Professional Documents
Culture Documents
Review Checklist
Review Checklist
Items
Identity and Access Network Topology and Connectivity Security, Governance and Compliance
Management and Monitoring Management Group and Subscriptions Operations
Identity and Access Network Topology and Connectivity Security, Governance and Compliance
Management and Monitoring Management Group and Subscriptions Operations
188 0 0 0 0 188
Not ve
hnology)
Category
Identity a
Network To
Security,
Managemen
Managemen
Operations
50%
0%
Operations
ce and Compliance
Management Group and
High Medium Low
Operations
ce and Compliance
Management Group and
High Medium Low
Status (overall) Status (High)
Status (Medium)
Status (Low)
Not verifieOpen Closed Total Progress
15 0 0 15 0%
88 0 0 88 0%
44 0 0 44 0%
22 0 0 22 0%
16 0 0 16 0%
Not verified Open Fulfilled
3 0 0 3 0%
Not required N/A
188 0 0 188 0%
50%
Status (Medium)
Status (Low)
Review
Checklist item
Implement for emergency access or break-glass accounts to prevent tenant-wide account lockout
Enforce a RBAC model for management groups, subscriptions, resource groups and resources
Enforce Azure AD conditional-access policies for any user with rights to Azure environments
Enforce multi-factor authentication for any user with rights to the Azure environments
Enforce centralized and delegated responsibilities to manage resources deployed inside the landing zone, based
Enforce Azure AD Privileged Identity Management (PIM) to establish zero standing access and least privilege
Only use the authentication type Work or school account for all account types. Avoid using the Microsoft accoun
Only use groups to assign permissions. Add on-premises groups to the Azure-AD-only group if a group managem
Consider using Azure custom roles for the following key roles: Azure platform owner, network management, secu
If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them
If Azure Active Directory Domains Services (AADDS) is in use, deploy AADDS within the primary region because th
If AADDS in use, evaluate the compatibility of all workloads
If AD on Windows server in use, can all required resources access correct domain controller?
Consider using Azure AD Application Proxy as a VPN or reverse proxy replacement to give remote users secure a
Avoid using on-premises synced accounts for Azure AD role assignments.
Enforce reasonably flat management group hierarchy with no more than three to four levels, ideally
Enforce or appended resource tags through Azure Policy
Enforce a sandbox management group to allow users to immediately experiment with Azure
Enforce a platform management group under the root management group to support common platform policy a
Enforce a dedicated connectivity subscription in the Platform management group to host an Azure Virtual WAN h
Enforce no subscriptions are placed under the root management group
Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC author
Enforce management groups under the root-level management group to represent the types of workloads, based
Enforce a process to make resource owners aware of their roles and responsibilities, access review, budget review
Ensure that all subscription owners and IT core team are aware of subscription resource limitations as part of wor
Use Reserved Instances where appropriate to optimize cost and ensure available capacity in target regions. Enfor
Enforce a dashboard, workbook, or manual process to monitor used capacity levels
Ensure required services and features are available within the chosen deployment regions
Enforce a process for cost management
If AD on Windows Server, establish a dedicated identity subscription in the Platform management group to host
Ensure tags are used for billing and cost management
Add diagnostic settings to save your Azure Front Door WAF's logs. Regularly review the logs to check for attacks
Send Azure Front Door logs to Microsoft Sentinel. Detect attacks and integrate Front Door telemetry into your ov
Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access contro
Is the landing zone documented?
Export logs to Azure Storage if log retention requirements exceed two years. Use immutable storage with a write
Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organiz
Monitor in-guest virtual machine (VM) configuration drift using Azure Policy. Enabling guest configuration audit c
Use Update Management in Azure Automation as a long-term patching mechanism for both Windows and Linux
Use Network Watcher to proactively monitor traffic flows
Use resource locks to prevent accidental deletion of critical shared services.
Use deny policies to supplement Azure role assignments. The combination of deny policies and Azure role assign
Include service and resource health events as part of the overall platform monitoring solution. Tracking service an
Include alerts and action groups as part of the Azure Service Health platform to ensure that alerts or issues can b
Don't send raw log entries back to on-premises monitoring systems. Instead, adopt a principle that data born in A
Use a centralized Azure Monitor Log Analytics workspace to collect logs and metrics from IaaS and PaaS applicat
Use Azure Monitor Logs for insights and reporting.
When necessary, use shared storage accounts within the landing zone for Azure diagnostic extension log storage
Use Azure Monitor alerts for the generation of operational alerts.
Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to rep
Ensure to use and test native PaaS service disaster recovery capabilities.
Use Azure-native backup capabilities. Verify that partner/customer is aware of Azure Backup and all new capabilit
Ensure that monitoring requirements have been assessed and that appropriate data collection and alerting config
Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).
For secure delivery of HTTP/S apps, ensure that WAF protection and policies are enabled in your Application Gate
Ensure you are using Application Gateway v2 SKU
Use a partner NVA if you can't use Application Gateway v2 for the security of HTTP/S apps.
Deploy Azure Application Gateway v2 or partner NVAs used for inbound HTTP/S connections within the landing-
Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.
Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span Azure regions.
When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lo
Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.
If users only need access to internal applications, has Azure AD Application Proxy been considered as an alternati
To reduce the number of firewall ports open for incoming connections in your network, consider using Azure AD
When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level betwe
For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to e
Avoid combining Azure Traffic Manager and Azure Front Door.
Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs
Disable health probes when there�s only one origin in an Azure Front Door origin group.
Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of yo
Use HEAD health probes with Azure Front Door. Reduce the traffic that Front Door sends to your application.
