docs: update APRL for vWAN recommendations

azure-resources/Network/expressRouteGateways/kql/17e8d380-e4b4-41a1-9b37-2e4df9fd5125.kql

@@ -1 +1,28 @@
-// under-development
+// Azure Resource Graph Query
+// Find what Express Route Gateways do not have Monitoring Enabled on a Virtual Hub
+
+resources
+| where type =~ "Microsoft.Network/expressRouteGateways"
+| extend ergwId = tolower(tostring(id)), ergwName = name, ergwTags = tags, ergwLocation = location, vhubId = tolower(tostring(properties.virtualHub.id))
+| join kind=leftouter (
+    resources
+    | where type =~ "microsoft.insights/metricalerts"
+    | mv-expand scope = properties.scopes
+    | where scope has "Microsoft.Network/expressRouteGateways"
+    | extend scope = tolower(tostring(scope))
+    | project scope
+) on $left.ergwId == $right.scope
+| where strlen(scope) == 0
+| join kind=leftouter (
+    resources
+    | where type =~ "Microsoft.Network/virtualHubs"
+    | where ['kind'] != 'RouteServer'
+    | extend vhubId = tolower(tostring(id)), vhubName = name, vwanId = tolower(tostring(properties.virtualWan.id))
+) on $left.vhubId == $right.vhubId
+| join kind=leftouter (
+    resources
+    | where type =~ "Microsoft.Network/virtualWans"
+    | extend vwanId = tolower(tostring(id)), vwanName = name
+) on $left.vwanId == $right.vwanId
+| project recommendationId = "17e8d380-e4b4-41a1-9b37-2e4df9fd5125", ergwName, ergwId, ergwTags, param1=strcat("vHub Name: ", vhubName), param2=strcat("vWAN Name: ", vwanName)
+

azure-resources/Network/expressRouteGateways/kql/560a76a7-8f64-4ce3-ad27-d174468861a1.kql

@@ -0,0 +1,21 @@
+// Azure Resource Graph Query
+// Find what Express Route Gateways have allow Non Virtual Wan Traffic enabled
+
+resources
+| where type =~ "Microsoft.Network/expressRouteGateways"
+| where properties.allowNonVirtualWanTraffic == "true"
+| extend ergwId = tolower(tostring(id)), ergwName = name, ergwTags = tags, ergwLocation = location, vhubId = tolower(tostring(properties.virtualHub.id))
+| join kind=leftouter (
+    resources
+    | where type =~ "Microsoft.Network/virtualHubs"
+    | where ['kind'] != 'RouteServer'
+    | extend vhubId = tolower(tostring(id)), vhubName = name, vwanId = tolower(tostring(properties.virtualWan.id))
+) on $left.vhubId == $right.vhubId
+| join kind=leftouter (
+    resources
+    | where type =~ "Microsoft.Network/virtualWans"
+    | extend vwanId = tolower(tostring(id)), vwanName = name
+) on $left.vwanId == $right.vwanId
+| project recommendationId = "560a76a7-8f64-4ce3-ad27-d174468861a1", ergwName, ergwId, ergwTags, param1=strcat("vHub Name: ", vhubName), param2=strcat("vWAN Name: ", vwanName)
+
+

azure-resources/Network/expressRouteGateways/recommendations.yaml

@@ -30,3 +30,24 @@
   learnMoreLink:
     - name: Virtual WAN Monitoring Best Practices
       url: "https://learn.microsoft.com/en-us/azure/virtual-wan/monitoring-best-practices#expressroute-gateway"
+
+- description: Avoid using ExpressRoute circuits for VNet to VNet communication
+  aprlGuid: 560a76a7-8f64-4ce3-ad27-d174468861a1
+  recommendationTypeId: null
+  recommendationControl: High Availability
+  recommendationImpact: Medium
+  recommendationResourceType: Microsoft.Network/expressRouteGateways
+  recommendationMetadataState: Active
+  longDescription: Avoid using ExpressRoute circuits for VNet to VNet communication. Use Virtual WAN to connect VNets in different regions. This feature is enabled at the ExpressRoute circuit level but reflected in the Virtual Wan resource.
+  potentialBenefits: Shortest path between VNETs. Avoids hairpinning traffic through on-premises.
+  pgVerified: false
+  publishedToLearn: false
+  automationAvailable: false
+  tags: null
+  learnMoreLink:
+    - name: Enable or disable VNet to Virtual WAN traffic over ExpressRoute
+      url: "https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-expressroute-portal#enable-or-disable-vnet-to-virtual-wan-traffic-over-expressroute"
+
+    - name: Customization controls for connectivity between Virtual Networks over ExpressRoute
+      url: "https://techcommunity.microsoft.com/t5/azure-networking-blog/customisation-controls-for-connectivity-between-virtual-networks/ba-p/4147722"
+

azure-resources/Network/p2sVpnGateways/kql/fd43ea32-2ccf-49a8-ada4-9a78794e3ff1.kql

