
Acr Security Checklist - en


FastTrack for Azure Checklist

Azure Container Registry Security Review

Main Area Sub Area


Security Network Security
Security Network Security
Security Network Security
Security Network Security
Security Identity and Access Contr
Security Identity and Access Contr
Security Data Protection
Security Data Protection
Security Data Protection
Security Identity and Access Contr
Security Identity and Access Contr
Security Identity and Access Contr
Security Logging and Monitoring
Security Identity and Access Contr
Security Data Protection
Security Identity and Access Contr
Security Vulnerability Managemen
Security Vulnerability Managemen
Management Group an
Subscriptions
Management Group an
Subscriptions
Management Group an
Subscriptions
Management Group an
Subscriptions
Management Group an
Subscriptions
Management Group an
Subscriptions
Management Group an
Subscriptions
Management Group an
Subscriptions
Management Group an
Subscriptions
Management Group an
Subscriptions
Management Group an
Subscriptions
Management Group an
Subscriptions
Management Group an
Subscriptions
Network Topology and
IP plan
Network Topology and
IP plan
Network Topology and
IP plan
Network Topology and
IP plan
Network Topology and
IP plan
Network Topology and
IP plan
Network Topology and
IP plan
Network Topology and
IP plan
Network Topology and
IP plan
Network Topology and
Virtual WAN
Network Topology and
Virtual WAN
Network Topology and
Virtual WAN
Network Topology and
Virtual WAN
Network Topology and
Virtual WAN
Network Topology and
Virtual WAN
Network Topology and
Virtual WAN
Network Topology and
Virtual WAN
Network Topology and
Virtual WAN
Network Topology and
Virtual WAN
Network Topology and
Virtual WAN
Network Topology and
Virtual WAN
Network Topology and
Hub and spoke
Network Topology and
Hub and spoke
Network Topology and
Hub and spoke
Network Topology and
Hub and spoke
Network Topology and
Hub and spoke
Network Topology and
Hub and spoke
Network Topology and
Hub and spoke
Network Topology and
Hub and spoke
Network Topology and
Hub and spoke
Network Topology and
Hybrid
Network Topology and
Hybrid
Network Topology and
Hybrid
Network Topology and
Hybrid
Network Topology and
Hybrid
Network Topology and
Hybrid
Network Topology and
Hybrid
Network Topology and
Hybrid
Network Topology and
Hybrid
Network Topology and
Hybrid
Network Topology and
Hybrid
Network Topology and
Hybrid
Network Topology and
PaaS
Network Topology and
PaaS
Network Topology and
PaaS
Network Topology and
PaaS
Network Topology and
PaaS
Network Topology and
PaaS
Network Topology and
PaaS
Network Topology and
PaaS
Network Topology and
Internet
Network Topology and
Internet
Network Topology and
Internet
Network Topology and
Internet
Network Topology and
Internet
Network Topology and
Internet
Network Topology and
Internet
Network Topology and
Internet
Network Topology and
Internet
Network Topology and
App delivery
Network Topology and
App delivery
Network Topology and
App delivery
Network Topology and
App delivery
Network Topology and
App delivery
Network Topology and
App delivery
Network Topology and
App delivery
Network Topology and
App delivery
Network Topology and
App delivery
Network Topology and
Segmentation
Network Topology and
App delivery
Network Topology and
Segmentation
Network Topology and
Segmentation
Network Topology and
Segmentation
Network Topology and
Segmentation
Network Topology and
Segmentation
Network Topology and
Segmentation
Network Topology and
Encryption
Network Topology and
Encryption
Network Topology and
Encryption
Network Topology and
Inspection
Network Topology and
Inspection
Network Topology and
Inspection
Network Topology and
Inspection
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Management and Moni
Monitoring
Security, Governance Secrets
Security, Governance Secrets
Security, Governance Secrets
Security, Governance Secrets
Security, Governance Secrets
Security, Governance Secrets
Security, Governance Secrets
Security, Governance Secrets
Security, Governance Secrets
Security, Governance Secrets
Security, Governance Secrets
Security, Governance Secrets
Security, Governance Governance
Security, Governance Governance
Security, Governance Governance
Security, Governance Governance
Security, Governance Governance
Security, Governance Governance
Security, Governance Governance
Security, Governance Governance
Security, Governance Governance
Security, Governance Governance
Security, Governance Governance
Security, Governance Security
Security, Governance Security
Security, Governance Security
Security, Governance Security
Security, Governance Security
Security, Governance Security
Security, Governance Security
Security, Governance Security
Security, Governance Security
Network Topology and Front Door
Security, Governance Front Door
Security, Governance Front Door
Operations Front Door
Operations Front Door
Network Topology and
Front Door
Security, Governance Front Door
Network Topology and
Front Door
Network Topology and
Front Door
Network Topology and
Front Door
Security, Governance Front Door
Security, Governance Front Door
Operations Front Door
Security, Governance Front Door
Security, Governance Front Door
Security, Governance Front Door
Security, Governance Front Door
Security, Governance Front Door
Security, Governance Front Door
Security, Governance Front Door
Management and Moni
Front Door
Management and Moni
Front Door
Checklist item
Control inbound network access with Private Link
Disable Public Network access
Use an Azure Container Registry SKU that supports Private Link (Premium SKU)
Enable Defender for Containers to scan Azure Container Registry for vulnerabilities
Use Managed Identities to connect instead of Service Principals
Disable local authentication for management plane access
Disable Azure Container Registry image export
Enable Azure Policies for Azure Container Registry
Sign and Verify containers with notation (Notary v2)
Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals
Disable Anonymous pull access
Disable repository-scoped access tokens
Enable diagnostics logging
Deploy images from a trusted environment
Encrypt registry with a customer managed key
Disable Azure ARM audience tokens for authentication
