Azure · caseywatson · Apr 3, 2025 · Mar 26, 2025 · Mar 26, 2025 · Mar 26, 2025
@@ -9,6 +9,8 @@ recommendation:
   recommendationImpact: enum('Low', 'Medium', 'High')
   recommendationResourceType: any(
     regex('^Microsoft\\.[a-zA-Z0-9.]+/[a-zA-Z0-9]+$'),
+    regex('^Microsoft\\.[a-zA-Z0-9.]+/[a-zA-Z0-9.]+/[a-zA-Z0-9]+$'),
+    regex('^Microsoft\\.[a-zA-Z0-9.]+/[a-zA-Z0-9.]+/[a-zA-Z0-9.]+/[a-zA-Z0-9]+$'),
     regex('^WellArchitected/[A-Za-z]+$'),
     regex('^Specialized\\.Workload/[A-Za-z]+$'))
   recommendationMetadataState: enum('Active', 'Disabled')

@@ -156,7 +156,7 @@
   recommendationTypeId: null
   recommendationControl: HighAvailability
   recommendationImpact: Low
-  recommendationResourceType: Microsoft.Cdn/profiles
+  recommendationResourceType: Microsoft.Cdn/profiles/originGroups
   recommendationMetadataState: Active
   longDescription: |
     Front Door health probes help detect unavailable or unhealthy origins, directing traffic to alternate origins if needed.
@@ -252,3 +252,20 @@
   learnMoreLink:
     - name: Compare pricing between Azure Front Door tiers
       url: "https://learn.microsoft.com/azure/frontdoor/understanding-pricing"
+
+- description: Monitor Web Application Firewall
+  aprlGuid: 5357ae22-0f52-1a49-9fd4-1f00ace6add0
+  recommendationTypeId: null
+  recommendationControl: MonitoringAndAlerting
+  recommendationImpact: High
+  recommendationResourceType: Microsoft.Cdn/profiles
+  recommendationMetadataState: Active
+  longDescription: |
+    Monitoring the health of your Web Application Firewall and the applications it protects is crucial. This can be achieved through integration with Microsoft Defender for Cloud, Azure Monitor, and Azure Monitor logs, ensuring optimal performance and security.
+  potentialBenefits: Enhanced security and health insight
+  pgVerified: false
+  automationAvailable: false
+  tags: []
+  learnMoreLink:
+    - name: WAF monitoring
+      url: "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview#monitoring"
@@ -3,7 +3,7 @@
   recommendationTypeId: null
   recommendationControl: HighAvailability
   recommendationImpact: Medium
-  recommendationResourceType: Microsoft.Compute/galleries
+  recommendationResourceType: Microsoft.Compute/galleries/images/versions
   recommendationMetadataState: Active
   longDescription: |
     Keeping a minimum of 3 replicas for production images in Azure's Compute Gallery ensures scalability and prevents throttling in multi-VM deployments by distributing VM deployments across different replicas. This reduces the risk of overloading a single replica.
@@ -20,7 +20,7 @@
   recommendationTypeId: null
   recommendationControl: HighAvailability
   recommendationImpact: Medium
-  recommendationResourceType: Microsoft.Compute/galleries
+  recommendationResourceType: Microsoft.Compute/galleries/images/versions
   recommendationMetadataState: Active
   longDescription: |
     Use ZRS for high availability when creating image/VM versions in Azure Compute Gallery, offering resilience against Availability Zone failures. ZRS accounts are advisable in regions with Availability Zones, with the choice of Standard_ZRS recommended over Standard_LRS for these regions.

