fix: Update app gw subnet recommendation to reflect Advisor recs. (#776)

arthurclares · Copilot · web-flow · commit 95da559889d7 · 2025-09-15T13:12:14.000+01:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/azure-resources/Network/applicationGateways/kql/8364fd0a-7c0e-e240-9d95-4bf965aec243.kql b/azure-resources/Network/applicationGateways/kql/8364fd0a-7c0e-e240-9d95-4bf965aec243.kql
@@ -1,15 +1,23 @@
 // Azure Resource Graph Query
 // This query will validate the subnet id for an appGW ends with a /24
-
 resources
-| where type =~ 'Microsoft.Network/applicationGateways'
-| extend subnetid = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id)
-| join kind=leftouter(resources
+| where type == "microsoft.network/applicationgateways"
+| extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id)
+| project id, subscriptionId, subnetId, name, tags
+| join (
+    resources
     | where type == "microsoft.network/virtualnetworks"
-    | mv-expand properties.subnets
-    | extend subnetid = tostring(properties_subnets.id)
-    | extend addressprefix = tostring(properties_subnets.properties.addressPrefix)
-    | project subnetid, addressprefix) on subnetid
-| where addressprefix !endswith '/24'
-| project recommendationId = "8364fd0a-7c0e-e240-9d95-4bf965aec243", name, id, tags, param1 = strcat('AppGW subnet prefix: ', addressprefix)
-
+    | project id, subnets = properties.subnets
+    | mv-expand subnets
+    | mv-expand subnets.properties.addressPrefixes
+    | project
+        id,
+        subnetId = tostring(subnets.id),
+        prefix1 = subnets.properties.addressPrefix,
+        prefix2 = subnets.properties.addressPrefixes
+    | mv-expand prefix2
+    | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2)
+    | extend subnetPrefixLength = split(prefix, "/")[1]
+) on subnetId
+| where subnetPrefixLength > 24 and subnetPrefixLength != 64
+| project recommendationId = "8364fd0a-7c0e-e240-9d95-4bf965aec243",name,id,tags,param1 = strcat("AppGW subnet prefix: ", prefix)
diff --git a/azure-resources/Network/applicationGateways/recommendations.yaml b/azure-resources/Network/applicationGateways/recommendations.yaml
@@ -134,16 +134,16 @@
     - name: Application Gateway Connection Draining
       url: "https://learn.microsoft.com/azure/application-gateway/features#connection-draining"
 
-- description: Ensure Application Gateway Subnet is using a /24 subnet mask
+- description: A minimum subnet size of /24 is recommended for Application Gateway v2 subnets.
   aprlGuid: 8364fd0a-7c0e-e240-9d95-4bf965aec243
-  recommendationTypeId: null
+  recommendationTypeId: ef4da732-f541-4109-bc0e-465c68b6c7eb
   recommendationControl: OtherBestPractices
   recommendationImpact: High
   recommendationResourceType: Microsoft.Network/applicationGateways
   recommendationMetadataState: Active
   longDescription: |
-    Application Gateway v2 (Standard_v2 or WAF_v2 SKU) can support up to 125 instances. A /24 subnet isn't mandatory for deployment but is advised to provide enough space for autoscaling and maintenance upgrades.
-  potentialBenefits: Allows autoscaling and maintenance
+    Application Gateway (Standard_v2 or WAF_v2 SKU) can support up to 125 instances (125 instance IP addresses + 1 private frontend IP configuration + 5 Azure reserved). A minimum subnet size of /24 is recommended.
+  potentialBenefits: Enough room for scalability
   pgVerified: true
   automationAvailable: true
   tags: []