Deploy validated container images
Use up-to-date platforms, languages, protocols and frameworks
Enforce a platform management group under the root management group to support common platform policy a
Enforce a dedicated connectivity subscription in the Platform management group to host an Azure Virtual WAN h
Enforce no subscriptions are placed under the root management group
Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC author
Enforce management groups under the root-level management group to represent the types of workloads, based
Enforce a process to make resource owners aware of their roles and responsibilities, access review, budget review
Ensure that all subscription owners and IT core team are aware of subscription resource limitations as part of wor
Use Reserved Instances where appropriate to optimize cost and ensure available capacity in target regions. Enfor
Enforce a dashboard, workbook, or manual process to monitor used capacity levels
Ensure required services and features are available within the chosen deployment regions
Enforce a process for cost management
If AD on Windows Server, establish a dedicated identity subscription in the Platform management group to host
Ensure tags are used for billing and cost management
Ensure no overlapping IP address spaces across Azure regions and on-premises locations
Ensure that you use IP addresses from the address allocation for private internets (RFC 1918).
Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16)
Ensure no public IP address range (CIDR block) for VNETs, especially if not owned by your organization
Avoid using overlapping IP address ranges for production and DR sites.
For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution. Crea
For environments where name resolution across Azure and on-premises is required, use existing DNS infrastructu
Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred
Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual m
Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly des
Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a c
Use Virtual Hub Routing features to further segment traffic between VNets and branches.
Connect Virtual WAN hubs to on-premises datacenters by using ExpressRoute
Connect branches and remote locations to the nearest Virtual WAN hub via Site-to-Site VPN, or enable branch co
Connect users to the Virtual WAN hub via a Point-to-Site VPN.
Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via th
For outbound Internet traffic protection and filtering, deploy Azure Firewall
When deploying partner networking technologies and NVAs in VWAN, verify configuration with partner vendor's
Ensure that Azure Virtual WAN and Azure Firewall resources are created in the connectivity subscription.
Ensure that the network architecture is within the Azure Virtual WAN limits.
Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and
Consider a network design based on the traditional hub-and-spoke network topology for the following scenarios
Ensure that shared services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs
When deploying partner networking technologies or NVAs, follow the partner vendor's guidance
Do not deploy inbound L7 services such as Azure Application Gateway as a shared service in the central-hub virtu
If you need transit between ExpressRoute and VPN gateways, use Azure Route Server.
For network architectures with multiple hub-and-spoke topologies across Azure regions, use Global Virtual Netw
When you deploy a hub-and-spoke network architecture in two Azure regions and transit connectivity between a
Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.
When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits and the
Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.
When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with
Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance
Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.
For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Dir
When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable Fa
Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redunda
Use ExpressRoute Global Reach to connect large offices, regional headquarters, or datacenters connected to Azu
When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction
Monitor ExpressRoute availability and utilization using built-in Azure Monitor metrics.
Use Connection Monitor for connectivity monitoring across the environment.
Don't explicitly use ExpressRoute circuits from a single peering location. Doing so creates a single point of failure
If you need private communication to PaaS services, consider the different options available.
Azure PaaS services that have been injected into a virtual network still perform management plane operations by
Use Private Link, where available, for shared Azure PaaS services.
Access Azure PaaS services from on-premises via ExpressRoute private peering. This method avoids transiting ov
Use virtual network service endpoints when Private Link isn't available
Don't enable virtual network service endpoints by default on all subnets.
Don't use virtual network service endpoints when there are data exfiltration concerns, unless you use NVA filterin
Don't implement forced tunneling to enable communication from Azure to Azure resources.
Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/W
Use Firewall Manager with Virtual WAN to deploy and manage Azure firewalls across Virtual WAN hubs or in hub
Create a global Azure Firewall policy to govern security posture across the global network environment and assig
Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use suc
Use WAF within a landing-zone virtual network for protecting inbound HTTP/S traffic from the internet.
Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S co
When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in A
If partner NVAs are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network
Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual n
Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).
For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are
Use a partner NVA if you can't use Application Gateway v2 for the security of HTTP/S apps.