@@ -20,7 +20,7 @@
   recommendationTypeId: null
   recommendationControl: Scalability
   recommendationImpact: High
-  recommendationResourceType: Microsoft.NetApp/netAppAccounts
+  recommendationResourceType: Microsoft.NetApp/netAppAccounts/capacityPools/volumes
   recommendationMetadataState: Active
   longDescription: |
     Standard network feature in Azure NetApp Files enhances IP limits and VNet capabilities, including network security groups, user-defined routes on subnets, and diverse connectivity options.
@@ -37,7 +37,7 @@
   recommendationTypeId: null
   recommendationControl: HighAvailability
   recommendationImpact: High
-  recommendationResourceType: Microsoft.NetApp/netAppAccounts
+  recommendationResourceType: Microsoft.NetApp/netAppAccounts/capacityPools/volumes
   recommendationMetadataState: Active
   longDescription: |
     Availability zones are distinct locations within an Azure region to withstand local failures. Deploy your workload in multiple availability zones and use application-based replication or Azure NetApp Files cross-zone replication to achieve high availability. Note that failover is a manual process.
@@ -54,7 +54,7 @@
   recommendationTypeId: null
   recommendationControl: OtherBestPractices
   recommendationImpact: High
-  recommendationResourceType: Microsoft.NetApp/netAppAccounts
+  recommendationResourceType: Microsoft.NetApp/netAppAccounts/capacityPools/volumes
   recommendationMetadataState: Active
   longDescription: |
     Azure NetApp Files' availability zone (AZ) volume placement feature lets you deploy volumes in the same AZ with Azure compute and other services to have within AZ latency and share the same AZ failure domain.
@@ -71,7 +71,7 @@
   recommendationTypeId: cda11061-35a8-4ca3-aa03-b242dcdf7319
   recommendationControl: HighAvailability
   recommendationImpact: High
-  recommendationResourceType: Microsoft.NetApp/netAppAccounts
+  recommendationResourceType: Microsoft.NetApp/netAppAccounts/capacityPools/volumes
   recommendationMetadataState: Active
   longDescription: |
     Azure NetApp Files snapshot technology ensures stability, scalability, and swift data recoverability without affecting performance. It supports automatic snapshot creation via policies for Azure NetApp Files data.
@@ -88,7 +88,7 @@
   recommendationTypeId: c70fc854-2814-4b03-9b93-8ad7b918bfcf
   recommendationControl: DisasterRecovery
   recommendationImpact: High
-  recommendationResourceType: Microsoft.NetApp/netAppAccounts
+  recommendationResourceType: Microsoft.NetApp/netAppAccounts/capacityPools/volumes
   recommendationMetadataState: Active
   longDescription: |
     Azure NetApp Files offers a fully managed backup solution enhancing long-term recovery, archiving, and compliance.
@@ -105,7 +105,7 @@
   recommendationTypeId: 26f91380-cb68-4642-bb6f-1bce3c64c55e
   recommendationControl: DisasterRecovery
   recommendationImpact: High
-  recommendationResourceType: Microsoft.NetApp/netAppAccounts
+  recommendationResourceType: Microsoft.NetApp/netAppAccounts/capacityPools/volumes
   recommendationMetadataState: Active
   longDescription: |
     Azure NetApp Files replication offers data protection by allowing asynchronous cross-region volume replication for application failover in case of regional outages. Volumes can be replicated across regions, not concurrently with cross-zone replication. Note that failover is a manual process.
@@ -122,7 +122,7 @@
   recommendationTypeId: null
   recommendationControl: DisasterRecovery
   recommendationImpact: High
-  recommendationResourceType: Microsoft.NetApp/netAppAccounts
+  recommendationResourceType: Microsoft.NetApp/netAppAccounts/capacityPools/volumes
   recommendationMetadataState: Active
   longDescription: |
     The cross-zone replication (CZR) feature enables asynchronous data replication between Azure NetApp Files volumes across different availability zones, ensuring data protection and critical application failover in case of zone-wide disasters. Note that failover is a manual process.
@@ -139,7 +139,7 @@
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
   recommendationImpact: Medium
-  recommendationResourceType: Microsoft.NetApp/netAppAccounts
+  recommendationResourceType: Microsoft.NetApp/netAppAccounts/capacityPools/volumes
   recommendationMetadataState: Active
   longDescription: |
     Azure NetApp Files offers metrics like allocated storage, actual usage, volume IOPS, and latency, enabling a better understanding of usage patterns and volume performance for NetApp accounts.
@@ -190,7 +190,7 @@
   recommendationTypeId: e4bebd74-387a-4a74-b757-475d2d1b4e3e
   recommendationControl: HighAvailability
   recommendationImpact: High
-  recommendationResourceType: Microsoft.NetApp/netAppAccounts
+  recommendationResourceType: Microsoft.NetApp/netAppAccounts/capacityPools/volumes
   recommendationMetadataState: Active
   longDescription: |
     Certain SMB applications need SMB Transparent Failover for maintenance without interrupting server connectivity. Azure NetApp Files provides this through SMB Continuous Availability for applications like Citrix App Layering, FSLogix user/profile containers, Microsoft SQL Server, MSIX app attach.
@@ -207,7 +207,7 @@
   recommendationTypeId: null
   recommendationControl: HighAvailability
   recommendationImpact: Medium
-  recommendationResourceType: Microsoft.NetApp/netAppAccounts
+  recommendationResourceType: Microsoft.NetApp/netAppAccounts/capacityPools/volumes
   recommendationMetadataState: Active
   longDescription: |
     Azure NetApp Files might undergo occasional planned maintenance such as platform updates or service and software upgrades. It's important to be aware of the application's resiliency settings to cope with these storage service maintenance events.

