virtualNetworkGateways
Summary
Details
Connect ExpressRoute gateway with circuits from diverse peering locations
Impact: High Category: High Availability
APRL GUID: d37db635-157f-584d-9bce-4f6fc8c65ce5
Description:
For improved reliability, each ExpressRoute gateway should connect to at least two circuits, with each circuit sourced from a different peering location. This setup ensures diverse connectivity paths, enhancing resilience and minimizing service disruption risks.
Potential Benefits:
Enhanced resilience through diverse connectivity paths
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Provides a list of ExpressRoute Gateways that are not connected to two or more ExpressRoute Circuits. Baremetal circuits are excluded from consideration
//This query assumes that the running entity has visibilty to the gateway, connection, and circuit scopes.
//Start with a full list of gateways
(resources
| where type == "microsoft.network/virtualnetworkgateways"
| where properties.gatewayType == "ExpressRoute"
| extend exrGatewayId = tolower(tostring(id))
| join kind=inner(
resources
| where type == "microsoft.network/virtualnetworkgateways"
| where properties.gatewayType == "ExpressRoute"
| extend exrGatewayId = tolower(tostring(id))
| join kind=leftouter(
//connections joined with circuit peer info
resources
| where type == "microsoft.network/connections"
| extend connectionType = properties.connectionType
| extend exrGatewayId = tolower(tostring(properties.virtualNetworkGateway1.id))
| extend peerId = tolower(tostring(properties.peer.id))
| extend connectionId = tolower(tostring(id))
| where connectionType == "ExpressRoute"
| join kind=leftouter(
resources
| where type == "microsoft.network/expressroutecircuits"
//should this be location instead of peeringLocation
| extend circuitId = tolower(tostring(id))
| extend peeringLocation = tostring(properties.serviceProviderProperties.peeringLocation)
| extend peerId = tolower(id)
) on peerId ) on exrGatewayId
//remove bare metal services connections/circuits
| where not(isnotnull(connectionId) and isnull(sku1))
//group by gateway ID's and peering locations
| summarize by exrGatewayId, peeringLocation
//summarize to connections with fewer than two unique connections
| summarize connCount = count() by exrGatewayId
| where connCount < 2) on exrGatewayId
| project recommendationId = "d37db635-157f-584d-9bce-4f6fc8c65ce5", name, id, tags, param1 = "twoOrMoreCircuitsConnectedFromDifferentPeeringLocations: false")
| union
(
resources
| where type == "microsoft.network/virtualnetworkgateways"
| where properties.gatewayType == "ExpressRoute"
| extend exrGatewayId = tolower(tostring(id))
| join kind=leftouter(
//connections joined with circuit peer info
resources
| where type == "microsoft.network/connections"
| extend connectionType = properties.connectionType
| extend exrGatewayId = tolower(tostring(properties.virtualNetworkGateway1.id))
| extend peerId = tolower(tostring(properties.peer.id))
| extend connectionId = tolower(tostring(id))
| where connectionType == "ExpressRoute") on exrGatewayId
| where isnull(connectionType)
| project recommendationId = "d37db635-157f-584d-9bce-4f6fc8c65ce5", name, id, tags, param1 = "twoOrMoreCircuitsConnectedFromDifferentPeeringLocations: false", param2 = "noConnectionsOnGateway: true"
)
Use Zone-redundant ExpressRoute gateway SKUs
Impact: High Category: High Availability
APRL GUID: bbe668b7-eb5c-c746-8b82-70afdedf0cae
Description:
Azure ExpressRoute gateway offers variable SLAs based on deployment in single or multiple availability zones. To deploy virtual network gateways across zones automatically, use zone-redundant gateways for accessing critical, scalable services with increased resilience.