Deploy Azure Application Gateway v2 or partner NVAs used for inbound HTTP/S connections within the landing-
Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.
Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span Azure regions.
When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lo
Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.
If users only need access to internal applications, has Azure AD Application Proxy been considered as an alternati
Delegate subnet creation to the landing zone owner.
To reduce the number of firewall ports open for incoming connections in your network, consider using Azure AD
Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between la
The application team should use application security groups at the subnet-level NSGs to help protect multi-tier V
Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a cen
Enable NSG flow logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.
Use NSGs to selectively allow connectivity between landing zones.
For Virtual WAN topologies, route traffic across landing zones via Azure Firewall if the organization requires filter
When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level betwe
If traffic between Azure regions must be encrypted, use global VNet peering to connect virtual networks across re
For Virtual WAN scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a Virtu
Use Network Watcher packet capture despite the limited capture window.
Evaluate whether the latest version of NSG flow logs provides the level of detail that you need.
Use partner solutions for scenarios that require deep packet inspection.
Don't develop a custom solution to mirror traffic. Although this approach might be acceptable for small-scale sce
Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access contro
Is the landing zone documented?
Export logs to Azure Storage if log retention requirements exceed two years. Use immutable storage with a write
Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organiz
Monitor in-guest virtual machine (VM) configuration drift using Azure Policy. Enabling guest configuration audit c
Use Update Management in Azure Automation as a long-term patching mechanism for both Windows and Linux
Use Network Watcher to proactively monitor traffic flows
Use resource locks to prevent accidental deletion of critical shared services.
Use deny policies to supplement Azure role assignments. The combination of deny policies and Azure role assign
Include service and resource health events as part of the overall platform monitoring solution. Tracking service an
Include alerts and action groups as part of the Azure Service Health platform to ensure that alerts or issues can b
Don't send raw log entries back to on-premises monitoring systems. Instead, adopt a principle that data born in A
Use a centralized Azure Monitor Log Analytics workspace to collect logs and metrics from IaaS and PaaS applicat
Use Azure Monitor Logs for insights and reporting.
When necessary, use shared storage accounts within the landing zone for Azure diagnostic extension log storage
Use Azure Monitor alerts for the generation of operational alerts.
Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to rep
Ensure that you use and test native PaaS service disaster recovery capabilities.
Use Azure-native backup capabilities. Verify that partner/customer is aware of Azure Backup and all new capabilit
Ensure that monitoring requirements have been assessed and that appropriate data collection and alerting config
Use Azure Key Vault to store your secrets and credentials
Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict
Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for delete
Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to sp
Automate the certificate management and renewal process with public certificate authorities to ease administrati
Establish an automated process for key and certificate rotation.
Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key
Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within
Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant con
Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when
Use an Azure Key Vault per application per environment per region.
If you want to bring your own keys, this might not be supported across all considered services. Implement relevan
Leverage Azure Policy
Identify required Azure tags and use the append policy mode to enforce usage.
Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.
Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherit
Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required
Use Azure Policy to control resource provider registrations at the subscription and/or management group levels
Use built-in policies where possible to minimize operational overhead.
Assign the built-in Policy Contributor role at a particular scope to enable application-level governance.
Limit the number of Azure Policy assignments made at the root management group scope to avoid managing th
Use Azure policies to automatically deploy software configurations through VM extensions and enforce a complia
Monitor VM security configuration drift via Azure Policy.
Use Azure AD reporting capabilities to generate access control audit reports.
Export Azure activity logs to Azure Monitor Logs for long-term data retention. Export to Azure Storage for long-t
Enable Defender for Cloud Standard for all subscriptions.
Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.
Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.
Determine the incident response plan for Azure services before allowing it into production.
Implement a zero-trust approach for access to the Azure platform, where appropriate.
Plan how new Azure services will be implemented
Plan how service requests will be fulfilled for Azure services
Avoid combining Azure Traffic Manager and Azure Front Door.
Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Fro
Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS req
Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certifica
If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce th
Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs
Enable the Azure Front Door WAF. Protect your application from a range of attacks.
Disable health probes when there’s only one origin in an Azure Front Door origin group.
Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of yo
Use HEAD health probes with Azure Front Door. Reduce the traffic that Front Door sends to your application.
Tune the Azure Front Door WAF for your workload. Reduce false positive detections.
Use prevention mode with the Azure Front Door WAF. Prevention mode ensures that the WAF blocks malicious re
Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new ruleset
Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.
Enable the Azure Front Door WAF bot management rules. The bot rules detect good and bad bots.