Consider a network design based on the traditional hub-and-spoke network topology for the following scenarios
Ensure that shared services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs
When deploying partner networking technologies or NVAs, follow the partner vendor's guidance
Do not deploy inbound L7 services such as Azure Application Gateway as a shared service in the central-hub virtu
If you need transit between ExpressRoute and VPN gateways, use Azure Route Server.
For network architectures with multiple hub-and-spoke topologies across Azure regions, use Global Virtual Netw
When you deploy a hub-and-spoke network architecture in two Azure regions and transit connectivity between a
Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.
When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits and the
Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings
Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.
When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with
Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance
Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.
For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Dir
When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable Fa
Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redunda
Use ExpressRoute Global Reach to connect large offices, regional headquarters, or datacenters connected to Azu
When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction
Monitor ExpressRoute availability and utilization using built-in Azure Monitor metrics.
Use Connection Monitor for connectivity monitoring across the environment.
Don't explicitly use ExpressRoute circuits from a single peering location. Doing so creates a single point of failure
Ensure no overlapping IP address spaces across Azure regions and on-premises locations
Ensure to use IP addresses from the address allocation for private internets (RFC 1918).
Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16)
Ensure no public IP address range (CIDR block) for VNETs, especially if not owned by your organization
Avoid using overlapping IP address ranges for production and DR sites.
For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution. Crea
For environments where name resolution across Azure and on-premises is required, use existing DNS infrastructu
Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred
Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual m
Use Network Watcher packets to capture despite the limited capture window.
Use partner solutions for scenarios that require deep packet inspection.
Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/W
Use Firewall Manager with Virtual WAN to deploy and manage Azure firewalls across Virtual WAN hubs or in hub
Create a global Azure Firewall policy to govern security posture across the global network environment and assig
Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use suc
Use WAF within a landing-zone virtual network for protecting inbound HTTP/S traffic from the internet.
Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S co
When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in A
If partner NVAs are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network
Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual n
If you need private communication to PaaS services, consider the different options available.
Azure PaaS services that have been injected into a virtual network still perform management plane operations by
Use Private Link, where available, for shared Azure PaaS services.
Access Azure PaaS services from on-premises via ExpressRoute private peering. This method avoids transiting ov
Use virtual network service endpoints when Private Link isn't available
Don't enable virtual network service endpoints by default on all subnets.
Don't use virtual network service endpoints when there are data exfiltration concerns, unless you use NVA filterin
Don't implement forced tunneling to enable communication from Azure to Azure resources.
Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.
Delegate subnet creation to the landing zone owner.
Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between la
The application team should use application security groups at the subnet-level NSGs to help protect multi-tier V
Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a cen
Enable NSG flow logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.
Use NSGs to selectively allow connectivity between landing zones.
For Virtual WAN topologies, route traffic across landing zones via Azure Firewall if the organization requires filter
Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly des
Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a c
Use Virtual Hub Routing features to further segment traffic between VNets and branches.
Connect Virtual WAN hubs to on-premises datacenters by using ExpressRoute
Connect branches and remote locations to the nearest Virtual WAN hub via Site-to-Site VPN, or enable branch co
Connect users to the Virtual WAN hub via a Point-to-Site VPN.
Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via th
For outbound Internet traffic protection and filtering, deploy Azure Firewall
When deploying partner networking technologies and NVAs in VWAN, verify configuration with partner vendor's
Ensure that Azure Virtual WAN and Azure Firewall resources are created in the connectivity subscription.
Ensure that the network architecture is within the Azure Virtual WAN limits.
Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and
Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certifica
If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce th
Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new ruleset
Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Fro
Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS req
Enable the Azure Front Door WAF. Protect your application from a range of attacks.
Tune the Azure Front Door WAF for your workload. Reduce false positive detections.
Use prevention mode with the Azure Front Door WAF. Prevention mode ensures that the WAF blocks malicious re
Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.
Enable the Azure Front Door WAF bot management rules. The bot rules detect good and bad bots.
Use the latest Azure Front Door WAF ruleset versions. Ruleset updates are regularly updated to take account of th
Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending la
Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate tr
Geo-filter traffic by using the Azure Front Door WAF. Allow traffic only from expected regions, and block traffic fr
Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally b
Leverage Azure Policy
Identify required Azure tags and use the append policy mode to enforce usage.
Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.
Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherit
Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required
Use Azure Policy to control which services users can provision at the subscription/management group level
Use built-in policies where possible to minimize operational overhead.
Assign the built-in Policy Contributor role at a particular scope to enable application-level governance.
Limit the number of Azure Policy assignments made at the root management group scope to avoid managing th
Use Azure policies to automatically deploy software configurations through VM extensions and enforce a complia
Monitor VM security configuration drift via Azure Policy.
Use Azure Key Vault to store your secrets and credentials
Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict
Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for delete
Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to sp
Automate the certificate management and renewal process with public certificate authorities to ease administrati
Establish an automated process for key and certificate rotation.
Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key
Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within
Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant con
Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when
Use an Azure Key Vault per application per environment per region.
If you want to bring your own keys, this might not be supported across all considered services. Implement relevan
Use Azure AD reporting capabilities to generate access control audit reports.
Export Azure activity logs to Azure Monitor Logs for long-term data retention. Export to Azure Storage for long-t
Enable Defender for Cloud Standard for all subscriptions.
Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.
Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.
Determine the incident response plan for Azure services before allowing it into production.
Implement a zero-trust approach for access to the Azure platform, where appropriate.
Plan how new azure services will be implemented
Plan how service request will be fulfilled for Azure services
Landing Zone English
Comment
anced