From 4f39a34bd989f5db82d4fb2629ecd9743f255972 Mon Sep 17 00:00:00 2001 From: "Rodrigo Reis Santos (AZURE)" Date: Wed, 21 May 2025 09:56:59 -0400 Subject: [PATCH 1/5] rosanto-may-quality-updates --- .../302fda08-ee65-4fbe-a916-6dc0b33169c4.kql | 18 ++- .../52ab9e5c-eec0-3148-8bd7-b6dd9e1be870.kql | 42 ++++-- .../73d1bb04-7d3e-0d47-bc0d-63afe773b5fe.kql | 18 ++- .../virtualMachines/recommendations.yaml | 129 +----------------- .../005ccbbd-aeab-46ef-80bd-9bd4479412ec.kql | 3 +- .../0611251f-e70f-4243-8ddd-cfe894bec2e7.kql | 2 +- .../26ebaf1f-c70d-4ebd-8641-4b60a0ce0094.kql | 2 +- .../4f63619f-5001-439c-bacb-8de891287727.kql | 6 +- .../5ee083cd-6ac3-4a83-8913-9549dd36cf56.kql | 2 +- .../5f3cbd68-692a-4121-988c-9770914859a9.kql | 2 +- .../7f7ae535-a5ba-4665-b7e0-c451dbdda01f.kql | 2 +- .../a7bfcc18-b0d8-4d37-81f3-8131ed8bead5.kql | 2 +- .../dcaf8128-94bd-4d53-9235-3a0371df6b74.kql | 2 +- .../e620fa98-7a40-41a0-bfc9-b4407297fb58.kql | 13 +- .../f46b0d1d-56ef-4795-b98a-f6ee00cb341a.kql | 2 +- .../managedClusters/recommendations.yaml | 12 +- .../31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3.kql | 15 +- .../flexibleServers/recommendations.yaml | 2 +- .../72827434-c773-4345-9493-34848ddf5803.kql | 16 ++- .../e3d742e1-dacd-9b48-b6b1-510ec9f87c96.kql | 20 +-- .../netAppAccounts/recommendations.yaml | 4 +- .../6d82d042-6d61-ad49-86f0-6a5455398081.kql | 38 +----- .../e5f5fcea-f925-4578-8599-9a391e888a60.kql | 6 - .../loadBalancers/recommendations.yaml | 18 +-- .../recommendations.yaml | 2 +- 25 files changed, 136 insertions(+), 242 deletions(-) delete mode 100644 azure-resources/Network/loadBalancers/kql/e5f5fcea-f925-4578-8599-9a391e888a60.kql diff --git a/azure-resources/Compute/virtualMachines/kql/302fda08-ee65-4fbe-a916-6dc0b33169c4.kql b/azure-resources/Compute/virtualMachines/kql/302fda08-ee65-4fbe-a916-6dc0b33169c4.kql index cad6f6046..310a03233 100644 --- a/azure-resources/Compute/virtualMachines/kql/302fda08-ee65-4fbe-a916-6dc0b33169c4.kql 
+++ b/azure-resources/Compute/virtualMachines/kql/302fda08-ee65-4fbe-a916-6dc0b33169c4.kql @@ -1,7 +1,13 @@ // Azure Resource Graph Query -// Find all Virtual Machines not associated with a Capacity Reservation, and provide details for Capacity Reservation like vmSize, location, and zone. -resources -| where type =~ 'Microsoft.Compute/virtualMachines' -| where isnull(properties.capacityReservation) -| extend zoneValue = iff(isnull(zones), "null", zones) -| project recommendationId = "302fda08-ee65-4fbe-a916-6dc0b33169c4", name, id, tags, param1 = strcat("VmSize: ", properties.hardwareProfile.vmSize), param2 = strcat("Location: ", location), param3 = strcat("Zone: ", zoneValue) +// Find Database for PostgreSQL instances that do not have geo redundant backup storage configured +advisorresources +| where properties.recommendationTypeId =~ '1670c0af-6536-4cbf-872f-152c91a51a80' // RecommendationID from Advisor +| mv-expand resId = properties.resourceMetadata.resourceId +| extend resId = tolower(tostring(resId)) +| project recId = properties.recommendationTypeId, resId +| join kind=leftouter ( + resources + | extend id = tolower(tostring(id)) + | project id, name, tags, location, properties +) on $left.resId == $right.id +| project recommendationId = "302fda08-ee65-4fbe-a916-6dc0b33169c4", name , id = resId, tags,param1 = properties.hardwareProfile.vmSize, param2 = location diff --git a/azure-resources/Compute/virtualMachines/kql/52ab9e5c-eec0-3148-8bd7-b6dd9e1be870.kql b/azure-resources/Compute/virtualMachines/kql/52ab9e5c-eec0-3148-8bd7-b6dd9e1be870.kql index 7b48a3168..5e400e618 100644 --- a/azure-resources/Compute/virtualMachines/kql/52ab9e5c-eec0-3148-8bd7-b6dd9e1be870.kql +++ b/azure-resources/Compute/virtualMachines/kql/52ab9e5c-eec0-3148-8bd7-b6dd9e1be870.kql 
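Review bot: The new header comment `// Find Database for PostgreSQL instances that do not have geo redundant backup storage configured` belongs to the 31f4ac4b PostgreSQL query, not to this VM query, whose removed header read "Find all Virtual Machines not associated with a Capacity Reservation"; it should become something like `// Find Virtual Machines surfaced by Advisor recommendation 1670c0af-6536-4cbf-872f-152c91a51a80 (VMs not associated with a Capacity Reservation)`, assuming that Advisor id still maps to the capacity-reservation check. Because the query now reports only what Advisor has already flagged, a VM in a subscription Advisor has not evaluated, or whose recommendation was dismissed or postponed, silently drops out, and the comment should say so rather than let an empty result read as "no unreserved VMs". With `kind=leftouter`, an Advisor resourceId that no longer resolves in `resources` still yields a row with null `name`, `tags` and `properties`, so `param1`/`param2` come back empty; `kind=inner` (or `| where isnotempty(name)`) keeps the output clean. `recId` is projected but never used.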
@@ -1,16 +1,38 @@ // Azure Resource Graph Query -// Find VMS that do not have maintenance configuration assigned -Resources -| extend resourceId = tolower(id) -| project name, location, type, id, tags, resourceId, properties +// Find VMs on Dedicated Hosts or using Isolated SKUs (via substring match) that do NOT have a maintenance configuration assigned +resources | where type =~ 'Microsoft.Compute/virtualMachines' +| extend + resourceId = tolower(id), + hostId = tostring(properties.host.id), + hostGroupId = tostring(properties.hostGroup.id), + vmSize = tostring(properties.hardwareProfile.vmSize) +| where + // 1) Dedicated Host association + isnotempty(hostId) or isnotempty(hostGroupId) + // 2) OR any of the "isolated" substrings + or ( + vmSize contains "i_" or + vmSize contains "is_" or + vmSize contains "id_" or + vmSize contains "ids_" or + vmSize contains "idms_" or + vmSize contains "ims_" or + vmSize contains "G5" or + vmSize contains "GS5" or + vmSize contains "F72s_" or + vmSize contains "M128ms" + ) | join kind=leftouter ( -maintenanceresources -| where type =~ "microsoft.maintenance/configurationassignments" -| project planName = name, type, maintenanceProps = properties -| extend resourceId = tostring(maintenanceProps.resourceId) + resources + | where type =~ 'microsoft.maintenance/configurationassignments' + | extend resourceId = tolower(tostring(properties.resourceId)) + | project resourceId, maintenanceProps = properties ) on resourceId | where isnull(maintenanceProps) -| project recommendationId = "52ab9e5c-eec0-3148-8bd7-b6dd9e1be870",name, id, tags +| project + recommendationId = "52ab9e5c-eec0-3148-8bd7-b6dd9e1be870", + name, + id, + tags | order by id asc - diff --git a/azure-resources/Compute/virtualMachines/kql/73d1bb04-7d3e-0d47-bc0d-63afe773b5fe.kql b/azure-resources/Compute/virtualMachines/kql/73d1bb04-7d3e-0d47-bc0d-63afe773b5fe.kql index 62b578dfe..fbfd8c459 100644 
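Review bot: The maintenance side of the join now reads `microsoft.maintenance/configurationassignments` from `resources`, whereas the removed code read it from `maintenanceresources`; if that type is only surfaced in the `maintenanceresources` table (presumably why the original used it), `maintenanceProps` is always null and every Dedicated-Host or isolated VM is reported as missing a configuration, so I would keep `maintenanceresources` in the subquery unless this was verified against a subscription with assignments in place. The isolated-SKU detection is a case-insensitive `contains` on bare fragments such as `"i_"`, `"G5"` and `"M128ms"`, which matches any size name carrying those characters in that position rather than the documented isolated sizes, and misses any isolated size that lacks them. The comment should cite where the list comes from, e.g. `// Isolated sizes per the Azure VM isolation documentation; review when that list changes`, and matching on the full size name (an explicit list, or a regex anchored on the `Standard_<family><n>i...` pattern) would reduce false positives. The hunk covers the whole file.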
--- a/azure-resources/Compute/virtualMachines/kql/73d1bb04-7d3e-0d47-bc0d-63afe773b5fe.kql +++ b/azure-resources/Compute/virtualMachines/kql/73d1bb04-7d3e-0d47-bc0d-63afe773b5fe.kql @@ -1,2 +1,18 @@ -// cannot-be-validated-with-arg +// Azure Resource Graph Query +// Find all VM NICs that have Accelerated Networking enabled +resources +| where type =~ 'Microsoft.Compute/virtualMachines' +| mv-expand nic = properties.networkProfile.networkInterfaces +| project name, id, tags, lowerCaseNicId = tolower(nic.id), vmSize = tostring(properties.hardwareProfile.vmSize) +| join kind = inner ( + resources + | where type =~ 'Microsoft.Network/networkInterfaces' + | where properties.enableAcceleratedNetworking == true + | project nicName = split(id, "/")[8], lowerCaseNicId = tolower(id) + ) + on lowerCaseNicId +| summarize nicNames = make_set(nicName) by name, id, tostring(tags), vmSize +| extend param2 = strcat("NicName: ", strcat_array(nicNames, ", ")), param3 = strcat("VMSize: ", vmSize) +| project recommendationId = "dfedbeb1-1519-fc47-86a5-52f96cf07105", name, id, tags, param1="This machine has AccelNet enabled, but it is not possible to confirm if the GuestOS drivers are Up-to-Date.", param2,param3 +| order by id asc diff --git a/azure-resources/Compute/virtualMachines/recommendations.yaml b/azure-resources/Compute/virtualMachines/recommendations.yaml index 01c8c16cb..7a85dbd07 100644 --- a/azure-resources/Compute/virtualMachines/recommendations.yaml +++ b/azure-resources/Compute/virtualMachines/recommendations.yaml @@ -17,7 +17,7 @@ - description: Deploy VMs across Availability Zones aprlGuid: 2bd0be95-a825-6f47-a8c6-3db1fb5eb387 - recommendationTypeId: null + recommendationTypeId: 066a047a-9ace-45f4-ac50-6325840a6b00 recommendationControl: HighAvailability recommendationImpact: High recommendationResourceType: Microsoft.Compute/virtualMachines 
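Review bot: The query in `73d1bb04-7d3e-0d47-bc0d-63afe773b5fe.kql` emits `recommendationId = "dfedbeb1-1519-fc47-86a5-52f96cf07105"`, which in this commit's recommendations.yaml is the aprlGuid of "Enable Accelerated Networking (AccelNet)", while the query selects VMs that already have AccelNet enabled and reports on guest-driver currency, so its rows would be attributed to the opposite recommendation. The project line should read `| project recommendationId = "73d1bb04-7d3e-0d47-bc0d-63afe773b5fe", name, id, tags, param1="...", param2, param3`, matching the file name and, presumably, the driver-update entry whose `automationAvailable` flips to True in the yaml hunk below. Since `param1` is a fixed string saying driver state cannot be confirmed, every AccelNet-enabled VM is reported unconditionally; the header should say so, e.g. `// Lists every VM with an AccelNet-enabled NIC; driver currency cannot be checked from ARG, so each row is a manual-verification item`.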
@@ -117,23 +117,6 @@ - name: What is the Azure Backup service? url: "https://learn.microsoft.com/azure/backup/backup-overview" -- description: Review VMs in stopped state - aprlGuid: 98b334c0-8578-6046-9e43-b6e8fce6318e - recommendationTypeId: null - recommendationControl: Governance - recommendationImpact: Low - recommendationResourceType: Microsoft.Compute/virtualMachines - recommendationMetadataState: Disabled - longDescription: | - Azure Virtual Machines (VM) instances have various states, like provisioning and power states. A non-running VM may indicate issues or it being unnecessary, suggesting removal could help cut costs. - potentialBenefits: Reduce costs by removing unused VMs - pgVerified: true - automationAvailable: true - tags: [] - learnMoreLink: - - name: States and billing status of Azure Virtual Machines - url: "https://learn.microsoft.com/azure/virtual-machines/states-billing?context=%2Ftroubleshoot%2Fazure%2Fvirtual-machines%2Fcontext%2Fcontext#power-states-and-billing" - - description: Enable Accelerated Networking (AccelNet) aprlGuid: dfedbeb1-1519-fc47-86a5-52f96cf07105 recommendationTypeId: null 
@@ -162,46 +145,12 @@ When Accelerated Networking is enabled, the default Azure VNet interface in GuestOS is swapped for a Mellanox, and its driver comes from a 3rd party. Marketplace images have the latest Mellanox drivers, but post-deployment, updating the driver is the user's responsibility. potentialBenefits: Enhanced VM network efficiency pgVerified: true - automationAvailable: false + automationAvailable: True tags: [] learnMoreLink: - name: Accelerated Networking (AccelNet) overview url: "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview" -- description: VMs should not have a Public IP directly associated - aprlGuid: 1f629a30-c9d0-d241-82ee-6f2eb9d42cb4 - recommendationTypeId: null - recommendationControl: Security - recommendationImpact: Medium - recommendationResourceType: Microsoft.Compute/virtualMachines - recommendationMetadataState: Disabled - longDescription: | - For outbound internet connectivity of Virtual Machines, using NAT Gateway or Azure Firewall is recommended to enhance security and service resilience, thanks to their higher availability and SNAT ports. 
- potentialBenefits: Enhanced security and service resiliency - pgVerified: true - automationAvailable: true - tags: [] - learnMoreLink: - - name: Use Source Network Address Translation (SNAT) for outbound connections - url: "https://learn.microsoft.com/azure/load-balancer/load-balancer-outbound-connections" - -- description: VM network interfaces and associated subnets both have a Network Security Group associated - aprlGuid: 82b3cf6b-9ae2-2e44-b193-10793213f676 - recommendationTypeId: null - recommendationControl: Security - recommendationImpact: Low - recommendationResourceType: Microsoft.Compute/virtualMachines - recommendationMetadataState: Disabled - longDescription: | - Unless you have a specific reason, it's advised to associate a network security group to a subnet or a network interface, but not both, to avoid unexpected communication issues and troubleshooting due to potential rule conflicts between the two associations. - potentialBenefits: Reduces communication problems - pgVerified: true - automationAvailable: true - tags: [] - learnMoreLink: - - name: How network security groups filter network traffic - url: "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic" - - description: IP Forwarding should only be enabled for Network Virtual Appliances aprlGuid: 41a22a5e-5e08-9647-92d0-2ffe9ef1bdad recommendationTypeId: null 
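Review bot: `automationAvailable: True` uses a capitalised boolean while every other entry in this file (including `pgVerified: true` two lines above) uses lowercase `true`; YAML parsers accept both, but tooling that string-compares the value or validates against an enum of `true`/`false` will treat this entry differently, so it should be `automationAvailable: true`. This hunk also deletes two Security-control recommendations (public IP directly on a VM, NSG on both NIC and subnet) outright rather than leaving them `Disabled`; if the intent is to retire them, a line in the commit message saying why (superseded elsewhere, or out of scope) would help anyone auditing what security guidance was dropped. The trailing `- description: IP Forwarding ...` entry continues outside the hunk.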
@@ -219,23 +168,6 @@ - name: Enable or disable IP forwarding url: "https://learn.microsoft.com/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#enable-or-disable-ip-forwarding" -- description: Customer DNS Servers should be configured in the Virtual Network level - aprlGuid: 1cf8fe21-9593-1e4e-966b-779a294c0d30 - recommendationTypeId: null - recommendationControl: OtherBestPractices - recommendationImpact: Low - recommendationResourceType: Microsoft.Compute/virtualMachines - recommendationMetadataState: Disabled - longDescription: | - Configure the DNS Server at the Virtual Network level to prevent any inconsistency across the environment. - potentialBenefits: Ensures DNS consistency - pgVerified: true - automationAvailable: true - tags: [] - learnMoreLink: - - name: Name resolution for resources in Azure virtual networks - url: "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances" - - description: Network access to the VM disk should be set to Disable public access and enable private access aprlGuid: 70b1d2be-e6c4-b54e-9959-b1b690f9e485 recommendationTypeId: null 
@@ -253,40 +185,6 @@ - name: Restrict import/export access for managed disks using Azure Private Link url: "https://learn.microsoft.com/azure/virtual-machines/disks-enable-private-links-for-import-export-portal" -- description: Ensure that your VMs are compliant with Azure Policies - aprlGuid: c42343ae-2712-2843-a285-3437eb0b28a1 - recommendationTypeId: null - recommendationControl: Governance - recommendationImpact: Low - recommendationResourceType: Microsoft.Compute/virtualMachines - recommendationMetadataState: Disabled - longDescription: | - Keeping your virtual machine (VM) secure is crucial for the applications you run. This involves using various Azure services and features to ensure secure access to your VMs and the secure storage of your data, aiming for overall security of your VM and applications. - potentialBenefits: Secure VMs and applications - pgVerified: true - automationAvailable: true - tags: [] - learnMoreLink: - - name: Policy-driven governance - url: "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-principles#policy-driven-governance" - -- description: Virtual Machines should have Azure Disk Encryption or EncryptionAtHost enabled - aprlGuid: f0a97179-133a-6e4f-8a49-8a44da73ffce - recommendationTypeId: a40cc620-e72c-fdf4-c554-c6ca2cd705c0 - recommendationControl: Security - recommendationImpact: High - recommendationResourceType: Microsoft.Compute/virtualMachines - recommendationMetadataState: Disabled - longDescription: | - Consider enabling Azure Disk Encryption (ADE) for encrypting Azure VM disks using DM-Crypt (Linux) or BitLocker (Windows). Additionally, consider Encryption at host and Confidential disk encryption for enhanced data security. 
- potentialBenefits: Enhances data security and integrity - pgVerified: true - automationAvailable: true - tags: [] - learnMoreLink: - - name: Overview of managed disk encryption options - url: "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview" - - description: Enable VM Insights aprlGuid: b72214bb-e879-5f4b-b9cd-642db84f36f4 recommendationTypeId: null @@ -304,28 +202,11 @@ - name: Overview of VM insights url: "https://learn.microsoft.com/azure/azure-monitor/vm/vminsights-overview" -- description: Configure monitoring for all Azure Virtual Machines - aprlGuid: 4a9d8973-6dba-0042-b3aa-07924877ebd5 - recommendationTypeId: null - recommendationControl: MonitoringAndAlerting - recommendationImpact: Low - recommendationResourceType: Microsoft.Compute/virtualMachines - recommendationMetadataState: Disabled - longDescription: | - Azure Monitor Metrics automatically receives platform metrics, but platform logs, which offer detailed diagnostics and auditing for resources and their Azure platform, need to be manually routed for collection. - potentialBenefits: Enhanced diagnostics and auditing capability - pgVerified: true - automationAvailable: true - tags: [] - learnMoreLink: - - name: Azure Monitor Agent overview - url: "https://learn.microsoft.com/azure/azure-monitor/agents/agents-overview" - -- description: Use maintenance configurations for the VMs +- description: Use maintenance configurations for the Dedicated and/or Isolated VM SKUs aprlGuid: 52ab9e5c-eec0-3148-8bd7-b6dd9e1be870 recommendationTypeId: null recommendationControl: HighAvailability - recommendationImpact: High + recommendationImpact: Medium recommendationResourceType: Microsoft.Compute/virtualMachines recommendationMetadataState: Active longDescription: | 
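Review bot: The title of 52ab9e5c is narrowed to "Dedicated and/or Isolated VM SKUs" and its impact lowered to Medium, but the entry's `longDescription`, `potentialBenefits` and learn links continue outside the hunk and are not touched; if they still describe maintenance configurations for VMs in general, they now disagree with the title and with the rewritten 52ab9e5c query, which only returns Dedicated-Host/isolated VMs. Worth checking the rest of the entry in the same change.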
@@ -372,7 +253,7 @@ - name: Disk type comparison and decision tree url: "https://learn.microsoft.com/azure/virtual-machines/disks-types#disk-type-comparison" -- description: Use Azure Boost VMs for Maintenance sensitive workload +- description: Use Azure Boost VMs for Maintenance sensitive workload VMs aprlGuid: 9ab499d8-8844-424d-a2d4-8f53690eb8f8 recommendationTypeId: null recommendationControl: HighAvailability diff --git a/azure-resources/ContainerService/managedClusters/kql/005ccbbd-aeab-46ef-80bd-9bd4479412ec.kql b/azure-resources/ContainerService/managedClusters/kql/005ccbbd-aeab-46ef-80bd-9bd4479412ec.kql index 8fd42081e..2cef9aff3 100644 --- a/azure-resources/ContainerService/managedClusters/kql/005ccbbd-aeab-46ef-80bd-9bd4479412ec.kql +++ b/azure-resources/ContainerService/managedClusters/kql/005ccbbd-aeab-46ef-80bd-9bd4479412ec.kql @@ -6,5 +6,4 @@ resources | extend taints = tostring(parse_json(agentPoolProfile.nodeTaints)) | extend nodePool = tostring(parse_json(agentPoolProfile.name)) | where taints !has "CriticalAddonsOnly=true:NoSchedule" and agentPoolProfile.minCount < 2 -| project recommendationId="005ccbbd-aeab-46ef-80bd-9bd4479412ec", id, name, param1=strcat("nodePoolName: ", nodePool), param2=strcat("nodePoolMinNodeCount: ", agentPoolProfile.minCount) - +| project recommendationId="005ccbbd-aeab-46ef-80bd-9bd4479412ec", name=nodePool, id=strcat(id,"/agentPools/",nodePool), tags,param1=strcat("nodePoolName: ", nodePool), param2=strcat("nodePoolMinNodeCount: ", agentPoolProfile.minCount) diff --git a/azure-resources/ContainerService/managedClusters/kql/0611251f-e70f-4243-8ddd-cfe894bec2e7.kql b/azure-resources/ContainerService/managedClusters/kql/0611251f-e70f-4243-8ddd-cfe894bec2e7.kql index a8f51821f..108582e9a 100644 --- a/azure-resources/ContainerService/managedClusters/kql/0611251f-e70f-4243-8ddd-cfe894bec2e7.kql +++ b/azure-resources/ContainerService/managedClusters/kql/0611251f-e70f-4243-8ddd-cfe894bec2e7.kql 
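Review bot: In 005ccbbd the output now keys on a synthesized node-pool id, but the filter `agentPoolProfile.minCount < 2` on the context line is only meaningful when the autoscaler is enabled; when `minCount` is absent the comparison evaluates to null and the pool is silently skipped, so a fixed-size pool with `count: 1` is never reported. Something like `| where ... and coalesce(toint(agentPoolProfile.minCount), toint(agentPoolProfile.count)) < 2` would cover both cases. The rest of the query above `| extend taints` is outside the hunk.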
@@ -3,4 +3,4 @@ resources | where type =~ "Microsoft.ContainerService/managedClusters" | where sku.tier !in~ ("Standard", "Premium") -| project recommendationId = "0611251f-e70f-4243-8ddd-cfe894bec2e7", id, name, tags, param1 = strcat("skuName: ", sku.name), param2 = strcat("skuTier: ", sku.tier) +| project recommendationId = "0611251f-e70f-4243-8ddd-cfe894bec2e7", name,id, tags, param1 = strcat("skuName: ", sku.name), param2 = strcat("skuTier: ", sku.tier) diff --git a/azure-resources/ContainerService/managedClusters/kql/26ebaf1f-c70d-4ebd-8641-4b60a0ce0094.kql b/azure-resources/ContainerService/managedClusters/kql/26ebaf1f-c70d-4ebd-8641-4b60a0ce0094.kql index 889923698..6efa4bc73 100644 --- a/azure-resources/ContainerService/managedClusters/kql/26ebaf1f-c70d-4ebd-8641-4b60a0ce0094.kql +++ b/azure-resources/ContainerService/managedClusters/kql/26ebaf1f-c70d-4ebd-8641-4b60a0ce0094.kql @@ -13,4 +13,4 @@ PolicyResources | where type =~ 'Microsoft.ContainerService/managedClusters' | project id, name ) on id -| project recommendationId="26ebaf1f-c70d-4ebd-8641-4b60a0ce0094", id, name, param1=strcat("numNonCompliantAlerts: ", count_) +| project recommendationId="26ebaf1f-c70d-4ebd-8641-4b60a0ce0094", name,id,param1=strcat("numNonCompliantAlerts: ", count_) diff --git a/azure-resources/ContainerService/managedClusters/kql/4f63619f-5001-439c-bacb-8de891287727.kql b/azure-resources/ContainerService/managedClusters/kql/4f63619f-5001-439c-bacb-8de891287727.kql index 112aaa654..017f7e3d1 100644 --- a/azure-resources/ContainerService/managedClusters/kql/4f63619f-5001-439c-bacb-8de891287727.kql +++ b/azure-resources/ContainerService/managedClusters/kql/4f63619f-5001-439c-bacb-8de891287727.kql 
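Review bot: The new projection in 26ebaf1f, `name,id,param1=...`, omits `tags`, which every other query touched in this commit now emits after `id`; because the join's right side only projects `id, name`, `tags` has to be added there first (`| project id, name, tags`) and then `| project recommendationId="26ebaf1f-c70d-4ebd-8641-4b60a0ce0094", name, id, tags, param1=...`. The start of the query, including the `PolicyResources` filter, is outside the hunk.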
@@ -1,5 +1,5 @@ // Azure Resource Graph Query -// Returns AKS clusters that do not have any availability zones enabled or only use a single zone +// Returns AKS clusters Node Pools that do not have any availability zones enabled or only use a single zone resources | where type =~ "Microsoft.ContainerService/managedClusters" | where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3") @@ -10,8 +10,8 @@ resources | where numOfAvailabilityZones < 2 | project recommendationId = "4f63619f-5001-439c-bacb-8de891287727", - id, - name, + name=pool.name, + id=strcat(id,"/agentPools/",pool.name), tags, param1 = strcat("NodePoolName: ", pool.name), param2 = strcat("Mode: ", pool.mode), diff --git a/azure-resources/ContainerService/managedClusters/kql/5ee083cd-6ac3-4a83-8913-9549dd36cf56.kql b/azure-resources/ContainerService/managedClusters/kql/5ee083cd-6ac3-4a83-8913-9549dd36cf56.kql index dddd1a8b9..bef58fe72 100644 --- a/azure-resources/ContainerService/managedClusters/kql/5ee083cd-6ac3-4a83-8913-9549dd36cf56.kql +++ b/azure-resources/ContainerService/managedClusters/kql/5ee083cd-6ac3-4a83-8913-9549dd36cf56.kql @@ -12,7 +12,7 @@ resources | where hasCriticalAddonsOnly | project recommendationId="5ee083cd-6ac3-4a83-8913-9549dd36cf56", - id, name, + id, tags, param1=strcat("nodepoolName: ", nodePool) 
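Review bot: In 5ee083cd the projection now reads `id, tags, param1=...` — `name` was dropped along with the reorder, making this the only query in the commit whose output lacks the `name` column the others are being normalised to (`recommendationId, name, id, tags, ...`); it should be `name, id, tags,`. This looks like a slip while swapping the column order rather than an intended change.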
diff --git a/azure-resources/ContainerService/managedClusters/kql/5f3cbd68-692a-4121-988c-9770914859a9.kql b/azure-resources/ContainerService/managedClusters/kql/5f3cbd68-692a-4121-988c-9770914859a9.kql index d3fa7d849..07d185e5d 100644 --- a/azure-resources/ContainerService/managedClusters/kql/5f3cbd68-692a-4121-988c-9770914859a9.kql +++ b/azure-resources/ContainerService/managedClusters/kql/5f3cbd68-692a-4121-988c-9770914859a9.kql @@ -4,5 +4,5 @@ resources | where type == "microsoft.containerservice/managedclusters" | extend gitops = tostring (parse_json(properties.addOnProfiles.gitops.enabled)) | where isempty(gitops) -| project recommendationId="5f3cbd68-692a-4121-988c-9770914859a9", id, name, tags, param1=strcat("gitopsEnabled: ", "false") +| project recommendationId="5f3cbd68-692a-4121-988c-9770914859a9", name, id, tags, param1=strcat("gitopsEnabled: ", "false") diff --git a/azure-resources/ContainerService/managedClusters/kql/7f7ae535-a5ba-4665-b7e0-c451dbdda01f.kql b/azure-resources/ContainerService/managedClusters/kql/7f7ae535-a5ba-4665-b7e0-c451dbdda01f.kql index 7099e2e4e..a9a76aef3 100644 --- a/azure-resources/ContainerService/managedClusters/kql/7f7ae535-a5ba-4665-b7e0-c451dbdda01f.kql +++ b/azure-resources/ContainerService/managedClusters/kql/7f7ae535-a5ba-4665-b7e0-c451dbdda01f.kql @@ -6,5 +6,5 @@ resources | extend taints = tostring(parse_json(agentPoolProfile.nodeTaints)) | extend nodePool = tostring(parse_json(agentPoolProfile.name)) | where taints has "CriticalAddonsOnly=true:NoSchedule" and agentPoolProfile.minCount < 2 -| project recommendationId="7f7ae535-a5ba-4665-b7e0-c451dbdda01f", id, name, param1=strcat("nodePoolName: ", nodePool), param2=strcat("nodePoolMinNodeCount: ", agentPoolProfile.minCount) +| project recommendationId="7f7ae535-a5ba-4665-b7e0-c451dbdda01f", name, id, tags, param1=strcat("nodePoolName: ", nodePool), param2=strcat("nodePoolMinNodeCount: ", agentPoolProfile.minCount) 
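Review bot: 7f7ae535 is the system-pool twin of 005ccbbd, but after this commit 005ccbbd emits `name=nodePool, id=strcat(id,"/agentPools/",nodePool)` while this query still emits the cluster's `name, id`, so a cluster with two undersized system pools produces two rows with identical `id` that collapse if a consumer de-duplicates on it. Aligning it to `name=nodePool, id=strcat(id,"/agentPools/",nodePool), tags, ...` (and moving its yaml entry to `Microsoft.ContainerService/managedClusters/agentPools`, as done for the user-pool entry) keeps the pair consistent. As in 005ccbbd, `agentPoolProfile.minCount < 2` is null-and-therefore-false when the autoscaler is off, so fixed-size single-node system pools are not reported.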
diff --git a/azure-resources/ContainerService/managedClusters/kql/a7bfcc18-b0d8-4d37-81f3-8131ed8bead5.kql b/azure-resources/ContainerService/managedClusters/kql/a7bfcc18-b0d8-4d37-81f3-8131ed8bead5.kql index c6cdcd2e0..1e25c804c 100644 --- a/azure-resources/ContainerService/managedClusters/kql/a7bfcc18-b0d8-4d37-81f3-8131ed8bead5.kql +++ b/azure-resources/ContainerService/managedClusters/kql/a7bfcc18-b0d8-4d37-81f3-8131ed8bead5.kql @@ -5,4 +5,4 @@ resources | mv-expand agentPoolProfile = properties.agentPoolProfiles | extend type = tostring(agentPoolProfile.osDiskType) | where type != 'Ephemeral' -| project recommendationId="a7bfcc18-b0d8-4d37-81f3-8131ed8bead5", name, id, param1=strcat("osDiskType: ", type) +| project recommendationId="a7bfcc18-b0d8-4d37-81f3-8131ed8bead5", name=agentPoolProfile.name, id=strcat(id,"/agentPools/",agentPoolProfile.name), tags, param1=strcat("osDiskType: ", type) diff --git a/azure-resources/ContainerService/managedClusters/kql/dcaf8128-94bd-4d53-9235-3a0371df6b74.kql b/azure-resources/ContainerService/managedClusters/kql/dcaf8128-94bd-4d53-9235-3a0371df6b74.kql index 1ea26fb70..dbc0fe2a1 100644 --- a/azure-resources/ContainerService/managedClusters/kql/dcaf8128-94bd-4d53-9235-3a0371df6b74.kql +++ b/azure-resources/ContainerService/managedClusters/kql/dcaf8128-94bd-4d53-9235-3a0371df6b74.kql 
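Review bot: `name=agentPoolProfile.name` projects a `dynamic` rather than a `string` (the sibling queries use `tostring(...)` or a pre-converted `nodePool`), which can surface as a JSON-quoted value in some ARG clients and trip downstream type checks on the `name` column; use `name=tostring(agentPoolProfile.name)` and the same inside the `strcat` building `id`. The context line `extend type = tostring(agentPoolProfile.osDiskType)` overwrites the resource `type` column, which is harmless here but worth renaming to `osDiskType` for readability.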
@@ -5,5 +5,5 @@ resources | extend azureMonitor = tostring(parse_json(properties.azureMonitorProfile.metrics.enabled)) | extend insights = tostring(parse_json(properties.addonProfiles.omsagent.enabled)) | where isempty(azureMonitor) or isempty(insights) -| project recommendationId="dcaf8128-94bd-4d53-9235-3a0371df6b74",id, name, tags, param1=strcat("azureMonitorProfileEnabled: ", iff(isempty(azureMonitor), "false", azureMonitor)), param2=strcat("containerInsightsEnabled: ", iff(isempty(insights), "false", insights)) +| project recommendationId="dcaf8128-94bd-4d53-9235-3a0371df6b74",name,id, tags, param1=strcat("azureMonitorProfileEnabled: ", iff(isempty(azureMonitor), "false", azureMonitor)), param2=strcat("containerInsightsEnabled: ", iff(isempty(insights), "false", insights)) diff --git a/azure-resources/ContainerService/managedClusters/kql/e620fa98-7a40-41a0-bfc9-b4407297fb58.kql b/azure-resources/ContainerService/managedClusters/kql/e620fa98-7a40-41a0-bfc9-b4407297fb58.kql index d9f5266db..c3262f30c 100644 --- a/azure-resources/ContainerService/managedClusters/kql/e620fa98-7a40-41a0-bfc9-b4407297fb58.kql +++ b/azure-resources/ContainerService/managedClusters/kql/e620fa98-7a40-41a0-bfc9-b4407297fb58.kql 
@@ -3,24 +3,23 @@ // Subtracting the network address, broadcast address, and default 3 addresses Azure reserves within each subnet resources -| where type == "microsoft.containerservice/managedclusters" +| where type =~ "microsoft.containerservice/managedclusters" | extend nodePools = properties['agentPoolProfiles'] | mv-expand nodePools = properties.agentPoolProfiles | where nodePools.enableAutoScaling == true | extend nodePoolName=nodePools.name, maxNodes = nodePools.maxCount, subnetId = tostring(nodePools.vnetSubnetID) -| project clusterId = id, clusterName=name, nodePoolName=nodePools.name, toint(maxNodes), subnetId +| project clusterId = id, clusterName=name, nodePoolName=nodePools.name, toint(maxNodes), subnetId,tags | join kind = leftouter ( resources - | where type == 'microsoft.network/virtualnetworks' + | where type =~ 'microsoft.network/virtualnetworks' | extend subnets = properties.subnets | mv-expand subnets - | project id = tostring(subnets.id), addressPrefix = tostring(subnets.properties['addressPrefix']) + | project id = tostring(subnets.id), addressPrefix = tostring(subnets.properties['addressPrefix']), tags | extend subnetmask = toint(substring(addressPrefix, indexof(addressPrefix, '/')+1, string_size(addressPrefix))) | extend possibleMaxNodeCount = toint(exp2(32-subnetmask) - 5) ) on $left.subnetId == $right.id | project-away id, subnetmask -| where possibleMaxNodeCount <= maxNodes +| where possibleMaxNodeCount >= maxNodes | extend param1 = strcat(nodePoolName, " autoscaler upper limit: ", maxNodes) | extend param2 = strcat("ip addresses on subnet: ", possibleMaxNodeCount) -| project recommendationId="e620fa98-7a40-41a0-bfc9-b4407297fb58", name=clusterName, id=clusterId, param1, param2 - +| project recommendationId="e620fa98-7a40-41a0-bfc9-b4407297fb58", name=clusterName, id=clusterId,tags,param1, param2 
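Review bot: Flipping `where possibleMaxNodeCount <= maxNodes` to `>=` reverses what is reported: the comment above computes the usable addresses in the pool's subnet, and the original returned pools whose autoscaler ceiling met or exceeded that count, i.e. the ones at risk; the new predicate returns pools whose subnet has enough addresses and hides the ones that will fail to scale. Unless exact equality is now meant to be acceptable, this should be `| where possibleMaxNodeCount < maxNodes` (or the original `<=`), with a comment such as `// report pools whose autoscaler max exceeds the usable IPs in their subnet` so the direction is explicit. The count also ignores per-node pod IPs (the classic Azure CNI reserves maxPods addresses per node), so even the original comparison is optimistic and deserves a caveat in the header. The `tags` added to the VNet subquery becomes `tags1` after the join and is never used.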
diff --git a/azure-resources/ContainerService/managedClusters/kql/f46b0d1d-56ef-4795-b98a-f6ee00cb341a.kql b/azure-resources/ContainerService/managedClusters/kql/f46b0d1d-56ef-4795-b98a-f6ee00cb341a.kql index 5e0ede428..3a1e96c55 100644 --- a/azure-resources/ContainerService/managedClusters/kql/f46b0d1d-56ef-4795-b98a-f6ee00cb341a.kql +++ b/azure-resources/ContainerService/managedClusters/kql/f46b0d1d-56ef-4795-b98a-f6ee00cb341a.kql @@ -4,4 +4,4 @@ resources | where type == "microsoft.containerservice/managedclusters" | mv-expand agentPoolProfile = properties.agentPoolProfiles | where agentPoolProfile.osType == 'Linux' and agentPoolProfile.osSKU != 'AzureLinux' -| project recommendationid="f46b0d1d-56ef-4795-b98a-f6ee00cb341a", name, id, param1=strcat("nodePoolName: ", agentPoolProfile.name) +| project recommendationid="f46b0d1d-56ef-4795-b98a-f6ee00cb341a", name=agentPoolProfile.name, id=strcat(id,"/agentPools/",agentPoolProfile.name),tags, param1=strcat("nodePoolName: ", agentPoolProfile.name) diff --git a/azure-resources/ContainerService/managedClusters/recommendations.yaml b/azure-resources/ContainerService/managedClusters/recommendations.yaml index dbfe6f023..d0e946a4b 100644 --- a/azure-resources/ContainerService/managedClusters/recommendations.yaml +++ b/azure-resources/ContainerService/managedClusters/recommendations.yaml 
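Review bot: The new projection keeps the column named `recommendationid` (lowercase `d`) while every other query in this commit emits `recommendationId`; KQL column names are case-sensitive, so a consumer reading `recommendationId` gets nothing from this query. Change it to `| project recommendationId="f46b0d1d-56ef-4795-b98a-f6ee00cb341a", name=tostring(agentPoolProfile.name), id=strcat(id,"/agentPools/",agentPoolProfile.name), tags, param1=...`, with `tostring` so `name` is a string like the sibling queries. The context line `type == "microsoft.containerservice/managedclusters"` is a case-sensitive compare where the other AKS queries use `=~`.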
@@ -1,9 +1,9 @@ - description: Deploy AKS cluster across availability zones aprlGuid: 4f63619f-5001-439c-bacb-8de891287727 - recommendationTypeId: null + recommendationTypeId: 9f3263db-b9c0-43bb-8523-6800f9f50793 recommendationControl: HighAvailability recommendationImpact: High - recommendationResourceType: Microsoft.ContainerService/managedClusters + recommendationResourceType: Microsoft.ContainerService/managedClusters/agentPools recommendationMetadataState: Active longDescription: | Azure Availability Zones ensure high availability by offering independent locations within regions, equipped with their own power, cooling, and networking to ensure applications and data are protected from datacenter-level failures. @@ -207,7 +207,7 @@ recommendationTypeId: null recommendationControl: Scalability recommendationImpact: Medium - recommendationResourceType: Microsoft.ContainerService/managedClusters + recommendationResourceType: Microsoft.ContainerService/managedClusters/agentPools recommendationMetadataState: Active longDescription: | Ephemeral OS disks on AKS offer lower read/write latency due to local attachment, eliminating the need for replication seen with managed disks. This enhances performance and speeds up cluster operations such as scaling or upgrading due to quicker re-imaging and boot times. @@ -225,7 +225,7 @@ recommendationControl: OtherBestPractices recommendationImpact: Low recommendationResourceType: Microsoft.ContainerService/managedClusters - recommendationMetadataState: Active + recommendationMetadataState: Disabled longDescription: | Azure Policies in AKS clusters help enforce governance best practices concerning security, authentication, provisioning, networking, and more, ensuring a robust and secure environment for operations. potentialBenefits: Enhanced AKS governance and security 
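Review bot: The third hunk flips a governance/security recommendation ("Azure Policies in AKS clusters help enforce ... security") from `Active` to `Disabled` with no reason in the entry or the commit message, while the 26ebaf1f Azure Policy query that appears to back it is still being edited in this commit; if the aprlGuid above the hunk is 26ebaf1f that query is now dead, and if it is not, the disabling still needs a stated rationale. In the first hunk, `recommendationResourceType` moves to `Microsoft.ContainerService/managedClusters/agentPools` at the same time an Advisor `recommendationTypeId` is added; if Advisor raises that recommendation against the cluster resource id, anything correlating the two will see a resource-type mismatch with the agentPools ids the 4f63619f query now emits, which is worth confirming.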
@@ -326,7 +326,7 @@ recommendationTypeId: null recommendationControl: HighAvailability recommendationImpact: High - recommendationResourceType: Microsoft.ContainerService/managedClusters + recommendationResourceType: Microsoft.ContainerService/managedClusters/agentPools recommendationMetadataState: Active longDescription: | Configuring the user node pool with at least two nodes is essential for applications needing high availability, ensuring they remain operational and accessible without interruption. @@ -394,7 +394,7 @@ recommendationTypeId: null recommendationControl: HighAvailability recommendationImpact: High - recommendationResourceType: Microsoft.ContainerService/managedClusters + recommendationResourceType: Microsoft.ContainerService/managedClusters/agentPools recommendationMetadataState: Disabled longDescription: | Azure Linux on AKS boosts resiliency with a native image using validated, source-built components. It's lightweight, reducing the attack surface and maintenance. A Microsoft-hardened kernel, optimized for Azure, enhances stability and security for container workloads. diff --git a/azure-resources/DBforPostgreSQL/flexibleServers/kql/31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3.kql b/azure-resources/DBforPostgreSQL/flexibleServers/kql/31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3.kql index d46a98832..31390feed 100644 --- a/azure-resources/DBforPostgreSQL/flexibleServers/kql/31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3.kql +++ b/azure-resources/DBforPostgreSQL/flexibleServers/kql/31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3.kql 
@@ -1,6 +1,13 @@
// Azure Resource Graph Query
// Find Database for PostgreSQL instances that do not have geo redundant backup storage configured
-resources
-| where type == "microsoft.dbforpostgresql/flexibleservers"
-| where properties.backup.geoRedundantBackup != "Enabled"
-| project recommendationId = "31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3", name, id, tags, param1 = strcat("geoRedundantBackup:", properties['backup']['geoRedundantBackup'])
+advisorresources
+| where properties.recommendationTypeId =~ '5295ed8a-f7a1-48d3-b4a9-e5e472cf1685' // RecommendationID from Advisor
+| mv-expand resId = properties.resourceMetadata.resourceId
+| extend resId = tostring(resId)
+| project recId = properties.recommendationTypeId, resId
+| join kind=leftouter (
+ resources
+ | extend id = tostring(id)
+ | project id, name, tags, location, properties
+) on $left.resId == $right.id
+| project recommendationId = "31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3", name , id = resId, tags, param1 = strcat("geoRedundantBackup:", properties['backup']['geoRedundantBackup'])
diff --git a/azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml b/azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml
index 6978db41a..1de2713df 100644
--- a/azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml
+++ b/azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml
@@ -34,7 +34,7 @@ - description: Configure geo redundant backup storage aprlGuid: 31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3 - recommendationTypeId: null + recommendationTypeId: 5295ed8a-f7a1-48d3-b4a9-e5e472cf1685 recommendationControl: DisasterRecovery recommendationImpact: High recommendationResourceType: Microsoft.DBforPostgreSQL/flexibleServers
diff --git a/azure-resources/NetApp/netAppAccounts/kql/72827434-c773-4345-9493-34848ddf5803.kql b/azure-resources/NetApp/netAppAccounts/kql/72827434-c773-4345-9493-34848ddf5803.kql
index 3c0a30d62..b6628866e 100644
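Review bot: In the 31f4ac4b query the join `on $left.resId == $right.id` is case-sensitive and neither key is normalised, so an Advisor `resourceMetadata.resourceId` whose casing differs from the `resources` `id` (resource ids from different services can differ in case) does not match; because the join is `leftouter` the row survives with null `name`, `tags` and `properties`, and `param1` degrades to `geoRedundantBackup:` with no value. Normalise both sides with `| extend resId = tolower(tostring(resId))` and `| extend id = tolower(tostring(id))`. The same unnormalised join appears in the 72827434 and e3d742e1 NetApp hunks that follow. `recId` is projected but never used afterwards and `location` in the inner projection is unused here, so both can be dropped.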
--- a/azure-resources/NetApp/netAppAccounts/kql/72827434-c773-4345-9493-34848ddf5803.kql
+++ b/azure-resources/NetApp/netAppAccounts/kql/72827434-c773-4345-9493-34848ddf5803.kql
@@ -1,7 +1,15 @@
// Azure Resource Graph Query
// This Resource Graph query will return all Azure NetApp Files volumes without a snapshot policy defined.
-resources
-| where type == "microsoft.netapp/netappaccounts/capacitypools/volumes"
-| where properties.dataProtection.snapshot.snapshotPolicyId == ""
-| project recommendationId = "72827434-c773-4345-9493-34848ddf5803", name, id, tags
+advisorresources
+| where properties.recommendationTypeId =~ 'cda11061-35a8-4ca3-aa03-b242dcdf7319' // RecommendationID from Advisor
+| mv-expand resId = properties.resourceMetadata.resourceId
+| extend resId = tostring(resId)
+| project recId = properties.recommendationTypeId, resId
+| join kind=leftouter (
+ resources
+ | extend id = tostring(id)
+ | project id, name, tags, location, properties
+) on $left.resId == $right.id
+| project recommendationId = "72827434-c773-4345-9493-34848ddf5803", name , id = resId, tags
+
diff --git a/azure-resources/NetApp/netAppAccounts/kql/e3d742e1-dacd-9b48-b6b1-510ec9f87c96.kql b/azure-resources/NetApp/netAppAccounts/kql/e3d742e1-dacd-9b48-b6b1-510ec9f87c96.kql
index ec06337a9..25a8ac925 100644
--- a/azure-resources/NetApp/netAppAccounts/kql/e3d742e1-dacd-9b48-b6b1-510ec9f87c96.kql
+++ b/azure-resources/NetApp/netAppAccounts/kql/e3d742e1-dacd-9b48-b6b1-510ec9f87c96.kql
@@ -1,11 +1,15 @@
// Azure Resource Graph Query
// This Resource Graph query will return all Azure NetApp Files volumes without cross-zone replication.
-resources
-| where type == "microsoft.netapp/netappaccounts/capacitypools/volumes"
-| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
-| extend remoteVolumeRegion = properties.dataProtection.replication.remoteVolumeRegion
-| extend volumeType = properties.volumeType
-| extend replicationType = iff((remoteVolumeRegion == location), "CZR", iff((remoteVolumeRegion == ""),"n/a","CRR"))
-| where replicationType != "CZR" and volumeType != "DataProtection"
-| project recommendationId = "e3d742e1-dacd-9b48-b6b1-510ec9f87c96", name, id, tags
+advisorresources
+| where properties.recommendationTypeId =~ '7a48f43e-8615-4ce0-8039-83b9d24f945a' // RecommendationID from Advisor
+| mv-expand resId = properties.resourceMetadata.resourceId
+| extend resId = tostring(resId)
+| project recId = properties.recommendationTypeId, resId
+| join kind=leftouter (
+ resources
+ | extend id = tostring(id)
+ | project id, name, tags, location, properties
+) on $left.resId == $right.id
+| project recommendationId = "e3d742e1-dacd-9b48-b6b1-510ec9f87c96", name , id = resId, tags
+
diff --git a/azure-resources/NetApp/netAppAccounts/recommendations.yaml b/azure-resources/NetApp/netAppAccounts/recommendations.yaml
index fdda14b85..e2b3fb6f6 100644
--- a/azure-resources/NetApp/netAppAccounts/recommendations.yaml
+++ b/azure-resources/NetApp/netAppAccounts/recommendations.yaml
@@ -119,9 +119,9 @@ - description: Enable Cross-zone replication of Azure NetApp Files volumes aprlGuid: e3d742e1-dacd-9b48-b6b1-510ec9f87c96 - recommendationTypeId: null + recommendationTypeId: 7a48f43e-8615-4ce0-8039-83b9d24f945a recommendationControl: DisasterRecovery - recommendationImpact: High + recommendationImpact: Medium recommendationResourceType: Microsoft.NetApp/netAppAccounts/capacityPools/volumes recommendationMetadataState: Active longDescription: |
diff --git a/azure-resources/Network/loadBalancers/kql/6d82d042-6d61-ad49-86f0-6a5455398081.kql b/azure-resources/Network/loadBalancers/kql/6d82d042-6d61-ad49-86f0-6a5455398081.kql
index 4fea8b88b..cf891547a 100644
--- a/azure-resources/Network/loadBalancers/kql/6d82d042-6d61-ad49-86f0-6a5455398081.kql
+++ b/azure-resources/Network/loadBalancers/kql/6d82d042-6d61-ad49-86f0-6a5455398081.kql
@@ -1,35 +1,9 @@
// Azure Resource Graph Query
-// Find all LoadBalancers which only have 1 backend pool defined or only 1 VM in the backend pool
+// Find all LoadBalancers which only have 1 backend pool defined or only 1 VM in the backend pool,
+// and project the name of the impacted backend pool.
resources
| where type =~ 'Microsoft.Network/loadBalancers'
-| extend bep = properties.backendAddressPools
-| extend BackEndPools = array_length(bep)
-| where BackEndPools == 0
-| project recommendationId = "6d82d042-6d61-ad49-86f0-6a5455398081", name, id, Param1="backendPools", Param2=toint(0), tags
-| union (resources
- | where type =~ 'Microsoft.Network/loadBalancers'
- | where sku.name == "Standard"
- | extend bep = properties.backendAddressPools
- | extend BackEndPools = toint(array_length(bep))
- | mv-expand bip = properties.backendAddressPools
- | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses)
- | where toint(BackendAddresses) <= 1
- | project recommendationId = "6d82d042-6d61-ad49-86f0-6a5455398081", name, id, tags, Param1="backendAddresses", Param2=toint(BackendAddresses))
-| union (
- resources
- | where type =~ 'Microsoft.Network/loadBalancers'
- | where sku.name == "Basic"
- | mv-expand properties.backendAddressPools
- | extend backendPoolId = properties_backendAddressPools.id
- | project id, name, tags, tostring(backendPoolId), recommendationId = "6d82d042-6d61-ad49-86f0-6a5455398081", Param1="BackEndPools"
- | join kind = leftouter (
- resources
- | where type =~ "Microsoft.Network/networkInterfaces"
- | mv-expand properties.ipConfigurations
- | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools
- | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id)
- | summarize poolMembers = count() by backendPoolId
- | project tostring(backendPoolId), poolMembers ) on backendPoolId
- | where toint(poolMembers) <= 1
- | extend BackendAddresses =
poolMembers
- | project id, name, tags, recommendationId, Param1="backendAddresses", Param2=toint(BackendAddresses))
+| mv-expand bpool = properties.backendAddressPools
+| extend BackendAddresses = array_length(bpool.properties.loadBalancerBackendAddresses)
+| where BackendAddresses <= 1
+| project recommendationId = "6d82d042-6d61-ad49-86f0-6a5455398081",name=bpool.name,id=strcat(id,"/backendAddressPools/",bpool.name),tags
diff --git a/azure-resources/Network/loadBalancers/kql/e5f5fcea-f925-4578-8599-9a391e888a60.kql b/azure-resources/Network/loadBalancers/kql/e5f5fcea-f925-4578-8599-9a391e888a60.kql
deleted file mode 100644
index bd8f5e538..000000000
--- a/azure-resources/Network/loadBalancers/kql/e5f5fcea-f925-4578-8599-9a391e888a60.kql
+++ /dev/null
@@ -1,6 +0,0 @@
-// Azure Resource Graph Query
-// List the load balancers which don't have health probe configured
-resources
-| where type =~ "microsoft.network/loadbalancers"
-| where array_length(properties.probes) == 0
-| project recommendationId="e5f5fcea-f925-4578-8599-9a391e888a60", name, id, tags, param1="customHealthProbeUsed: false"
diff --git a/azure-resources/Network/loadBalancers/recommendations.yaml b/azure-resources/Network/loadBalancers/recommendations.yaml
index e092e65d4..8000055aa 100644
--- a/azure-resources/Network/loadBalancers/recommendations.yaml
+++ b/azure-resources/Network/loadBalancers/recommendations.yaml
@@ -20,7 +20,7 @@ recommendationTypeId: null recommendationControl: HighAvailability recommendationImpact: High - recommendationResourceType: Microsoft.Network/loadBalancers + recommendationResourceType: Microsoft.Network/loadBalancers/backendAddressPools recommendationMetadataState: Active longDescription: | Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Pairing with Virtual Machine Scale Sets is advised for optimal scale building.
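Review bot: The 6d82d042 rewrite silently drops two classes of finding: `mv-expand bpool = properties.backendAddressPools` yields no row for a load balancer with zero backend pools, so the result the old `where BackEndPools == 0` produced is gone, and when `loadBalancerBackendAddresses` is absent `array_length(...)` is null, which `where BackendAddresses <= 1` filters out instead of reporting. The removed Basic-SKU branch counted members through `networkInterfaces` ip configurations rather than `loadBalancerBackendAddresses`, which suggests Basic pools do not populate that property — if so (confirm), Basic load balancers now never appear at all. `| extend BackendAddresses = coalesce(array_length(bpool.properties.loadBalancerBackendAddresses), 0)` at least makes the missing-property case visible, and the zero-pool and Basic-SKU cases should either be restored or be named in the header comment as out of scope. That header still says the query finds load balancers that "only have 1 backend pool defined", a condition the new body does not check.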
@@ -66,19 +66,3 @@ - name: Load Balancer and Availability Zones url: "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones#zone-redundant" -- description: Use Health Probes to detect backend instances availability - aprlGuid: e5f5fcea-f925-4578-8599-9a391e888a60 - recommendationTypeId: null - recommendationControl: MonitoringAndAlerting - recommendationImpact: High - recommendationResourceType: Microsoft.Network/loadBalancers - recommendationMetadataState: Active - longDescription: | - Health probes are used by Azure Load Balancers to determine the status of backend endpoints. Using custom health probes that are aligned with vendor recommendations enhances understanding of backend availability and facilitates monitoring of backend services for any impact. - potentialBenefits: Ensures backend uptime monitoring. - pgVerified: true - automationAvailable: true - tags: [] - learnMoreLink: - - name: Load Balancer Health Probe Overview - url: "https://learn.microsoft.com/azure/load-balancer/load-balancer-custom-probe-overview"
diff --git a/azure-resources/Network/virtualNetworkGateways/recommendations.yaml b/azure-resources/Network/virtualNetworkGateways/recommendations.yaml
index fb1c3cbdf..020115030 100644
--- a/azure-resources/Network/virtualNetworkGateways/recommendations.yaml
+++ b/azure-resources/Network/virtualNetworkGateways/recommendations.yaml
@@ -102,7 +102,7 @@ - description: Choose a Zone-redundant VPN gateway aprlGuid: 5b1933a6-90e4-f642-a01f-e58594e5aab2 - recommendationTypeId: null + recommendationTypeId: 1afa00b3-bb4c-496d-99e5-b7bda59a057c recommendationControl: HighAvailability recommendationImpact: High recommendationResourceType: Microsoft.Network/virtualNetworkGateways
From 6b66e3f8dfabb47e474826c003b80c8ef1c73a7e Mon Sep 17 00:00:00 2001
From: "Rodrigo Reis Santos (AZURE)" Date: Wed, 21 May 2025 10:14:00 -0400 Subject: [PATCH 2/5] commit1
--- .../kql/302fda08-ee65-4fbe-a916-6dc0b33169c4.kql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/azure-resources/Compute/virtualMachines/kql/302fda08-ee65-4fbe-a916-6dc0b33169c4.kql b/azure-resources/Compute/virtualMachines/kql/302fda08-ee65-4fbe-a916-6dc0b33169c4.kql
index 310a03233..d850eb4cd 100644
--- a/azure-resources/Compute/virtualMachines/kql/302fda08-ee65-4fbe-a916-6dc0b33169c4.kql
+++ b/azure-resources/Compute/virtualMachines/kql/302fda08-ee65-4fbe-a916-6dc0b33169c4.kql
@@ -1,5 +1,5 @@
// Azure Resource Graph Query
-// Find Database for PostgreSQL instances that do not have geo redundant backup storage configured
+// Find Virtual Machine capacity reservations and their associated properties
advisorresources
| where properties.recommendationTypeId =~ '1670c0af-6536-4cbf-872f-152c91a51a80' // RecommendationID from Advisor
| mv-expand resId = properties.resourceMetadata.resourceId
From 00987d5f040feed8a806e161b06a87984227d0ba Mon Sep 17 00:00:00 2001
From: Rodrigo Santos Date: Wed, 21 May 2025 10:16:46 -0400 Subject: [PATCH 3/5] Update azure-resources/ContainerService/managedClusters/kql/e620fa98-7a40-41a0-bfc9-b4407297fb58.kql Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
--- .../kql/e620fa98-7a40-41a0-bfc9-b4407297fb58.kql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/azure-resources/ContainerService/managedClusters/kql/e620fa98-7a40-41a0-bfc9-b4407297fb58.kql b/azure-resources/ContainerService/managedClusters/kql/e620fa98-7a40-41a0-bfc9-b4407297fb58.kql
index c3262f30c..ff1b465bd 100644
--- a/azure-resources/ContainerService/managedClusters/kql/e620fa98-7a40-41a0-bfc9-b4407297fb58.kql
+++ b/azure-resources/ContainerService/managedClusters/kql/e620fa98-7a40-41a0-bfc9-b4407297fb58.kql
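Review bot: In the 302fda08 hunk of PATCH 2/5 the new header comment describes the output as capacity reservations, but the visible body selects Advisor findings of type `1670c0af-6536-4cbf-872f-152c91a51a80` and expands their resource ids, so each row corresponds to a resource Advisor flagged rather than a reservation object. State the source and where the condition is defined instead, e.g. `// Virtual Machines flagged by Advisor recommendation 1670c0af-6536-4cbf-872f-152c91a51a80 (condition: see the 302fda08 entry in recommendations.yaml)`, so the comment cannot drift from the query the way the replaced PostgreSQL text did. The rest of this query lies outside the hunk.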
@@ -19,7 +19,7 @@ resources
| extend possibleMaxNodeCount = toint(exp2(32-subnetmask) - 5) ) on $left.subnetId == $right.id
| project-away id, subnetmask
-| where possibleMaxNodeCount >= maxNodes
+| where possibleMaxNodeCount <= maxNodes
| extend param1 = strcat(nodePoolName, " autoscaler upper limit: ", maxNodes)
| extend param2 = strcat("ip addresses on subnet: ", possibleMaxNodeCount)
| project recommendationId="e620fa98-7a40-41a0-bfc9-b4407297fb58", name=clusterName, id=clusterId,tags,param1, param2
From 946126c8713e9daed7cb1cddd90f3df9b23361e1 Mon Sep 17 00:00:00 2001
From: Rodrigo Santos Date: Wed, 21 May 2025 10:16:56 -0400 Subject: [PATCH 4/5] Update azure-resources/Compute/virtualMachines/recommendations.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
--- azure-resources/Compute/virtualMachines/recommendations.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/azure-resources/Compute/virtualMachines/recommendations.yaml b/azure-resources/Compute/virtualMachines/recommendations.yaml
index 7a85dbd07..6c13729d8 100644
--- a/azure-resources/Compute/virtualMachines/recommendations.yaml
+++ b/azure-resources/Compute/virtualMachines/recommendations.yaml
@@ -145,7 +145,7 @@ When Accelerated Networking is enabled, the default Azure VNet interface in GuestOS is swapped for a Mellanox, and its driver comes from a 3rd party. Marketplace images have the latest Mellanox drivers, but post-deployment, updating the driver is the user's responsibility. potentialBenefits: Enhanced VM network efficiency pgVerified: true - automationAvailable: True + automationAvailable: true tags: [] learnMoreLink: - name: Accelerated Networking (AccelNet) overview
From 00d16768bbb6388e69b39cb2b587e70c10351c91 Mon Sep 17 00:00:00 2001
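Review bot: In the e620fa98 hunk the flip to `<=` makes the filter treat a subnet whose usable address count exactly equals `maxNodes` as a finding, and nothing on the line says whether equality is intended (for instance to keep an address free for a surge node during upgrades) or whether `<` was meant. Pin it with a trailing comment: `| where possibleMaxNodeCount <= maxNodes // usable IPs must exceed maxNodes; equality leaves no headroom — confirm intent`. The context line shows `possibleMaxNodeCount` is derived only from the subnet mask (`exp2(32-subnetmask) - 5`, the 5 presumably being the addresses Azure reserves per subnet), so per-pod address consumption is not modelled; if that is a deliberate approximation the header comment should say so. The enclosing query starts before this hunk.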
From: "Rodrigo Reis Santos (AZURE)" Date: Wed, 21 May 2025 11:57:17 -0400 Subject: [PATCH 5/5] updates
--- .../89d1166a-1a20-0f46-acc8-3194387bf127.kql | 2 -- .../Network/routeTables/recommendations.yaml | 17 ----------------- 2 files changed, 19 deletions(-) delete mode 100644 azure-resources/Network/routeTables/kql/89d1166a-1a20-0f46-acc8-3194387bf127.kql
diff --git a/azure-resources/Network/routeTables/kql/89d1166a-1a20-0f46-acc8-3194387bf127.kql b/azure-resources/Network/routeTables/kql/89d1166a-1a20-0f46-acc8-3194387bf127.kql
deleted file mode 100644
index 825659376..000000000
--- a/azure-resources/Network/routeTables/kql/89d1166a-1a20-0f46-acc8-3194387bf127.kql
+++ /dev/null
@@ -1,2 +0,0 @@
-// under-development
-
diff --git a/azure-resources/Network/routeTables/recommendations.yaml b/azure-resources/Network/routeTables/recommendations.yaml
index 10609da94..331bcc929 100644
--- a/azure-resources/Network/routeTables/recommendations.yaml
+++ b/azure-resources/Network/routeTables/recommendations.yaml
@@ -14,20 +14,3 @@ learnMoreLink: - name: Azure activity log - Azure Monitor | Microsoft Learn url: "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log?tabs=powershell" - -- description: Configure locks for Route Tables to avoid accidental changes or deletion - aprlGuid: 89d1166a-1a20-0f46-acc8-3194387bf127 - recommendationTypeId: null - recommendationControl: Governance - recommendationImpact: Low - recommendationResourceType: Microsoft.Network/routeTables - recommendationMetadataState: Disabled - longDescription: | - As an administrator, you can protect Azure subscriptions, resource groups, or resources from accidental deletions and modifications by setting locks. - potentialBenefits: Prevents accidental edits/deletions - pgVerified: true - automationAvailable: false - tags: [] - learnMoreLink: - - name: Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn - url: "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=json"