Potential Benefits:
Enhanced SLA and resilience
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// For all VNGs of type ExpressRoute, show all that are not zone redundant (Zonal or Regional)
advisorresources
| where properties.recommendationTypeId =~ 'c9af1ef6-55bc-48af-bfe4-2c80490159f8' // RecommendationID from Advisor
| mv-expand resId = properties.resourceMetadata.resourceId
| extend resId = tostring(resId)
| project recId = properties.recommendationTypeId, resId
| join kind=leftouter (
resources
| extend id = tostring(id)
| project id, name, tags, location, properties
) on $left.resId == $right.id
| project recommendationId = "bbe668b7-eb5c-c746-8b82-70afdedf0cae", name , resId, tags, param1 = strcat("sku-tier: ", properties.sku.tier), param2 = location,param3 = "Non Zone-Redundant GW"
Configure an Azure Resource lock for ExpressRoute gateway to prevent accidental deletion
Impact: Medium Category: High Availability
APRL GUID: c0f23a92-d322-4d4d-97e9-a238b5e3bbb8
Description:
Configuring an Azure Resource lock for ExpressRoute gateway prevents accidental deletion by enabling administrators to lock an Azure subscription, resource group, or resource, thereby protecting them from unintended user deletions and modifications, with the lock overriding all user permissions.
Potential Benefits:
Prevents accidental deletions
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// under-development
Monitor health for ExpressRoute gateway
Impact: High Category: Monitoring and Alerting
APRL GUID: 1c34faa8-8b99-974c-adbf-71922eae943c
Description:
Use Network Insights for monitoring ExpressRoute Gateway's health, including availability, performance, and scalability.
Potential Benefits:
Enhanced monitoring and alerting
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// under-development
Avoid using ExpressRoute circuits for VNet to VNet communication
Impact: Medium Category: High Availability
APRL GUID: 194c14ac-0d7a-5a48-ae32-75fa450ee564
Description:
While multiple VNets can connect via the same ExpressRoute gateway, Microsoft recommends using alternatives like VNet peering, Azure Firewall, NVA, Azure Route Server, site-to-site VPN, virtual WAN, or SD-WAN for VNet-to-VNet communication to optimize network performance and management.
Potential Benefits:
Enhanced VNet integration efficiency
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// under-development
Configure customer-controlled ExpressRoute gateway maintenance
Impact: High Category: High Availability
APRL GUID: 3e115044-a3aa-433e-be01-ce17d67e50da
Description:
ExpressRoute gateways are updated for improved functionality, reliability, performance, and security. Customer-controlled maintenance configuration and scheduling minimize update impact and align with your maintenance windows.
Potential Benefits:
Minimizes update impact
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all Virtual Network Gateways without Maintenance Configurations
resources
| where type =~ "Microsoft.Network/virtualNetworkGateways"
| extend resourceId = tolower(id)
| join kind=leftouter (
maintenanceresources
| where type =~ "Microsoft.Maintenance/configurationAssignments"
| project JsonData = parse_json(properties)
| extend maintenanceConfigurationId = tolower(tostring(JsonData.maintenanceConfigurationId))
| join kind=inner (
resources
| where type =~ "Microsoft.Maintenance/maintenanceConfigurations"
| project maintenanceConfigurationId=tolower(id)
) on maintenanceConfigurationId
| project maintenanceConfigurationId, resourceId=tolower(tostring(JsonData.resourceId))
) on resourceId
| where isempty(maintenanceConfigurationId)
| project recommendationId = "3e115044-a3aa-433e-be01-ce17d67e50da", name, id, tags, param1= strcat("sku-tier: " , properties.sku.tier), param2=location
Choose a Zone-redundant VPN gateway
Impact: High Category: High Availability
APRL GUID: 5b1933a6-90e4-f642-a01f-e58594e5aab2
Description:
Azure VPN gateway offers variable SLAs based on deployment in one or two availability zones. Deploying zone-redundant virtual network gateways across availability zones ensures zone-resiliency, improving access to mission-critical, scalable services on Azure.
