity secured for this workload?,"Publishing methods for this workload (e.g FTP, Web Deploy) are protected.",,,,, -Security,How is connectivity secured for this workload?,Code is published to this workload using CI/CD process instead of manually.,,,,, -Security,How is connectivity secured for this workload?,"Workload virtual machines running on premises or in the cloud don't have direct internet connectivity for users that may perform interactive logins, or by applications running on virtual machines.",,,,, -Security,How is connectivity secured for this workload?,There's a capability and plans in place to mitigate DDoS attacks for this workload.,,,,, -Security,How is connectivity secured for this workload?,None of the above.,None of the above.,,,, -Security,How have you secured the network of your workload?,"There's a designated group within the organization, which is responsible for centralized network management security of this workload.",,,,, -Security,How have you secured the network of your workload?,"There are controls in place to ensure that security extends past the network boundaries of the workload in order to effectively prevent, detect, and respond to threats.",,,,, -Security,How have you secured the network of your workload?,Enhanced network visibility is enabled by integrating network logs into a Security information and event management (SIEM) solution or similar technology.,,,,, -Security,How have you secured the network 
of your workload?,Cloud virtual networks are designed for growth based on an intentional subnet security strategy.,,,,, -Security,How have you secured the network of your workload?,"This workload has a security containment strategy that blends existing on-premises security controls and practices with native security controls available in Azure, and uses a zero-trust approach.",,,,, -Security,How have you secured the network of your workload?,Legacy network security controls for data loss prevention were deprecated.,,,,, -Security,How have you secured the network of your workload?,"Traffic between subnets, Azure components and tiers of the workload is managed and protected.",,,,, -Security,How have you secured the network of your workload?,None of the above.,None of the above.,,,, -Security,How are you managing encryption for this workload?,The workload uses industry standard encryption algorithms instead of creating own.,,,,, -Security,How are you managing encryption for this workload?,The workload communicates over encrypted (TLS / HTTPS) network channels only.,,,,, -Security,How are you managing encryption for this workload?,TLS 1.2 or 1.3 is used by default across this workload.,,,,, -Security,How are you managing encryption for this workload?,Secure modern hashing algorithms (SHA-2 family) are used.,,,,, -Security,How are you managing encryption for this workload?,Data at rest is protected with encryption.,,,,, -Security,How are you managing encryption for this workload?,Data in transit is encrypted.,,,,, -Security,How are you managing encryption for this workload?,Virtual disk files for virtual machines which are associated with this workload are encrypted.,,,,, -Security,How are you managing encryption for this workload?,None of the above.,None of the above.,,,, -Security,"Are keys, secrets and certificates managed in a secure way?",There's a clear guidance or requirement on what type of keys (PMK - Platform Managed Keys vs. 
CMK - Customer Managed Keys) should be used for this workload.,,,,, -Security,"Are keys, secrets and certificates managed in a secure way?","Passwords and secrets are managed outside of application artifacts, using tools like Azure Key Vault.",,,,, -Security,"Are keys, secrets and certificates managed in a secure way?",Access model for keys and secrets is defined for this workload.,,,,, -Security,"Are keys, secrets and certificates managed in a secure way?",A clear responsibility / role concept for managing keys and secrets is defined for this workload.,,,,, -Security,"Are keys, secrets and certificates managed in a secure way?",Secret/key rotation procedures are in place.,,,,, -Security,"Are keys, secrets and certificates managed in a secure way?",Expiry dates of SSL/TLS certificates are monitored and there are renewal processes in place.,,,,, -Security,"Are keys, secrets and certificates managed in a secure way?",None of the above.,None of the above.,,,, -Security,What security controls do you have in place for access to Azure infrastructure?,There are tools and processes in place to grant just-in-time access.,,,,, -Security,What security controls do you have in place for access to Azure infrastructure?,No user accounts have long-standing write access to production environments.,,,,, -Security,What security controls do you have in place for access to Azure infrastructure?,Appropriate emergency access accounts are configured for this workload in case of an emergency.,,,,, -Security,What security controls do you have in place for access to Azure infrastructure?,Lines of responsibility and designated responsible parties were clearly defined for specific functions in Azure.,,,,, -Security,What security controls do you have in place for access to Azure infrastructure?,The application team has a clear view on responsibilities and individual/group access levels for this workload.,,,,, -Security,What security controls do you have in place for access to Azure 
infrastructure?,Workload infrastructure is protected with role-based access control (RBAC).,,,,, -Security,What security controls do you have in place for access to Azure infrastructure?,Resource locks are leveraged to protect critical infrastructure of this workload.,,,,, -Security,What security controls do you have in place for access to Azure infrastructure?,"Direct access to the infrastructure through Azure Portal, command-line Interface (CLI) or REST API is limited and CI/CD is preferred.",,,,, -Security,What security controls do you have in place for access to Azure infrastructure?,Permissions to Azure workloads are rarely based on individual resources and custom permissions are rarely used.,,,,, -Security,What security controls do you have in place for access to Azure infrastructure?,There are processes and tools being used to manage privileged activities. Long standing administrative access is avoided whenever possible.,,,,, -Security,What security controls do you have in place for access to Azure infrastructure?,There is a lifecycle management policy for critical accounts in this workload and privileged accounts are reviewed regularly.,,,,, -Security,What security controls do you have in place for access to Azure infrastructure?,None of the above.,None of the above.,,,, -Security,How are you managing identity for this workload?,When communicating with Azure platform services managed identities are preferred over API keys and connection strings.,,,,, -Security,How are you managing identity for this workload?,All APIs in this workload require clients to authenticate.,,,,, -Security,How are you managing identity for this workload?,"Modern authentication protocols (OAuth 2.0, OpenID) are used by this workload.",,,,, -Security,How are you managing identity for this workload?,"Azure Active Directory or other managed identity provider (Microsoft Account, Azure B2C etc.) 
is used for user authentication.",,,,, -Security,How are you managing identity for this workload?,Authentication via identity services is prioritized for this workload vs. cryptographic keys.,,,,, -Security,How are you managing identity for this workload?,Conditional access policies are implemented for users of this workload.,,,,, -Security,How are you managing identity for this workload?,Password-less or multi-factor authentication (MFA) is enforced for users of this workload.,,,,, -Security,How are you managing identity for this workload?,Current on-premises Active Directory is synchronized with Azure AD or other cloud identity system.,,,,, -Security,How are you managing identity for this workload?,None of the above.,None of the above.,,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Cloud costs are being modelled for this workload.,,,,, -Cost Optimization,How are you modeling cloud costs of this workload?,The price model of the workload is clear.,,,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Critical system flows through the application have been defined for all key business scenarios.,,,,, -Cost Optimization,How are you modeling cloud costs of this workload?,There is a well-understood capacity model for the workload.,,,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Internal and external dependencies are identified and cost implications understood.,,,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Cost implications of each Azure service used by the application are understood.,,,,, -Cost Optimization,How are you modeling cloud costs of this workload?,The right operational capabilities are used for Azure services.,,,,, -Cost Optimization,How are you modeling cloud costs of this workload?,Special discounts given to services or licenses are factored in when calculating new cost models for services being moved to the cloud.,,,,, -Cost Optimization,How are you 
modeling cloud costs of this workload?,Azure Hybrid Use Benefit is used to drive down cost in the cloud.,,,,, -Cost Optimization,How are you modeling cloud costs of this workload?,None of the above.,None of the above.,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Budgets are assigned to all services in this workload.,,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is a cost owner for every service used by this workload.,,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Cost forecasting is done to ensure it aligns with the budget.,,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is a monthly or yearly meeting where the budget is reviewed.,,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Every environment has a target end-date.,,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Every environment has a plan for migrating to PaaS or serverless to lower the all up cost and transfer risk.,,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is a clear understanding of how budget is defined.,,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Budget is factored into the building phase.,,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is an ongoing conversation between the app owner and the business.,,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,There is a plan to modernize the workload.,,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Azure Tags are used to enrich Azure resources with operational metadata.,,,,, -Cost Optimization,How do you govern budgets and 
application lifespan for this workload?,The application has a well-defined naming standard for Azure resources.,,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,Role Based Access Control (RBAC) is used to control access to operational and financial dashboards and underlying data.,,,,, -Cost Optimization,How do you govern budgets and application lifespan for this workload?,None of the above.,None of the above.,,,, -Cost Optimization,How are you monitoring costs of this workload?,Alerts are set for cost thresholds and limits.,,,,, -Cost Optimization,How are you monitoring costs of this workload?,Specific owners and processes are defined for each alert type.,,,,, -Cost Optimization,How are you monitoring costs of this workload?,Application Performance Management (APM) tools and log aggregation technologies are used to collect logs and metrics from Azure resources.,,,,, -Cost Optimization,How are you monitoring costs of this workload?,Cost Management Tools (such as Azure Cost Management) are being used to track spending in this workload.,,,,, -Cost Optimization,How are you monitoring costs of this workload?,None of the above.,None of the above.,,,, -Cost Optimization,How do you optimize the design of this workload?,The application was built natively for the cloud.,,,,, -Cost Optimization,How do you optimize the design of this workload?,There is an availability strategy defined and cost implications of it are understood.,,,,, -Cost Optimization,How do you optimize the design of this workload?,This workload benefits from higher density.,,,,, -Cost Optimization,How do you optimize the design of this workload?,Data is being transferred between regions.,,,,, -Cost Optimization,How do you optimize the design of this workload?,Multi-region deployment is supported and cost implications understood.,,,,, -Cost Optimization,How do you optimize the design of this workload?,The workload is designed to use Availability Zones within a 
region.,,,,, -Cost Optimization,How do you optimize the design of this workload?,None of the above.,None of the above.,,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Performance requirements are well-defined.,,,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Targets for the time it takes to perform scale operations are defined and monitored.,,,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,The workload is designed to scale independently.,,,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,The application has been designed to scale both in and out.,,,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Application components and data are split into groups as part of your disaster recovery strategy.,,,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Tools (such as Azure Advisor) are being used to optimise SKUs discovered in this workload.,,,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Resources are reviewed weekly or bi-weekly for optimization.,,,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Cost-effective regions are considered as part of the deployment selection.,,,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Dev/Test offerings are used correctly.,,,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,Shared hosting platforms are used correctly.,,,,, -Cost Optimization,How do you ensure that cloud services are appropriately provisioned?,None of the above.,None of the above.,,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,There is an automated process to deploy application releases to 
production.,,,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,There is a difference in configuration for production and non-production environments.,,,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,Test-environments are deployed automatically and deleted after use.,,,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,There is awareness around how the application has been built and is being maintained (in house or via an external partner).,,,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,There is awareness regarding the ratio of cost of production and non-production environments for this workload.,,,,, -Cost Optimization,What considerations for DevOps practices are you making in this workload?,None of the above.,None of the above.,,,, -Cost Optimization,How do you manage compute costs for this workload?,Appropriate SKUs are used for workload servers.,,,,, -Cost Optimization,How do you manage compute costs for this workload?,Appropriate operating systems are used in the workload.,,,,, -Cost Optimization,How do you manage compute costs for this workload?,A recent review of SKUs that could benefit from Reserved Instances for 1 or 3 years or more has been performed.,,,,, -Cost Optimization,How do you manage compute costs for this workload?,Burstable (B) series VM sizes are used for VMs that are idle most of the time and have high usage only in certain periods.,,,,, -Cost Optimization,How do you manage compute costs for this workload?,VM instances which are not used are shut down.,,,,, -Cost Optimization,How do you manage compute costs for this workload?,Spot virtual machines are used.,,,,, -Cost Optimization,How do you manage compute costs for this workload?,PaaS is used as an alternative to buying virtual machines.,,,,, -Cost Optimization,How do you manage compute costs for this 
workload?,Costs are optimized by using the App Service Premium (v3) plan over the Premium (Pv2) plan.,,,,, -Cost Optimization,How do you manage compute costs for this workload?,Zone to Zone disaster recovery is used for virtual machines.,,,,, -Cost Optimization,How do you manage compute costs for this workload?,The Start/Stop feature in Azure Kubernetes Services (AKS) is used.,,,,, -Cost Optimization,How do you manage compute costs for this workload?,None of the above.,None of the above.,,,, -Cost Optimization,How do you manage networking costs for this workload?,Service Endpoints or Private Link are used for accessing Azure PaaS services.,,,,, -Cost Optimization,How do you manage networking costs for this workload?,Hub and spoke design pricing is understood.,,,,, -Cost Optimization,How do you manage networking costs for this workload?,Microsoft backbone network is preferred.,,,,, -Cost Optimization,How do you manage networking costs for this workload?,DDoS attack mitigation plans and capabilities are in place.,,,,, -Cost Optimization,How do you manage networking costs for this workload?,"Azure Front Door, Azure App Gateway or Web Application Firewall is used.",,,,, -Cost Optimization,How do you manage networking costs for this workload?,The workload is connected between regions (using network peering or gateways).,,,,, -Cost Optimization,How do you manage networking costs for this workload?,Azure resources are connecting to the internet via on-premises.,,,,, -Cost Optimization,How do you manage networking costs for this workload?,Public IPs and orphaned NICs are regularly cleaned up.,,,,, -Cost Optimization,How do you manage networking costs for this workload?,None of the above.,None of the above.,,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Reserved capacity is used for data in block blob storage.,,,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Data is organized into access tiers.,,,,, 
-Cost Optimization,How do you manage storage and data costs for this workload?,Life-cycle policy is used to move data between access tiers.,,,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Shared disks are leveraged for suitable workloads.,,,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Reserved premium disks (P30 & above) are used.,,,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Bursting for P20 and below disks is utilized for suitable workloads.,,,,, -Cost Optimization,How do you manage storage and data costs for this workload?,"For database workloads, data and log files are stored on separate disks.",,,,, -Cost Optimization,How do you manage storage and data costs for this workload?,"Unused storage resources (e.g. unattached disks, old snapshots) are periodically cleaned up.",,,,, -Cost Optimization,How do you manage storage and data costs for this workload?,Selective disk backup and restore for Azure VMs is used.,,,,, -Cost Optimization,How do you manage storage and data costs for this workload?,None of the above.,None of the above.,,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,Development and operations processes are connected to a Service Management framework like ISO or ITIL,,,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,There is no separation between development and operations teams.,,,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,You have identified all broader teams responsible for operational aspects of the application and have established remediation plans with them for any issues that 
occur.,,,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,Features and development tasks for the application are prioritized and executed on in a consistent fashion.,,,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,You understand how the choices and desired configuration of Azure services are managed.,,,,, -Operational Excellence,Have you identified and planned out the roles and responsibilities to ensure your workload follows operational excellence best practices?,None of the above.,None of the above.,,,, -Operational Excellence,What design considerations for operations have you made?,You have documented any components that are on-premises or in another cloud.,,,,, -Operational Excellence,What design considerations for operations have you made?,Deployed the application across multiple regions.,,,,, -Operational Excellence,What design considerations for operations have you made?,Application is deployed across multiple regions in an active-passive configuration in alignment with recovery targets.,,,,, -Operational Excellence,What design considerations for operations have you made?,Application platform components are deployed across multiple active regions.,,,,, -Operational Excellence,What design considerations for operations have you made?,The workload is implemented with strategies for resiliency and self-healing.,,,,, -Operational Excellence,What design considerations for operations have you made?,All platform-level dependencies are identified and understood.,,,,, -Operational Excellence,What design considerations for operations have you made?,None of the above.,None of the above.,,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional 
requirements?,"Availability targets such as SLAs, SLIs and SLOs are defined for the application and key scenarios and monitored",,,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,"Availability targets such as SLAs, SLIs and SLOs for all leveraged dependencies are understood and monitored",,,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,Recovery targets such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined for the application and key scenarios,,,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,The consequences if availability and recovery targets are not satisfied are well understood,,,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,There are targets defined for the time it takes to perform scale operations,,,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,"Critical system flows through the application have been defined for all key business scenarios and have distinct availability, performance and recovery targets",,,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,There are well defined performance requirements for the application and key scenarios,,,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,Any application components which are less critical and have lower availability or performance requirements are well 
understood,,,,, -Operational Excellence,Have you defined key scenarios for your workload and how they relate to operational targets and non-functional requirements?,None of the above.,None of the above.,,,, -Operational Excellence,How are you monitoring your resources?,An Application Performance Management (APM) tool like Azure Application Insights is used to collect application level logs,,,,, -Operational Excellence,How are you monitoring your resources?,Application logs are collected from different application environments,,,,, -Operational Excellence,How are you monitoring your resources?,Log messages are captured in a structured format and can be indexed and searched,,,,, -Operational Excellence,How are you monitoring your resources?,Application events are correlated across all application components,,,,, -Operational Excellence,How are you monitoring your resources?,It is possible to evaluate critical application performance targets and non-functional requirements based on application logs and metrics,,,,, -Operational Excellence,How are you monitoring your resources?,End-to-end performance of critical system flows is monitored,,,,, -Operational Excellence,How are you monitoring your resources?,Black-box monitoring is used to measure platform services and the resulting customer experience.,,,,, -Operational Excellence,How are you monitoring your resources?,None of the above.,None of the above.,,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,"A log aggregation technology, such as Azure Log Analytics or Splunk, is used to collect logs and metrics from Azure resources",,,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Azure Activity Logs are collected within the log aggregation tool,,,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Resource-level monitoring is enforced throughout the 
application,,,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Logs and metrics are available for critical internal dependencies,,,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Log levels are used to capture different types of application events.,,,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,Critical external dependencies are monitored,,,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,There are no known gaps in application observability that led to missed incidents and/or false positives.,,,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,The workload is instrumented to measure customer experience.,,,,, -Operational Excellence,How do you interpret the collected data to inform about application health?,None of the above.,None of the above.,,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,"Application and resource level logs are either aggregated in a single data sink, or it is possible to cross-query events at both levels",,,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,Application level events are automatically correlated with resource-level metrics to quantify the current application state,,,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,A health model is used to qualify what 'healthy' and 'unhealthy' states represent for the workload,,,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,Critical system flows are used to inform the health model,,,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when 
issues occur?,The health model can distinguish between transient and non-transient faults,,,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,Long-term trends are analysed to predict operational issues before they occur,,,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,Retention times for logs and metrics have been defined and with housekeeping mechanisms configured,,,,, -Operational Excellence,How do you visualize workload data and then alert relevant teams when issues occur?,None of the above.,None of the above.,,,, -Operational Excellence,How are you using Azure platform notifications and updates?,A tool such as Azure Monitor or Grafana is used to visualize the application health model and encompassed logs and metrics,,,,, -Operational Excellence,How are you using Azure platform notifications and updates?,"Dashboards are tailored to a specific audience such as developers, security or networking teams",,,,, -Operational Excellence,How are you using Azure platform notifications and updates?,A tool such as Azure Monitor or Splunk is used for alerting,,,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Specific owners and processes are defined for each alert type,,,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Operational events are prioritized based on business impact,,,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Push notifications are used to inform responsible parties of alerts in real time,,,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Alerting is integrated with an IT Service Management (ITSM) system such as ServiceNow,,,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Azure Service Health alerts been created to respond to Service-level 
events.,,,,, -Operational Excellence,How are you using Azure platform notifications and updates?,Azure Resource Health alerts been created to respond to Resource-level events.,,,,, -Operational Excellence,How are you using Azure platform notifications and updates?,None of the above.,None of the above.,,,, -Operational Excellence,What is your approach to recovery and failover?,Recovery steps are defined and well understood for failover and failback,,,,, -Operational Excellence,What is your approach to recovery and failover?,The failover and failback approach has been tested/validated at least once,,,,, -Operational Excellence,What is your approach to recovery and failover?,The health model is being used to classify failover situations,,,,, -Operational Excellence,What is your approach to recovery and failover?,Automated recovery procedures are in place for common failure events,,,,, -Operational Excellence,What is your approach to recovery and failover?,Automated recovery procedures are tested and validated on a regular basis,,,,, -Operational Excellence,What is your approach to recovery and failover?,Critical manual processes are defined and documented for failure responses.,,,,, -Operational Excellence,What is your approach to recovery and failover?,Manual operational runbooks are tested and validated on a regular basis,,,,, -Operational Excellence,What is your approach to recovery and failover?,None of the above.,None of the above.,,,, -Operational Excellence,How are scale operations performed?,There is a capacity model for the workload,,,,, -Operational Excellence,How are scale operations performed?,Auto-scaling is enabled for supporting PaaS and IaaS services,,,,, -Operational Excellence,How are scale operations performed?,The process to provision and de-provision capacity is codified,,,,, -Operational Excellence,How are scale operations performed?,The impact of changes in application health on capacity is fully understood,,,,, -Operational Excellence,How are 
scale operations performed?,It has been validated that the required capacity (initial and future growth) is within Azure service scale limits and quotas,,,,, -Operational Excellence,How are scale operations performed?,It has been validated that the required capacity (initial and future growth) is available within targeted regions,,,,, -Operational Excellence,How are scale operations performed?,Capacity utilization is monitored and used to forecast future growth,,,,, -Operational Excellence,How are scale operations performed?,None of the above.,None of the above.,,,, -Operational Excellence,How are you managing the configuration of your workload?,You monitor and take advantage of new features and capabilities of underlying services used in your workload.,,,,, -Operational Excellence,How are you managing the configuration of your workload?,Application configuration information is stored using a dedicated management system such as Azure App Configuration or Azure Key Vault,,,,, -Operational Excellence,How are you managing the configuration of your workload?,Soft-Delete is enabled for your keys and credentials such as things stored in Key Vaults and Key Vault objects.,,,,, -Operational Excellence,How are you managing the configuration of your workload?,Configuration settings can be changed or modified without rebuilding or redeploying the application,,,,, -Operational Excellence,How are you managing the configuration of your workload?,Passwords and other secrets are managed in a secure store like Azure Key Vault or HashiCorp Vault,,,,, -Operational Excellence,How are you managing the configuration of your workload?,Procedures are in place for key/secret rotation,,,,, -Operational Excellence,How are you managing the configuration of your workload?,The application uses Azure Managed Identities,,,,, -Operational Excellence,How are you managing the configuration of your workload?,The expiry dates of SSL certificates are monitored and there are processes in place to renew 
them,,,,, -Operational Excellence,How are you managing the configuration of your workload?,Components are hosted on shared application or data platforms as appropriate.,,,,, -Operational Excellence,How are you managing the configuration of your workload?,Your workload takes advantage of multiple Azure subscriptions.,,,,, -Operational Excellence,How are you managing the configuration of your workload?,The workload is designed to leverage managed services.,,,,, -Operational Excellence,How are you managing the configuration of your workload?,None of the above.,None of the above.,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,There is a systematic approach to the development and release process.,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,The application can be deployed automatically from scratch without any manual operations,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,There is a documented process for any portions of the deployment that require manual intervention,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,N-1 or N+1 versions can be deployed via automated pipelines where N is current deployment version in production,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,There is a defined hotfix process which bypasses normal deployment procedures,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,The application deployment process leverages blue-green deployments and/or canary releases,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,Releases to production are gated by having it 
successfully deployed and tested in other environments,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,Feature flags are used to test features before rolling them out to everyone,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your workload?,None of the above.,None of the above.,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,The entire application infrastructure is defined as code,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,No operational changes are performed outside of infrastructure as code,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,Configuration drift is tracked and addressed,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,The process to deploy infrastructure is automated,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,Critical test environments have 1:1 parity with the production environment,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,Direct write access to infrastructure is not possible and all resources are provisioned or configured through IaC processes.,,,,, -Operational Excellence,What operational considerations are you making regarding the deployment of your infrastructure?,None of the above.,None of the above.,,,, -Operational Excellence,How are you managing and distributing your patches,You have a defined process to patch and update all relevant workload components.,,,,, -Operational Excellence,How are you managing and distributing your patches,You have a 
defined rollback strategy for patches.,,,,, -Operational Excellence,How are you managing and distributing your patches,There is an playbook to deploy emergency patches as needed.,,,,, -Operational Excellence,How are you managing and distributing your patches,None of the above.,None of the above.,,,, -Operational Excellence,How are you testing and validating your workload?,"The application is tested for performance, scalability, and resiliency",,,,, -Operational Excellence,How are you testing and validating your workload?,"Tests for performance, scalability, and resiliency are performed as part of each major change",,,,, -Operational Excellence,How are you testing and validating your workload?,At least a subset of tests is also performed in the production environment,,,,, -Operational Excellence,How are you testing and validating your workload?,Fault injection tests are being utilized,,,,, -Operational Excellence,How are you testing and validating your workload?,Smoke tests are performed during application deployments,,,,, -Operational Excellence,How are you testing and validating your workload?,Unit and integration testing is performed as part of the application deployment process,,,,, -Operational Excellence,How are you testing and validating your workload?,All these tests are automated and carried out periodically,,,,, -Operational Excellence,How are you testing and validating your workload?,Failing tests at least temporarily block a deployment and lead to a deeper analysis of what has happened,,,,, -Operational Excellence,How are you testing and validating your workload?,Business Continuity 'fire drills' are performed to test regional failover scenarios,,,,, -Operational Excellence,How are you testing and validating your workload?,Security and penetration testing is performed regularly,,,,, -Operational Excellence,How are you testing and validating your workload?,You regularly validate and update your tests to reflect any necessary changes.,,,,, -Operational 
Excellence,How are you testing and validating your workload?,Operational procedures are reviewed and refined regularly.,,,,, -Operational Excellence,How are you testing and validating your workload?,Mocks and stubs are used to test external dependencies in non-production environments.,,,,, -Operational Excellence,How are you testing and validating your workload?,None of the above.,None of the above.,,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,"Specific methodologies, like DevOps, are used to structure the development and operations process",,,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,Collaboration between development and operations team to resolve production issue is clearly defined and well understood,,,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,Operational shortcomings and failures are analyzed and used to improve and refine operational procedures,,,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,"There are tools or processes in place, such as Azure AD Privileged Identity Management, to grant access to critical systems on a just in-time basis",,,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,No users have long-standing write-access to production environments,,,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,Azure Resource Tags are used to enrich resources with operational meta-data,,,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,"There are tools and processes, like Azure Policy, in place to govern available services, enforce mandatory operational functionality and ensure compliance",,,,, -Operational Excellence,What processes and 
procedures have you adopted to optimize workload operability?,"Standards, policies, restrictions and best practices are defined as code, for example by using solutions like Azure Policy or HashiCorp Sentinel",,,,, -Operational Excellence,What processes and procedures have you adopted to optimize workload operability?,None of the above.,None of the above.,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Error budgets used to track service reliability.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,There is a policy that governs what happens when the error budget is exhausted.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Availability targets such as Service Level Agreements (SLAs) and Service Level Objectives (SLOs) have been set.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,The life-cycle of the application is decoupled from its dependencies.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Application logs are correlated across components.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,The application is instrumented with semantic logs and metrics.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Validated required capacity is within Azure service scale limits and quotas.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Calculated target data sizes and associated growth rates per scenario and component.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Operational procedures are defined in case data sizes exceed limits.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you 
made?,Tested and validated defined latency and throughput targets per scenario and component.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Autoscaling is enabled for application components and integrated with Azure Monitor.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Defined a disaster recovery strategy to capture recovery steps for failover and failback.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Keys and secrets are backed-up to geo-redundant storage.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,Application can be automatically deployed to a new region without any manual operations to recover from disaster scenarios.,,,,, -Operational Excellence,What operational excellence allowances for reliability have you made?,None of the above.,None of the above.,,,, -Operational Excellence,What operational excellence allowances for cost have you made?, The application was built natively for the cloud.,,,,, -Operational Excellence,What operational excellence allowances for cost have you made?,The workload is designed to use Availability Zones within a region.,,,,, -Operational Excellence,What operational excellence allowances for cost have you made?,The application has been designed to scale both in and out.,,,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Performance requirements are well-defined.,,,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Critical system flows through the application have been defined for all key business scenarios.,,,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Application Performance Management (APM) tools and log aggregation technologies are used to collect logs and metrics from Azure resources.,,,,, 
-Operational Excellence,What operational excellence allowances for cost have you made?,Role Based Access Control (RBAC) is used to control access to operational and financial dashboards and underlying data.,,,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Specific owners and processes are defined for each alert type.,,,,, -Operational Excellence,What operational excellence allowances for cost have you made?,There is an automated process to deploy application releases to production.,,,,, -Operational Excellence,What operational excellence allowances for cost have you made?,There is awareness around how the application has been built and is being maintained (in house or via an external partner).,,,,, -Operational Excellence,What operational excellence allowances for cost have you made?,The application has a well-defined naming standard for Azure resources.,,,,, -Operational Excellence,What operational excellence allowances for cost have you made?,Targets for the time it takes to perform scale operations are defined and monitored.,,,,, -Operational Excellence,What operational excellence allowances for cost have you made?,All internal and external dependencies identified and categorized as either weak or strong.,,,,, -Operational Excellence,What operational excellence allowances for cost have you made?,None of the above.,None of the above.,,,, -Operational Excellence,What operational excellence allowances for security have you made?,Regulatory and governance requirements of this workload are known and well understood.,,,,, -Operational Excellence,What operational excellence allowances for security have you made?,There are tools and processes in place to grant just-in-time access.,,,,, -Operational Excellence,What operational excellence allowances for security have you made?,Appropriate emergency access accounts are configured for this workload.,,,,, -Operational Excellence,What operational excellence allowances for security 
have you made?,None of the above.,None of the above.,,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,The workload is deployed across multiple regions.,,,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,"Regions were chosen based on location, proximity to users, and resource type availability.",,,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,Paired regions are used appropriately.,,,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,You have ensured that both (all) regions in use have the same performance and scale SKUs that are currently leveraged in the primary region.,,,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,Within a region the application architecture is designed to use Availability Zones.,,,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,The application is implemented with strategies for resiliency and self-healing.,,,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,Component proximity is considered for application performance reasons.,,,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,The application can operate with reduced functionality or degraded performance in the case of an outage.,,,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,You choose appropriate datastores for the workload during the application design.,,,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,Your application is using a micro-service 
architecture.,,,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,You understand where state will be stored for the workload.,,,,, -Performance Efficiency,What design considerations have you made for performance efficiency in your workload?,None of the above.,None of the above.,,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,You are able to predict general application usage.,,,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,There are well-defined performance requirements for the workload and its key scenarios.,,,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,Targets for scale operations are defined.,,,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,You understand and have documented the expected maximum traffic volume before performance degradation occurs.,,,,, -Performance Efficiency,Have you identified the performance targets and non-functional requirements for your workload?,None of the above.,None of the above.,,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,The workload can scale horizontally in response to changing load.,,,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,Have policies to scale in and scale down when the load decreases.,,,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,Configured scaling policies to use the appropriate metrics.,,,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,Automatically schedule autoscaling to add resources based on time of day trends.,,,,, 
-Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,Autoscaling has been tested under sustained load.,,,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,You have measured the time it takes to scale in and out.,,,,, -Performance Efficiency,How are you ensuring that your workload is elastic and responsive to changes?,None of the above.,None of the above.,,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,You have a capacity model for the workload.,,,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,Capacity utilization is monitored and used to forecast future growth.,,,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,A process for provisioning and de-provisioning capacity has been established.,,,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,You have enabled auto-scaling for all PaaS and IaaS services that support it.,,,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,You are aware of relevant Azure service limits and quotas.,,,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,You have validated the SKU and configuration choices are appropriate for your anticipated loads.,,,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,There is a strategy in place to manage events that may cause a spike in load.,,,,, -Performance Efficiency,How have you accounted for capacity and scaling requirements of your workload?,None of the above.,None of the above.,,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,You are using a 
Content Delivery Network.,,,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,You are offloading SSL.,,,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,You are using authentication/token verification offloading.,,,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,"You have defined, tested, and validated latency targets for key scenarios.",,,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,"You have defined, tested, and validated throughput targets for key scenarios.",,,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,You have identified all components that are sensitive to network latency.,,,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,Dedicated bandwidth has been acquired where needed.,,,,, -Performance Efficiency,What considerations for performance efficiency have you made in your networking stack?,None of the above.,None of the above.,,,, -Performance Efficiency,How are you managing your data to handle scale?,You know the growth rate of your data.,,,,, -Performance Efficiency,How are you managing your data to handle scale?,You have documented plans for data growth and retention.,,,,, -Performance Efficiency,How are you managing your data to handle scale?,Design for eventual consistency.,,,,, -Performance Efficiency,How are you managing your data to handle scale?,You are using database replicas and data partitioning (sharding) as appropriate.,,,,, -Performance Efficiency,How are you managing your data to handle scale?,Minimize the load on the data store.,,,,, -Performance Efficiency,How are you managing your data to handle scale?,Normalize the data appropriately.,,,,, 
-Performance Efficiency,How are you managing your data to handle scale?,Optimize database queries and indexes.,,,,, -Performance Efficiency,How are you managing your data to handle scale?,None of the above.,None of the above.,,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,There is a defined testing strategy.,,,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,Performance tests are performed regularly.,,,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,You have identified the human and environmental resources needed to create performance tests.,,,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,You are using appropriate tools to conduct performance tests on your workload.,,,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,You are testing all appropriate components for performance.,,,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,You have identified all services being utilized in Azure (and on-premise) that need to be measured.,,,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,Some tests are performed in production.,,,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,The testing plan includes occasionally injecting faults.,,,,, -Performance Efficiency,How are you testing to ensure that you workload can appropriately handle user load?,None of the above.,None of the above.,,,, -Performance Efficiency,How are you benchmarking your workload?,You have identified goals or a baseline for workload performance.,,,,, -Performance Efficiency,How are you benchmarking your 
workload?,Performance goals are based on device and/or connectivity type as appropriate.,,,,, -Performance Efficiency,How are you benchmarking your workload?,You have defined an initial connection goal for your workload.,,,,, -Performance Efficiency,How are you benchmarking your workload?,There is a goal defined for complete page load times.,,,,, -Performance Efficiency,How are you benchmarking your workload?,You have defined goals for an API (service) endpoint complete response.,,,,, -Performance Efficiency,How are you benchmarking your workload?,There are goals defined for server response time.,,,,, -Performance Efficiency,How are you benchmarking your workload?,You have goals for latency between the systems & microservices of your workload.,,,,, -Performance Efficiency,How are you benchmarking your workload?,There are goals on database query efficiency.,,,,, -Performance Efficiency,How are you benchmarking your workload?,You have a methodology to determine what acceptable performance is.,,,,, -Performance Efficiency,How are you benchmarking your workload?,None of the above.,None of the above.,,,, -Performance Efficiency,How have you modeled the health of your workload?,Application and resource level logs are aggregated in a single data sink or able to be cross-queried.,,,,, -Performance Efficiency,How have you modeled the health of your workload?,A health model is used to qualify what 'healthy' and 'unhealthy' states represent for the application.,,,,, -Performance Efficiency,How have you modeled the health of your workload?,Critical system flows are used to inform the health model.,,,,, -Performance Efficiency,How have you modeled the health of your workload?,The health model can distinguish between transient and non-transient faults.,,,,, -Performance Efficiency,How have you modeled the health of your workload?,The health model can determine if the workload is performing at the expected targets.,,,,, -Performance Efficiency,How have you modeled the health of 
your workload?,Retention times for logs and metrics been defined and housekeeping mechanisms are configured.,,,,, -Performance Efficiency,How have you modeled the health of your workload?,Long-term trends are analyzed to predict performance issues before they occur.,,,,, -Performance Efficiency,How have you modeled the health of your workload?,None of the above.,None of the above.,,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Track when resources scale in and out.,,,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Have an overall monitoring strategy for scalability and performance.,,,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Application logs are collected from different application environments.,,,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Logs are captured in a structured format.,,,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,You monitor how much of an application is involved in serving a single request.,,,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,Application events are correlated across all application components.,,,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,"You have determined an acceptable operational margin between your peak utilization and the application's maximum load, and monitor for this.",,,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,You are aware of the appropriate metrics to monitor for performance tests under standard load.,,,,, -Performance Efficiency,How are you monitoring to ensure the workload is scaling appropriately?,You monitor critical external dependencies for performance.,,,,, -Performance Efficiency,How are 
you monitoring to ensure the workload is scaling appropriately?,None of the above.,None of the above.,,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You have steps to troubleshoot database issues.,,,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You know how to handle high CPU or memory situations.,,,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You know what to do when the application response times increase while not using all the CPU or memory allocated to the system.,,,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You use profiling tools to profile your application code.,,,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,You have a response plan for network performance problems that includes traffic capturing tools.,,,,, -Performance Efficiency,What common problems do you have steps to troubleshoot in your operations playbook?,None of the above.,None of the above.,,,, \ No newline at end of file
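Review bot: The rows being deleted here are an exported assessment questionnaire (Well-Architected pillar questions with their answer options), which reads as sample or fixture data rather than source; the change description should say whether the file was committed by mistake and confirm that no script or test in the repository parses it, since after this deletion any consumer of that data has no reproducible input checked in. If the export is still needed for local testing, note in the commit message where it is obtained from so the fixture can be regenerated.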