@@ -1,7 +1,7 @@
 ---
 title: frontDoorWebApplicationFirewallPolicies
 geekdocCollapseSection: true
-geekdocHidden: false
+geekdocHidden: true
 ---
 
 {{< azure-resources-recommendationlist name="azure-resources-recommendationlist" >}}
@@ -31,20 +31,3 @@
   learnMoreLink:
     - name: Azure Web Application Firewall Monitoring and Logging
       url: "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-metrics#logs-and-diagnostics"
-
-- description: Monitor Web Application Firewall
-  aprlGuid: 5357ae22-0f52-1a49-9fd4-1f00ace6add0
-  recommendationTypeId: null
-  recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
-  recommendationResourceType: Microsoft.Network/frontdoorWebApplicationFirewallPolicies
-  recommendationMetadataState: Active
-  longDescription: |
-    Monitoring the health of your Web Application Firewall and the applications it protects is crucial. This can be achieved through integration with Microsoft Defender for Cloud, Azure Monitor, and Azure Monitor logs, ensuring optimal performance and security.
-  potentialBenefits: Enhanced security and health insight
-  pgVerified: false
-  automationAvailable: false
-  tags: []
-  learnMoreLink:
-    - name: WAF monitoring
-      url: "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview#waf-monitoring"
@@ -20,7 +20,7 @@
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
   recommendationImpact: Low
-  recommendationResourceType: Microsoft.Network/networkWatchers
+  recommendationResourceType: Microsoft.Network/networkWatchers/flowlogs
   recommendationMetadataState: Active
   longDescription: |
     Network security group flow logging is a feature of Azure Network Watcher that logs IP traffic info through a network security group. If in Failed state, monitoring data from the associated resource is not collected.
@@ -54,7 +54,7 @@
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
   recommendationImpact: Medium
-  recommendationResourceType: Microsoft.Network/networkWatchers
+  recommendationResourceType: Microsoft.Network/networkWatchers/flowlogs
   recommendationMetadataState: Active
   longDescription: |
     Improves monitoring, security and troubleshooting for Azure and Hybrid connectivity

@@ -20,7 +20,7 @@
   recommendationTypeId: null
   recommendationControl: DisasterRecovery
   recommendationImpact: High
-  recommendationResourceType: Microsoft.RecoveryServices/vaults
+  recommendationResourceType: Microsoft.Compute/virtualMachines
   recommendationMetadataState: Active
   longDescription: |
     Perform a test failover to validate your BCDR strategy and ensure that your applications are functioning correctly in the target region without impacting your production environment. Test your Disaster Recovery plan periodically without any data loss or downtime, using test failovers.