Potential Benefits:
Enhanced reliability and scalability
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// For all VNGs of type Vpn, show any that do not have AZ in the SKU tier
resources
| where type =~ "Microsoft.Network/virtualNetworkGateways"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where properties.gatewayType == "Vpn"
| where properties.sku.tier !contains 'AZ'
| project recommendationId = "5b1933a6-90e4-f642-a01f-e58594e5aab2", name, id, tags, param1= strcat("sku-tier: " , properties.sku.tier), param2=location
| order by id asc
Enable Active-Active VPN Gateways for redundancy
Impact: Medium Category: High Availability
APRL GUID: 281a2713-c0e0-3c48-b596-19f590c46671
Description:
The active-active mode is available for all SKUs except Basic, allowing for two Gateway IP configurations and two public IP addresses, enhancing redundancy and traffic handling.
Potential Benefits:
Enhanced reliability and network capacity
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Identifies non-active-active VPN type virtual network gateways
resources
| where type =~ 'Microsoft.Network/virtualNetworkGateways'
| where properties.gatewayType =~ "vpn"
| extend gatewayType = properties.gatewayType, vpnType = properties.vpnType, connections = properties.connections, activeactive=properties.activeActive
| where activeactive == false
| project recommendationId = "281a2713-c0e0-3c48-b596-19f590c46671", name, id, tags
Deploy active-active VPN concentrators on your premises for maximum resiliency with VPN gateways
Impact: High Category: Disaster Recovery
APRL GUID: af11fc4c-c06c-4f4c-b98d-6eee6d5c4c70
Description:
Deploying active-active VPN concentrators and Azure VPN Gateways maximizes resilience and availability using a fully-meshed topology with four IPSec tunnels.
Potential Benefits:
Maximizes resilience and availability
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// under-development
Monitor VPN gateway connections and health
Impact: High Category: Monitoring and Alerting
APRL GUID: 9eab120e-f6d3-ee49-ba0d-766562ce7df1
Description:
Set up monitoring and alerts for Virtual Network Gateway health to utilize a variety of metrics for ensuring operational efficiency and prompt response to any disruptions.
Potential Benefits:
Improved uptime and issue awareness
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// under-development
Enable VPN gateway service health
Impact: High Category: Monitoring and Alerting
APRL GUID: 9186dae0-7ddc-8f4b-bea5-55538cea4893
Description:
VPN gateway leverages service health to inform users about both planned and unplanned maintenance, ensuring they are notified about modifications to their VPN connectivity.
Potential Benefits:
Improves VPN maintenance alerts
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// under-development
Deploy zone-redundant VPN gateways with zone-redundant Public IP(s)
Impact: High Category: High Availability
APRL GUID: 4bae5a28-5cf4-40d9-bcf1-623d28f6d917
Description:
For zone-redundant VPN gateways, always use zone-redundant Standard SKU public IPs to avoid deploying all instances in one zone. This ensures the gateway's reliability, applying to both active-passive (single IP) and active-active (dual IP) setups.
Potential Benefits:
Enhanced reliability and disaster recovery
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Provides a list of zone-redundant Azure VPN gateways associated with non-zone-redundant Public IPs
resources
| where type =~ "Microsoft.Network/virtualNetworkGateways"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where properties.gatewayType == "Vpn"
| where properties.sku.tier contains 'AZ'
| mv-expand ipconfig = properties.ipConfigurations
| extend pipId = tostring(ipconfig.properties.publicIPAddress.id)
| join kind=inner (
resources
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where type == "microsoft.network/publicipaddresses"
| where isnull(zones) or array_length(zones) < 3 )
on $left.pipId == $right.id
| project recommendationId = "4bae5a28-5cf4-40d9-bcf1-623d28f6d917", name, id, tags, param1 = strcat("PublicIpAddressName: ", name1), param2 = strcat ("PublicIpAddressId: ",id1), param3 = strcat ("PublicIpAddressTags: ",tags1)