Use the latest Azure Front Door WAF ruleset versions. Ruleset updates are regularly updated to take account of th
Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending la
Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate tr
Geo-filter traffic by using the Azure Front Door WAF. Allow traffic only from expected regions, and block traffic fr
Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally b
Add diagnostic settings to save your Azure Front Door WAF's logs. Regularly review the logs to check for attacks
Send Azure Front Door logs to Microsoft Sentinel. Detect attacks and integrate Front Door telemetry into your ov
Description (optional) Severity Status
Service supports disabling public networ Medium Not verified
Disable public network access if inboun Medium Not verified
Only the ACR Premium SKU supports Pri Medium Not verified
Azure Defender for containers or equiva Low Not verified
Use managed identities to secure ACRPu High Not verified
The local Administrator account is dis High Not verified
Disable image export to prevent data ex High Not verified
Enable audit compliance visibility by en High Not verified
The Azure Key Vault (AKV) is used to s High Not verified
Disable Administrator account and assig High Not verified
Disable anonymous pull/push access Medium Not verified
Token authentication doesn't support a High Not verified
Set up a diagnostic setting to send 'rep Medium Not verified
Deploy container images to an ACR behi High Not verified
Azure Container Registry automatically Medium Not verified
Only tokens with an ACR audience can b Medium Not verified
Deploy trusted code that was validated Medium Not verified
Use the latest versions of supported p High Not verified
latform policy and Azure role assignment Medium Not verified
e Virtual WAN hub, private Domain Name System (D Medium Not verified
Medium Not verified
re RBAC authorization in the management group h Medium Not verified
workloads, based on their security, compliance, conne Medium Not verified
, budget review, policy compliance and remediate High Not verified
s as part of workload design sessions. Medium Not verified
t regions. Enforce the use of purchased Reserved High Not verified
High Not verified
Medium Not verified
High Not verified
group to host Windows Server Active Directory d Medium Not verified
Medium Not verified
Medium Not verified
Medium Not verified
ample /16) Medium Not verified
Medium Not verified
Medium Not verified
resolution. Create a delegated zone for name resol Medium Not verified
DNS infrastructure (for example, Active Directory in Medium Not verified
their preferred DNS solution. Medium Not verified
for the virtual machines deployed within a virtual Medium Not verified
is explicitly described in the list of Virtual WAN r Medium Not verified
regions via a common global Azure Virtual WAN. Medium Not verified
Medium Not verified
Medium Not verified
nable branch connectivity to Virtual WAN via an Medium Not verified
Medium Not verified
re occurs via the Microsoft backbone network Medium Not verified
Medium Not verified
artner vendor's guidance to ensure there are no con Medium Not verified
Medium Not verified
Medium Not verified
AN, status, and key metrics. Medium Not verified
owing scenarios: a network architecture deployed wi Medium Not verified
or partner NVAs in the central-hub virtual network. Medium Not verified
Medium Not verified
entral-hub virtual network. Instead, deploy them to Medium Not verified
Medium Not verified
al Virtual Network Peering to connect landing-zo Medium Not verified
tivity between all landing zones across regions is requ Medium Not verified
Medium Not verified
g limits and the maximum number of prefixes that Medium Not verified
Medium Not verified
ze routing with BGP attributes, if certain paths are Medium Not verified
nd performance requirements. Medium Not verified
Medium Not verified
xpressRoute Direct. Medium Not verified
Gbps, enable FastPath to bypass the ExpressRoute Medium Not verified
y zone-redundant gateways (where available). Medium Not verified
nnected to Azure via ExpressRoute. Medium Not verified
nonproduction environments, use different ExpressRo Medium Not verified
Medium Not verified
Medium Not verified
point of failure and makes the organization susce Medium Not verified
Medium Not verified
e operations by using public IP addresses. Ensure Medium Not verified
Medium Not verified
ds transiting over the public internet. Medium Not verified
Medium Not verified
Medium Not verified
use NVA filtering. Medium Not verified
Medium Not verified
ions, and East/West traffic filtering (if the organizat Medium Not verified
hubs or in hub virtual networks. Firewall Manager is Medium Not verified
ment and assign it to all Azure Firewall instances. A Medium Not verified
wants to use such solutions to help protect outbou Medium Not verified
Medium Not verified
ound HTTP/S connections to a landing zone. Medium Not verified
WAF policies in Azure Front Door. Lock down Azure Ap Medium Not verified
virtual network and together with the apps that the Medium Not verified
hin the virtual networks. Medium Not verified
Medium Not verified
and policies are enabled. Medium Not verified
Medium Not verified
in the landing-zone virtual network and with the ap Medium Not verified
Medium Not verified
Azure regions. Medium Not verified
n Front Door. Lock down Application Gateway to rec Medium Not verified
Medium Not verified
d as an alternative to Azure Virtual Desktop (AVD)? Low Not verified
Medium Not verified
using Azure AD Application Proxy to give remote use Medium Not verified