@@ -37,7 +37,7 @@
   recommendationTypeId: 807e58d0-e385-41ad-987b-4a4b3e3fb563
   recommendationControl: HighAvailability
   recommendationImpact: High
-  recommendationResourceType: Microsoft.Sql/servers
+  recommendationResourceType: Microsoft.Sql/servers/databases
   recommendationMetadataState: Active
   longDescription: |
     By default, Azure SQL Database premium tier provisions multiple copies within the same region. For geo redundancy, databases can be set as Zone Redundant, distributing copies across Azure Availability Zones to maintain availability during regional outages.
@@ -54,7 +54,7 @@
   recommendationTypeId: null
   recommendationControl: HighAvailability
   recommendationImpact: High
-  recommendationResourceType: Microsoft.Sql/servers
+  recommendationResourceType: Microsoft.Sql/servers/databases
   recommendationMetadataState: Disabled
   longDescription: |
     During transient failures, the application should handle connection retries effectively with Azure SQL Database. No Database layer configuration is needed; instead, the application must be set up for graceful retrying.
@@ -71,7 +71,7 @@
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
   recommendationImpact: High
-  recommendationResourceType: Microsoft.Sql/servers
+  recommendationResourceType: Microsoft.Sql/servers/databases
   recommendationMetadataState: Active
   longDescription: |
     Monitoring and alerting are an important part of database operations. When working with Azure SQL Database, make use of Azure Monitor and SQL Insights to ensure that you capture relevant database metrics.

@@ -1,22 +1 @@
-// Azure Resource Graph Query
-// Provides a list of Azure Resource Groups that have resources deployed in a region different than the Resource Group region
-resourcecontainers
-| where type =~ "Microsoft.Resources/subscriptions/resourceGroups"
-| project resourceGroupId = tolower(id), resourceGroupLocation = location
-| join kind = inner (
-    resources
-    | where location !~ "Global" and             // Exclude global resources
-        resourceGroup !~ "NetworkWatcherRG" and  // Exclude resources in the NetworkWatcherRG
-        id has "/resourceGroups/"                // Exclude resources not in a resource group
-    | project id, name, tags, resourceGroup, location, resourceGroupId = tolower(strcat_array(array_slice(split(id, "/"), 0, 4), "/"))
-    )
-    on resourceGroupId
-| where resourceGroupLocation !~ location
-| project
-    recommendationId = "98bd7098-49d6-491b-86f1-b143d6b1a0ff",
-    name,
-    id,
-    tags,
-    param1 = strcat("resourceLocation: ", location),
-    param2 = strcat("resourceGroupLocation: ", resourceGroupLocation),
-    param3 = strcat("resourceGroup: ", resourceGroup)
+// under-development
@@ -0,0 +1,13 @@
+// Azure Resource Graph Query
+// Provides a list of Azure App Service Slot resources that don't have App Settings configured
+Resources
+| where type =~ 'microsoft.web/sites/slots'
+| join kind=inner
+    (appserviceresources
+    | where type == "microsoft.web/sites/config"
+    | extend AppSettings = iif(isempty(properties.AppSettings), false, true)
+    | where AppSettings == false
+    | extend id = replace(@"/config/web$", "", id)
+    ) on id
+| project recommendationID = "0a535241-8dc4-4058-af03-f2fff0abad2a", id, name, param1="AppSettings is not configured", properties
+
@@ -1,9 +1,13 @@
 // Azure Resource Graph Query
 // Provides a list of Azure App Service resources that don't have App Settings configured
+Resources
+| where type =~ 'microsoft.web/sites'
+| join kind=inner
+    (appserviceresources
+    | where type == "microsoft.web/sites/config"
+    | extend AppSettings = iif(isempty(properties.AppSettings), false, true)
+    | where AppSettings == false
+    | extend id = replace(@"/config/web$", "", id)
+    ) on id
+| project recommendationID = "0b80b67c-afbe-4988-ad58-a85a146b681e", id, name, param1="AppSettings is not configured"
 
