applicationGateways
Summary
Details
Ensure Autoscale feature has been enabled
Impact: Medium Category: Scalability PG Verified: Verified
APRL GUID: 823b0cff-05c0-2e4e-a1e7-9965e1cfa16f
Description:
Azure Application Gateways v2 are always deployed in a highly available fashion with multiple instances by default. Enabling autoscale ensures the service is not reliant on manual intervention for scaling.
Potential Benefits:
Enhances uptime and enables autoscaling
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// This query will return all Application Gateways that do not have autoscale enabled or have a min capacity of 1
resources
| where type =~ "microsoft.network/applicationGateways"
| where isnull(properties.autoscaleConfiguration) or properties.autoscaleConfiguration.minCapacity <= 1
| project recommendationId = "823b0cff-05c0-2e4e-a1e7-9965e1cfa16f", name, id, tags, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1"
| order by id asc
Secure all incoming connections with SSL
Impact: High Category: Security PG Verified: Verified
APRL GUID: 233a7008-71e9-e745-923e-1a1c7a0b92f3
Description:
Secure all incoming connections using HTTPS for production services with end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway to protect against attacks and ensure data remains private and encrypted between the web server and browsers.
Potential Benefits:
Enhanced security and privacy
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// You can use the following Azure Resource Graph query to check if an HTTP rule is using an SSL certificate or is using Azure Key Vault to store the certificates
resources
| where type =~ "microsoft.network/applicationGateways"
| mv-expand frontendPorts = properties.frontendPorts
| mv-expand httpListeners = properties.httpListeners
| where isnull(parse_json(httpListeners.properties.sslCertificate))
| project recommendationId="233a7008-71e9-e745-923e-1a1c7a0b92f3", name, id, tags, param1=strcat("frontendPort: ", frontendPorts.properties.port), param2="tls: false"
Enable Web Application Firewall policies
Impact: Low Category: Security PG Verified: Verified
APRL GUID: 8d9223c4-730d-ca47-af88-a9a024c37270
Description:
Use Application Gateway with Web Application Firewall (WAF) in an application virtual network to safeguard inbound HTTP/S internet traffic. WAF offers centralized defense against potential exploits through OWASP core rule sets-based rules.
Potential Benefits:
Enhanced security for HTTP/S traffic
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// This query will return all Application Gateways that do not have WAF enabled
Resources
| where type =~ "microsoft.network/applicationGateways"
| where properties.firewallpolicy != ""
| project recommendationId = "8d9223c4-730d-ca47-af88-a9a024c37270", name, id, tags, param1 = "webApplicationFirewallConfiguration: isNull"
| order by id asc
Migrate to Application Gateway v2
Impact: High Category: Scalability PG Verified: Verified
APRL GUID: 7893f0b3-8622-1d47-beed-4b50a19f7895
Description:
Use Application Gateway v2 for built-in features like autoscaling, static VIPs, Azure KeyVault integration for better traffic management and performance, unless v1 is necessary.
Potential Benefits:
Better performance, autoscaling, more features
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Get all Application Gateways, which are using the deprecated V1 SKU
resources
| where type =~ 'microsoft.network/applicationgateways'
| extend tier = properties.sku.tier
| where tier == 'Standard' or tier == 'WAF'
| project recommendationId = "7893f0b3-8622-1d47-beed-4b50a19f7895", name, id, tags
Monitor and Log the configurations and traffic
Impact: High Category: Monitoring and Alerting PG Verified: Verified
APRL GUID: 5d035919-898d-a047-8d5d-454e199692e5
Description:
Enable logging in storage accounts, Log Analytics, and monitoring services for auditing and insights. If using NSGs, enable NSG flow logs to be stored, providing in-depth traffic analysis into Azure Cloud.
Potential Benefits:
Enhanced traffic insight and audit
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// cannot-be-validated-with-arg
Use Health Probes to detect backend availability
Impact: High Category: Monitoring and Alerting PG Verified: Verified
APRL GUID: 847a8d88-21c4-bc48-a94e-562206edd767
Description:
Using custom health probes enhances understanding of backend availability and facilitates monitoring of backend services for any impact.
Potential Benefits:
Ensures backend uptime monitoring.
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Application Gateways are not using health probes to monitor the availability of the backend systems
resources
| where type =~ "microsoft.network/applicationGateways"
| where array_length(properties.probes) == 0
| project recommendationId="847a8d88-21c4-bc48-a94e-562206edd767", name, id, tags, param1="customHealthProbeUsed: false"
Deploy Application Gateway in a zone-redundant configuration
Impact: High Category: High Availability PG Verified: Verified
APRL GUID: c9c00f2a-3888-714b-a72b-b4c9e8fcffb2
Description:
Deploying Application Gateway in a zone-aware configuration ensures continued customer access to services even if a specific zone goes down, as services in other zones remain available.
Potential Benefits:
Enhanced uptime and customer access
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// list Application Gateways that are not configured to use at least 2 Availability Zones
resources
| where type =~ "microsoft.network/applicationGateways"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where isnull(zones) or array_length(zones) < 2
| extend zoneValue = iff((isnull(zones)), "null", zones)
| project recommendationId = "c9c00f2a-3888-714b-a72b-b4c9e8fcffb2", name, id, tags, param1="Zones: No Zone or Zonal", param2=strcat("Zones value: ", zoneValue )
Plan for backend maintenance by using connection draining
Impact: Medium Category: High Availability PG Verified: Verified
APRL GUID: 10f02bc6-e2e7-004d-a2c2-f9bf9f16b915
Description:
Using connection draining for backend maintenance ensures graceful removal of backend pool members during updates or health issues. It's enabled via Backend Setting and applies to all members during rule creation.
Potential Benefits:
Smooth updates, no dropped users
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// This query will check if connection draining is enabled
resources
| where type =~ "microsoft.network/applicationGateways"
| mv-expand backendHttpSettings = properties.backendHttpSettingsCollection
| extend connectionDrainingEnabled = backendHttpSettings.properties.connectionDraining.enabled
| where connectionDrainingEnabled != true
| extend backendPoolName = backendHttpSettings.name
| project recommendationId = "10f02bc6-e2e7-004d-a2c2-f9bf9f16b915", name, id, tags, param1 = "connectionDraining: Disabled", param2 = strcat("backendSettingsName: ", backendPoolName)
Ensure Application Gateway Subnet is using a /24 subnet mask
Impact: High Category: Other Best Practices PG Verified: Verified
APRL GUID: 8364fd0a-7c0e-e240-9d95-4bf965aec243
Description:
Application Gateway v2 (Standard_v2 or WAF_v2 SKU) can support up to 125 instances. A /24 subnet isn't mandatory for deployment but is advised to provide enough space for autoscaling and maintenance upgrades.
Potential Benefits:
Allows autoscaling and maintenance
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// This query will validate the subnet id for an appGW ends with a /24
resources
| where type =~ 'Microsoft.Network/applicationGateways'
| extend subnetid = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id)
| join kind=leftouter(resources
| where type == "microsoft.network/virtualnetworks"
| mv-expand properties.subnets
| extend subnetid = tostring(properties_subnets.id)
| extend addressprefix = tostring(properties_subnets.properties.addressPrefix)
| project subnetid, addressprefix) on subnetid
| where addressprefix !endswith '/24'
| project recommendationId = "8364fd0a-7c0e-e240-9d95-4bf965aec243", name, id, tags, param1 = strcat('AppGW subnet prefix: ', addressprefix)