affic between landing zones). Medium Not verified
tect multi-tier VMs within the landing zone. Medium Not verified
void using a central NVA to filter traffic flows. Medium Not verified
al traffic flows. Medium Not verified
Medium Not verified
n requires filtering and logging capabilities for tra Medium Not verified
two level between the organization's routers and Medium Not verified
tworks across regions. Medium Not verified
ect), use a Virtual WAN VPN gateway to establish I Medium Not verified
Medium Not verified
Medium Not verified
Medium Not verified
small-scale scenarios, we don't encourage it at sca Medium Not verified
d access control (Azure RBAC), data sovereignty re Medium Not verified
Medium Not verified
ge with a write-once, read-many policy to make da Medium Not verified
enforce organization-wide settings to ensure consi Medium Not verified
guration audit capabilities through policy helps ap Medium Not verified
dows and Linux VMs. Medium Not verified
Medium Not verified
Medium Not verified
zure role assignments ensures the appropriate guar Low Not verified
cking service and resource health from the pla Medium Not verified
or issues can be actioned Medium Not verified
at data born in Azure stays in Azure. If on-premises SI Medium Not verified
d PaaS application resources and control log acce Medium Not verified
Medium Not verified
ion log storage. Medium Not verified
Medium Not verified
bles you to replicate workloads across regions. Medium Not verified
Medium Not verified
all new capabilities which greatly can simplify b Medium Not verified
d alerting configurations are applied Medium Not verified
High Not verified
its and restrict access to secrets. Medium Not verified
ction for deleted objects. Medium Not verified
ertificates to specialized custom Azure Active Direc Medium Not verified
ase administration. Medium Not verified
Medium Not verified
cess to the key vault. Medium Not verified
et usage within each instance of Key Vault. Medium Not verified
nt compliant configuration. Medium Not verified
ged keys when required. Medium Not verified
Medium Not verified
plement relevant mitigation so that inconsistenci Medium Not verified
High Not verified
Medium Not verified
Medium Not verified
igned at inherited scopes Medium Not verified
Medium Not verified
nt group levels Low Not verified
Medium Not verified
Medium Not verified
d managing through exclusions at inherited scope Medium Not verified
nforce a compliant baseline VM configuration. Medium Not verified
Medium Not verified
Medium Not verified
rage for long-term storage beyond two years, if n Medium Not verified
Medium Not verified
Medium Not verified
Medium Not verified
Medium Not verified
Medium Not verified
Medium Not verified
Medium Not verified
High Not verified
or, and from Front Door to your origin. High Not verified
o an HTTPS request automatically. Medium Not verified
due to certificate renewals. High Not verified
rsion. Reduce the risk of outages caused by manual Medium Not verified
use subtle bugs. Medium Not verified
High Not verified
Low Not verified
t check all of your application's dependencies. Medium Not verified
application. Low Not verified
High Not verified
cks malicious requests. High Not verified
pt new ruleset versions and gain additional protect Medium Not verified
High Not verified
High Not verified
ke account of the current threat landscape. Medium Not verified
onally sending large amounts of traffic in a short pe Medium Not verified
ng legitimate traffic, while still providing protect Medium Not verified
d block traffic from other regions. Low Not verified
d accidentally blocking legitimate requests when Medium Not verified
eck for attacks and for false positive detections. High Not verified
try into your overall Azure environment. Medium Not verified
Comment
More info Training Graph GUID
https://learn.microsoft.com/azure/container-registry/container-registry-private-link 21d41d25-00b7-407a-b9ea
https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-p
cd289ced-6b17-4db8-8554
https://learn.microsoft.com/azure/container-registry/container-registry-skus fc833934-8b26-42d6-ac5f
https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction bad37dac-43bc-46ce-8d7a
https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity
8f42d78e-79dc-47b3-9bd2
https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity
be0e38ce-e297-411b-b363
https://learn.microsoft.com/azure/container-registry/data-loss-prevention ab91932c-9fc9-4d1b-a880
https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy d503547c-d447-4e82-9128
https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push
d345293c-7639-4637-a551
https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli 387e5ced-126c-4d13-8af5
https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-acc
e338997e-41c7-47d7-acf6
https://learn.microsoft.com/en-gb/azure/container-registry/container-registry-authentication?tabs=azure-cli
698dc3a2-fd27-4b2e-8870
https://learn.microsoft.com/azure/container-registry/monitor-service 8a488cde-c486-42bc-9bd2
b3bec3d4-f343-47c1-936d
https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys 0bd05dc2-efd5-4d76-8d41
https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy
3a041fd3-2947-498b-8288
4451e1a2-d345-4293-a763
4e401955-387e-45ce-b126
https://docs.microso https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/
61623a76-5a91-47e1-b348
https://docs.microso https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/
8bbac757-1559-4ab9-853e
https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#sett
