Azure Application Gateway v2 is always deployed with multiple instances for high availability. Enabling autoscale ensures the gateway adds capacity without manual intervention; the query below flags gateways that have no autoscale configuration or a minimum capacity of 1 or less, since a single-instance minimum leaves no headroom while scale-out is in progress.
Azure Resource Graph query:

```kusto
// Azure Resource Graph Query
// This query will return all Application Gateways that do not have autoscale enabled or have a min capacity of 1
resources
| where type =~ "microsoft.network/applicationGateways"
| where isnull(properties.autoscaleConfiguration) or properties.autoscaleConfiguration.minCapacity <= 1
| project recommendationId = "823b0cff-05c0-2e4e-a1e7-9965e1cfa16f", name, id, tags, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1"
| order by id asc
```
Secure all incoming connections with SSL/TLS
Impact: High
Category: Security
APRL GUID: 233a7008-71e9-e745-923e-1a1c7a0b92f3
Description:
Secure all incoming connections to production services with HTTPS, either end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway, so that traffic between browsers and the gateway stays private and integrity-protected. With termination at the gateway, the listener must still be HTTPS; only the hop to the backend may be HTTP.
Use Application Gateway with Web Application Firewall (WAF) in the application's virtual network to safeguard inbound HTTP(S) internet traffic. WAF provides centralized defense against common exploits through rules based on the OWASP Core Rule Set.
Use Application Gateway v2 for built-in features such as autoscaling, static VIPs, and Azure Key Vault integration for certificate management, better traffic management, and performance, unless v1 is specifically required.
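The page gives no query for this recommendation, so the following is an added Azure Resource Graph example (not part of the APRL page or its query set). It lists every listener that accepts plain HTTP, and separately every gateway not running a WAF_v2 SKU. The property paths (`properties.httpListeners[].properties.protocol`, `properties.sku.name`) follow the ARM schema for `microsoft.network/applicationGateways`; the `recommendationId` and `param1` columns mirror the page's own query style, and the GUID reused there is the one this recommendation already carries.

```kusto
// Added example, not from the APRL page.
// Query 1: listeners that terminate plain HTTP on the public side.
// A listener with protocol "Http" means clients can reach the service unencrypted,
// regardless of whether the backend hop uses HTTPS.
resources
| where type =~ "microsoft.network/applicationGateways"
| extend skuName = tostring(properties.sku.name)
| mv-expand listener = properties.httpListeners
| extend listenerName = tostring(listener.name),
         protocol = tostring(listener.properties.protocol)
| where protocol =~ "Http"
| project recommendationId = "233a7008-71e9-e745-923e-1a1c7a0b92f3",
          name, id, tags, skuName, listenerName,
          param1 = strcat("Listener '", listenerName, "' protocol: ", protocol)
| order by id asc

// Query 2 (run separately): gateways whose SKU has no WAF engine.
// Standard_v2, Standard and WAF (v1) are all flagged; only WAF_v2 passes.
resources
| where type =~ "microsoft.network/applicationGateways"
| extend skuName = tostring(properties.sku.name)
| where skuName !~ "WAF_v2"
| project recommendationId = "233a7008-71e9-e745-923e-1a1c7a0b92f3",
          name, id, tags,
          param1 = strcat("SKU without WAF_v2: ", skuName)
| order by id asc
```

Run each query on its own in the Resource Graph Explorer or with `az graph query -q "<query>"`. Query 1 produces one row per offending listener, so a gateway with several HTTP listeners appears several times; that is intentional, since each listener needs its own redirect or HTTPS conversion. A gateway that only exposes an HTTP listener to issue a 301 redirect to HTTPS will still be listed and should be reviewed by hand.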
Deploy Application Gateway in a zone-redundant configuration
Impact: High
Category: High Availability
APRL GUID: c9c00f2a-3888-714b-a72b-b4c9e8fcffb2
Description:
Deploying Application Gateway in a zone-redundant configuration (instances spread across at least two availability zones) ensures customers can still reach the service if one zone goes down, because instances in the other zones remain available. A zonal deployment pinned to a single zone does not provide this protection, so the query below flags gateways with no zones as well as those with only one.
Azure Resource Graph query:

```kusto
// Azure Resource Graph Query
// list Application Gateways that are not configured to use at least 2 Availability Zones
resources
| where type =~ "microsoft.network/applicationGateways"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where isnull(zones) or array_length(zones) < 2
| extend zoneValue = iff((isnull(zones)), "null", zones)
| project recommendationId = "c9c00f2a-3888-714b-a72b-b4c9e8fcffb2", name, id, tags, param1 = "Zones: No Zone or Zonal", param2 = strcat("Zones value: ", zoneValue)
```
Plan for backend maintenance by using connection draining
Impact: Medium
Category: High Availability
APRL GUID: 10f02bc6-e2e7-004d-a2c2-f9bf9f16b915
Description:
Connection draining lets backend pool members be removed gracefully during planned updates or when a health probe fails: in-flight requests are allowed to finish for a configured timeout instead of being cut off. It is enabled in a backend setting and applies to every backend pool member that is served through a rule using that setting.
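The page has no query for this recommendation, so here is an added Azure Resource Graph example (not part of the APRL page) that lists backend settings with connection draining missing or disabled. It assumes the ARM property path `properties.backendHttpSettingsCollection[].properties.connectionDraining.{enabled,drainTimeoutInSec}`; the `recommendationId` reuses the GUID this recommendation already carries.

```kusto
// Added example, not from the APRL page.
// One row per backend setting that will drop in-flight requests when a member is removed.
resources
| where type =~ "microsoft.network/applicationGateways"
| mv-expand setting = properties.backendHttpSettingsCollection
| extend settingName = tostring(setting.name),
         drainingEnabled = tobool(setting.properties.connectionDraining.enabled),
         drainTimeoutSec = toint(setting.properties.connectionDraining.drainTimeoutInSec)
// A null means the connectionDraining block was never set; false means it was explicitly turned off.
| where isnull(drainingEnabled) or drainingEnabled == false
| project recommendationId = "10f02bc6-e2e7-004d-a2c2-f9bf9f16b915",
          name, id, tags, settingName, drainTimeoutSec,
          param1 = strcat("connectionDraining on '", settingName, "': ",
                          iff(isnull(drainingEnabled), "not configured", "disabled"))
| order by id asc
```

When reviewing the results, also look at `drainTimeoutSec` on the settings that pass: a timeout shorter than the application's longest legitimate request will still truncate those requests during a scale-in or upgrade.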
Ensure Application Gateway Subnet is using a /24 subnet mask
Impact: High
Category: Other Best Practices
APRL GUID: 8364fd0a-7c0e-e240-9d95-4bf965aec243
Description:
Application Gateway v2 (Standard_v2 or WAF_v2 SKU) can scale up to 125 instances, each of which consumes a private IP address from the gateway subnet. A /24 subnet isn't mandatory for deployment, but it is advised so that the subnet has enough addresses for autoscaling to the maximum and for the extra instances that maintenance upgrades bring up temporarily.
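The page gives no query for this recommendation, so the following is an added Azure Resource Graph example (not part of the APRL page) that joins each gateway's subnet to the virtual network definition and flags subnets smaller than /24. It assumes the subnet prefix is stored in `properties.subnets[].properties.addressPrefix` (subnets defined with the `addressPrefixes` array instead are not covered) and that Resource Graph's single-column `join` is available in the reader's tenant; the `recommendationId` reuses this recommendation's GUID.

```kusto
// Added example, not from the APRL page.
// Left side: every subnet in every virtual network, keyed by its lowercased resource ID.
resources
| where type =~ "microsoft.network/virtualNetworks"
| mv-expand subnet = properties.subnets
| project subnetId = tolower(tostring(subnet.id)),
          addressPrefix = tostring(subnet.properties.addressPrefix)
// Right side: every gateway IP configuration, keyed by the subnet it lives in.
| join kind=inner (
    resources
    | where type =~ "microsoft.network/applicationGateways"
    | mv-expand ipConfig = properties.gatewayIPConfigurations
    | project name, id, tags,
              skuName = tostring(properties.sku.name),
              subnetId = tolower(tostring(ipConfig.properties.subnet.id))
  ) on subnetId
// "/26" -> 26; a larger prefix length means a smaller subnet.
| extend prefixLength = toint(split(addressPrefix, "/")[1])
| where prefixLength > 24
| project recommendationId = "8364fd0a-7c0e-e240-9d95-4bf965aec243",
          name, id, tags, skuName, subnetId, addressPrefix,
          param1 = strcat("Gateway subnet is /", prefixLength, "; /24 recommended")
| order by id asc
```

A subnet that returns here cannot simply be resized in place once the gateway is running, and a gateway's subnet cannot be changed after deployment, so remediation normally means planning a new gateway in a correctly sized subnet rather than editing the existing one. Subnets that store their range in `addressPrefixes` will be silently skipped by this query; extend the left side with a second `mv-expand` over that array if your networks use it.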