-appserviceresources
-| where type == "microsoft.web/sites/config"
-| extend AppSettings = iif(isempty(properties.AppSettings), true, false)
-| where AppSettings == false
-| extend id = replace(@"/config/web$", "", id)
-| project  recommendationId="0b80b67c-afbe-4988-ad58-a85a146b681e", id, name, tags="", param1="AppSettings is not configured"
@@ -1,15 +1,19 @@
 // Azure Resource Graph Query
-// Display App Service with the count of deployment slots for Apps under eligible App service plans and it shows if deployment slot is enabled or not
+// Display App Service for Apps under eligible App service plans and it shows if deployment slot is enabled or not
 
 resources
 | where type =~ 'microsoft.web/sites' or type =~ 'microsoft.web/sites/slots'
-| extend isSlot = iff(type =~ 'microsoft.web/sites/slots', 1, 0)
-| extend AspName = iff(isSlot == 1, split(name, '/')[0], name)
 | extend Sku = tostring(properties.sku)
 | where tolower(Sku) contains "standard" or tolower(Sku) contains "premium" or tolower(Sku) contains "isolatedv2"
-| project id, name, AspName, isSlot, Sku
-| summarize Slots = countif(isSlot == 1) by id, name, AspName, Sku
-| extend DeploymentSlotEnabled = iff(Slots > 1, true, false)
-| where DeploymentSlotEnabled = false
-| project recommendationId="a1d91661-32d4-430b-b3b6-5adeb0975df7", name, id, tags="", param1=Sku, param2=Slots, param3="DeploymentSlotEnabled=false"
+| summarize count() by repositorySiteName = tostring(properties.repositorySiteName)
+| where count_ == 1
+| join kind=inner (
+    resources
+    | where type =~ 'microsoft.web/sites' //or type =~ 'microsoft.web/sites/slots'
+    | extend repositorySiteName = tostring(properties.repositorySiteName)
+    | extend Sku = tostring(properties.sku)
+    | project id, name, subscriptionId, repositorySiteName, Sku
+) on repositorySiteName
+| project recommendationId="a1d91661-32d4-430b-b3b6-5adeb0975df7", name, id, tags="", param1=Sku, param2="DeploymentSlotEnabled=false"
+
 
@@ -83,7 +83,7 @@
     - name: Set up staging environments in Azure App Service
       url: "https://learn.microsoft.com/azure/app-service-web/web-sites-staged-publishing"
 
-- description: Store configuration as app settings
+- description: Store configuration as app settings for Web Sites
   aprlGuid: 0b80b67c-afbe-4988-ad58-a85a146b681e
   recommendationTypeId: null
   recommendationControl: OtherBestPractices
@@ -100,6 +100,24 @@
     - name: Configure web apps in Azure App Service
       url: "https://learn.microsoft.com/azure/app-service-web/web-sites-configure"
 
+
+- description: Store configuration as app settings for Web Site Slots
+  aprlGuid: 0a535241-8dc4-4058-af03-f2fff0abad2a
+  recommendationTypeId: null
+  recommendationControl: OtherBestPractices
+  recommendationImpact: Medium
+  recommendationResourceType: Microsoft.Web/sites/slots
+  recommendationMetadataState: Active
+  longDescription: |
+    Use app settings for configuration and define them in Resource Manager templates or via PowerShell to facilitate part of an automated deployment/update process for improved reliability.
+  potentialBenefits: Enhanced reliability via automation
+  pgVerified: true
+  automationAvailable: true
+  tags: []
+  learnMoreLink:
+    - name: Configure web apps in Azure App Service
+      url: "https://learn.microsoft.com/azure/app-service-web/web-sites-configure"
+
 - description: Enable Health check for App Services
   aprlGuid: fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d
   recommendationTypeId: null