33b6b780-8b9f-4e5c-9104
https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#settin
74d00018-ac6a-49e0-8e6a
https://docs.microsoft.com/azure/governance/management-groups/overview 92481607-d5d1-4e4e-9146
https://docs.microsoft.com/azure/governance/management-groups/overview 49b82111-2df2-47ee-912e
https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits
2dd69c5b-5c26-422f-94b6
https://docs.microsoft https://docs.microsoft.com/learn/paths/improve-reliability-modern-operations/
c68e1d76-6673-413b-9f56
https://docs.microsoft https://docs.microsoft.com/learn/paths/monitor-usage-performance-availability-reso
c773e7d2-6162-43a7-95a9
https://azure.microsoft https://docs.microsoft.com/learn/modules/azure-architecture-fundamentals/
4c27d42e-8bba-4c75-9155
https://docs.microsof https://docs.microsoft.com/learn/paths/control-spending-manage-bills/
ae28c84c-33b6-4b78-88b9
https://docs.microso https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/
3a923c34-74d0-4001-aac6
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/
5de32c19-9248-4160-9d5d
https://docs.microsoft https://docs.microsoft.com/learn/paths/architect-network-infrastructure/
558fd772-49b8-4211-82df
https://docs.microsoft https://docs.microsoft.com/learn/paths/architect-network-infrastructure/
3f630472-2dd6-49c5-a5c2
https://docs.microsoft https://docs.microsoft.com/learn/paths/architect-network-infrastructure/
33aad5e8-c68e-41d7-9667
https://docs.microsoft https://docs.microsoft.com/learn/paths/architect-network-infrastructure/
e984a859-c773-4e7d-8616
https://docs.microsoft https://docs.microsoft.com/learn/paths/az-104-manage-virtual-networks/
f348ef25-4c27-4d42-b8bb
https://docs.microsoft https://docs.microsoft.com/learn/paths/az-104-manage-virtual-networks/
153e8908-ae28-4c84-a33b
https://docs.microsoft https://docs.microsoft.com/learn/paths/az-104-manage-virtual-networks/
41049d40-3a92-43c3-974d
https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instan
1e6a83de-5de3-42c1-a924
https://docs.microsoft https://docs.microsoft.com/learn/paths/az-104-manage-virtual-networks/
614658d3-558f-4d77-849b
https://docs.microsoft https://docs.microsoft.com/learn/modules/introduction-azure-virtual-wan/
412e7f98-3f63-4047-82dd
https://docs.microsoft.com/azure/virtual-wan/virtual-wan-about 54b69bad-33aa-4d5e-ac68
https://docs.microsoft.com/azure/virtual-wan/virtual-wan-about 4f5664b5-e984-4a85-ac77
https://docs.microsoft https://docs.microsoft.com/learn/modules/configure-expressroute-virtual-wan/
65a917e1-f348-4ef2-94c2
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-hybrid-networking/
71559ab9-153e-4890-aae2
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-hybrid-networkin
08b9fe5c-4104-49d4-83a9
https://docs.microsoft.com/azure/virtual-wan/virtual-wan-about 8ac6a9e0-1e6a-483d-b5de
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-networking-infrastructure/
7d5d1e4e-6146-458d-9558
https://docs.microsoft.com/azure/virtual-wan/virtual-wan-about 12df27ee-412e-47f9-a3f6
https://docs.microsoft.com/azure/virtual-wan/virtual-wan-about b5c2622f-54b6-49ba-b33a
https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits
6667313b-4f56-464b-9e98
https://docs.microsoft.com/azure/virtual-wan/azure-monitor-insights 261623a7-65a9-417e-8f34
https://docs.microsof https://docs.microsoft.com/learn/paths/architect-network-infrastructure/
e8bbac75-7155-49ab-a153
https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute
7dd61623-a364-4a90-9eca
https://docs.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha e2e8abac-3571-4559-ab91
https://azure.microsoft.com/solutions/network-appliances/ 44ce3b1a-2808-4b9e-a1bf
https://docs.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-tr
ce463dbb-bc8a-4c2a-aebc
https://docs.microsoft https://docs.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks
cc881471-607c-41cc-a0e6
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-azure-expressrout
37239b82-1112-4dbd-9eaf
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-network-monitoring/
4722d929-c1b1-4cd6-81f5
https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?to
0e7c28ec-9366-4572-83b0
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
359c373e-7dd6-4162-9a36
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
f29812b2-363c-4efe-879b
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
d4cd21b0-8813-47f5-b6c4
https://docs.microsof https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
2447ec66-138a-4720-8f1c
https://docs.microsof https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
72e52e36-11cc-458b-9a4b
https://learn.microsof https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
c2299c4d-7b57-4d0c-9555
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
4d873974-8b66-42d6-b15f
https://docs.microsof https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
fe237de1-43b1-46c3-8d7a
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
8042d88e-79d1-47b7-9b22
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
b30e38c3-f298-412b-8363
https://docs.microsof https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
5bf68dc9-325e-4873-bf88
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
e0d5973c-d4cd-421b-8881
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-private-access-to-azure-
e504547c-2447-4ec6-9138
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-network-security/?source=learn
d301d6e8-72e5-42e3-911c
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-application-delivery/ e43a58a9-c229-49c4-b7b5
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/
b3e4563a-4d87-4397-98b6
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-network-security/?source=learn
65498f6d-fe23-47de-843b
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-network-security/?source=learn
4704489a-8042-4d88-b79d
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-network-security/?source=learn
7e7a8ed4-b30e-438c-9f29
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-network-security/?source=learn
179b599d-e0d5-4973-ad4c
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-networking-infrastructure/
e6c4cfd3-e504-4547-a244
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-networking-infrastructure/
0f1ce16e-d301-4d6e-a72e
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-networking-infrastructure/
5a4b1511-e43a-458a-ac22
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-networking-infrastructure/
655562f2-b3e4-4563-a4d8
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-application-delivery/ d15f512a-6549-48f6-bfe2
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-application-delivery/ 1d7aa9b6-4704-4489-a804
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-application-delivery/ 3b22a5a6-7e7a-48ed-9b30
https://docs.microsoft https://docs.microsoft.com/learn/paths/architect-network-infrastructure/
2363cefe-179b-4599-be0d
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-networking-infrastructure/
088137f5-e6c4-4cfd-9e50
https://docs.microsof https://docs.microsoft.com/learn/paths/secure-application-delivery/ 6138a720-0f1c-4e16-bd30
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-application-delivery/ 611cc58b-5a4b-4151-8e43
https://docs.microsof https://docs.microsoft.com/learn/paths/architect-network-infrastructure/
d7b57d0c-6555-462f-8b3e
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-application-delivery/ 48b662d6-d15f-4512-a654
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-networking-infrastructure/
143b16c3-1d7a-4a9b-9470
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-networking-infrastructure/
e79d17b7-3b22-4a5a-97e7
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-networking-infrastructure/
3f29812b-2363-4cef-b179
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-networking-infrastructure/
cd4cd21b-0881-437f-9e6c
https://docs.microsoft https://docs.microsoft.com/learn/modules/configure-azure-ad-application-proxy/
3b4b3e88-a459-4ed5-a22f
https://docs.microsof https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/
c2447ec6-6138-4a72-80f1
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-applications-external-access-azure
01ca7cf1-5754-442d-babb
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-network-security/
872e52e3-611c-4c58-a5a4
https://docs.microsof https://docs.microsoft.com/learn/paths/implement-network-security/ 9c2299c4-d7b5-47d0-a655
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-network-security/
a4d87397-48b6-462d-9d15
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-network-monitoring/
dfe237de-143b-416c-91d7
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-network-security/
a8042d88-e79d-417b-93b2
https://docs.microsoft https://docs.microsoft.com/learn/paths/secure-networking-infrastructure/
4b30e38c-3f29-4812-a236
https://docs.microsoft.com/azure/virtual-network/network-security-group-how-it-works de0d5973-cd4c-4d21-a088
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-network-security/
3e504547-c244-47ec-9613
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-network-security/
ed301d6e-872e-452e-9611
https://docs.microsoft https://docs.microsoft.com/learn/modules/design-implement-network-monitoring/
1e43a58a-9c22-499c-9d7b
https://docs.microsoft.com/azure/virtual-wan/virtual-wan-about 2b3e4563-a4d8-4739-948b
https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview a65498f6-dfe2-437d-b143
https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-traffic-ins
64704489-a804-42d8-ae79
https://docs.microsof https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment
67e7a8ed-4b30-4e38-a3f2
e179b599-de0d-4597-9cd4
https://docs.microsof https://docs.microsoft.com/learn/paths/architect-infrastructure-operations/
5e6c4cfd-3e50-4454-9c24
https://docs.microsof https://docs.microsoft.com/learn/paths/architect-infrastructure-operations/
00f1ce16-ed30-41d6-b872
https://docs.microsoft https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/
e7d7e484-3276-4d8b-bc05
https://docs.microso https://docs.microsoft.com/learn/paths/azure-administrator-manage-compute-r
f9887952-5d62-4688-9d70
https://docs.microsof https://docs.microsoft.com/learn/modules/configure-network-watcher/
90483845-c986-4cb2-a131
https://docs.microsof https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/
541acdce-9793-477b-adb3
https://docs.microsoft.com/azure/governance/policy/overview a6e55d7d-8a2a-4db1-87d6
https://docs.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal
e5695f22-23ac-4e8c-a123
https://docs.microsoft.com/azure/azure-monitor/alerts/action-groups d5f345bf-97ab-41a7-819c
https://docs.microsoft.com/azure/sentinel/quickstart-onboard e3ab3693-829e-47e3-8618
https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment 9945bda4-3334-4f24-a116
https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reportin
6944008b-e7d7-4e48-9327
https://docs.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview 619e8a13-f988-4795-85d6
https://docs.microsoft.com/azure/azure-monitor/alerts/alerts-overview 97be9951-9048-4384-9c98
https://docs.microsoft.com/azure/site-recovery/site-recovery-overview 2476e49f-541a-4cdc-b979
https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery b2ab13ad-a6e5-45d7-b8a2
https://docs.microsoft.com/azure/backup/backup-center-overview f625ca44-e569-45f2-823a
https://docs.microsoft.com/azure/architecture/best-practices/monitoring 859c3900-4514-41eb-b010
https://docs.microsoft.com/azure/key-vault/general/overview 5017f154-e3ab-4369-9829
https://docs.microsoft.com/azure/key-vault/general/overview-throttling a0477a20-9945-4bda-9333
https://docs.microsoft.com/azure/key-vault/general/best-practices 2ba52752-6944-4008-ae7d
https://docs.microsoft.com/azure/key-vault/general/best-practices dc055bcf-619e-48a1-9f98
https://docs.microsoft.com/azure/key-vault/general/best-practices 6d70ba6c-97be-4995-8904
https://docs.microsoft.com/azure/key-vault/general/best-practices 913156a1-2476-4e49-b541
https://docs.microsoft.com/azure/key-vault/general/best-practices cdb3751a-b2ab-413a-ba6e
https://docs.microsoft.com/azure/key-vault/general/monitor-key-vault 17d6326a-f625-4ca4-9e56
https://docs.microsoft.com/azure/key-vault/general/best-practices b12308ca-5017-4f15-9e3a
https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest 16183687-a047-47a2-8994
https://docs.microsoft.com/azure/key-vault/general/best-practices 91163418-2ba5-4275-8694
https://docs.microsoft.com/azure/key-vault/general/best-practices 25d62688-6d70-4ba6-a97b
https://docs.microsoft.com/azure/governance/policy/overview 5c986cb2-9131-456a-8247
https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-taggin
e979377b-cdb3-4751-ab2a
https://docs.microsoft.com/azure/governance/policy/overview d8a2adb1-17d6-4326-af62
https://docs.microsoft.com/azure/governance/policy/overview 223ace8c-b123-408c-a501
https://docs.microsoft.com/azure/governance/policy/overview 3829e7e3-1618-4368-9a04
https://docs.microsoft.com/azure/governance/policy/overview 43334f24-9116-4341-a2ba
https://docs.microsoft.com/azure/governance/policy/overview be7d7e48-4327-46d8-adc0
https://docs.microsoft.com/azure/governance/policy/overview 3f988795-25d6-4268-a6d7
https://docs.microsoft.com/azure/governance/policy/overview 19048384-5c98-46cb-8913
https://docs.microsoft.com/azure/governance/policy/concepts/guest-configuration f541acdc-e979-4377-acdb
https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-op
da6e55d7-d8a2-4adb-817d
https://docs.microsoft.com/azure/active-directory/reports-monitoring/overview-reports 4e5695f2-223a-4ce8-ab12
https://docs.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal 4e3ab369-3829-4e7e-9161
https://docs.microsoft.com/azure/security-center/ 09945bda-4333-44f2-9911
https://docs.microsoft.com/azure/security-center/ 15833ee7-ad6c-46d3-9331
https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment e5f8d79f-2e87-4768-924c
b86ad884-08e3-4727-94b8
https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response
https://www.microsoft.com/security/business/zero-trust 01365d38-e43f-49cc-ad86
9a19bf39-c95d-444c-9c89
https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response
ae514b93-3d45-485e-8112
https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response
062d5839-4d36-402f-bfa4
https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-fr
https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls 2e30abab-5478-417c-81bf
10aa45af-166f-44c4-9f36
https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection
af95c92d-d723-4f4a-98d7
https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates
f00a69de-7076-4734-a734
https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed
5efeb96a-003f-4b18-8fcd
https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-do
https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf 28b9ee82-b2c7-45aa-bc98
0b5a380c-4bfb-47bc-b1d7
https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only
5567048e-e5d7-4206-9c55
https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints
https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes a13f72f3-8f5c-4864-95e5
2902d8cc-1b0c-4495-afad
https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune
17ba124b-127d-42b6-9322
https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use
189ea962-3969-4863-8f5a
https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#defi
49a98f2b-ec22-4a87-9415
https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enabl
147a13d4-2a2f-4824-a524
https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#ena
d7dcdcb9-0d99-44b9-baab
https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-th
b9620385-1cde-418f-914b
https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-r
6dc36c52-0124-4ffe-9eaf
https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-
388a3d0e-0a43-4367-90b2
https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-fil
00acd8a9-6975-414f-8491
https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#spec
89cc5e11-aa4d-4c3b-893d
https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-
7f408960-c626-44cb-a018
https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-
Secure Cost Scale Simple HA
Severity Status Category Reference Default tit Technologi Languages Status descriptions Technology
High Not verified Identity a https://ra Use the "ImLanding Zone This check has not belz
Medium Open Network Topology and ConnectivAKS There is an action ite aks
Low Fulfilled Business Continuity and Disaste AVD This check has been ve avd
N/A Security, Governance, and CompAVS Not applicable for curavs
Not requiredApplication Automation and De Security Not required security
Management and Monitoring Multitenancy multitenancy
Application Deployment
Language file suffix
en
ja
ko
pt
es
multitenancy