@@ -1 +1,26 @@
-// under-development
+// Azure Resource Graph Query
+// Find what Point to Site Gateways do not have Monitoring Enabled on a Virtual Hub
+resources
+| where type =~ "microsoft.network/p2svpngateways"
+| extend p2sgwId = tolower(tostring(id)), p2sgwName = name, p2sgwTags = tags, p2sgwLocation = location, vhubId = tolower(tostring(properties.virtualHub.id))
+| join kind=leftouter (
+    resources
+    | where type =~ "microsoft.insights/metricalerts"
+    | mv-expand scope = properties.scopes
+    | where scope has "microsoft.network/p2svpngateways"
+    | extend scope = tolower(tostring(scope))
+    | project scope
+) on $left.p2sgwId == $right.scope
+| where isnull(scope) or strlen(scope) == 0
+| join kind=leftouter (
+    resources
+    | where type =~ "Microsoft.Network/virtualHubs"
+    | where ['kind'] != 'RouteServer'
+    | extend vhubId = tolower(tostring(id)), vhubName = name, vwanId = tolower(tostring(properties.virtualWan.id))
+) on $left.vhubId == $right.vhubId
+| join kind=leftouter (
+    resources
+    | where type =~ "Microsoft.Network/virtualWans"
+    | extend vwanId = tolower(tostring(id)), vwanName = name
+) on $left.vwanId == $right.vwanId
+| project recommendationId = "fd43ea32-2ccf-49a8-ada4-9a78794e3ff1", p2sgwName, p2sgwId, p2sgwTags, param1=strcat("vHub Name: ", vhubName), param2=strcat("vWAN Name: ", vwanName)

azure-resources/Network/virtualHubs/kql/30ec8a5e-46de-4323-87e9-a7c56b72813b.kql

@@ -0,0 +1,24 @@
+// Azure Resource Graph Query
+// Find what virtual Hubs do not have Monitoring Enabled.
+
+resources
+| where type =~ "Microsoft.Network/virtualHubs"
+| where ['kind'] != 'RouteServer'
+| extend hubId = tolower(tostring(id)), hubName = name, hubTags = tags, hubLocation = location, vwanId = tolower(tostring(properties.virtualWan.id))
+| join kind=leftouter (
+    resources
+    | where type =~ "microsoft.insights/metricalerts"
+    | mv-expand scope = properties.scopes
+    | where scope has "Microsoft.Network/virtualHubs"
+    | where ['kind'] != 'RouteServer'
+    | extend scope = tolower(tostring(scope))
+    | project scope
+) on $left.hubId == $right.scope
+| where strlen(scope) == 0
+| join kind=leftouter (
+    resources
+    | where type =~ "Microsoft.Network/virtualWans"
+    | extend vwanId = tolower(tostring(id)), vwanName = name
+    | project vwanId, vwanName
+) on $left.vwanId == $right.vwanId
+| project recommendationId = "30ec8a5e-46de-4323-87e9-a7c56b72813b", hubName, hubId, hubTags, param1=strcat("vWAN Name : ",vwanName)

azure-resources/Network/virtualHubs/kql/f29e56a1-6a80-4295-a663-1cce0ea2b10a.kql

@@ -0,0 +1,13 @@
+// Azure Resource Graph Query
+// Find all Virtual WANs with Basic SKU. This is done at the Virtual Hub Resource Provider
+
+resources
+| where type == "microsoft.network/virtualhubs"
+| extend sku = tostring(properties.sku), virtualWanId = tostring(properties.virtualWan.id)
+| where sku == "Basic"
+| join (
+    resources
+    | where type == "microsoft.network/virtualwans"
+    | project id, name, tags
+) on $left.virtualWanId == $right.id
+| project recommendationId = "f29e56a1-6a80-4295-a663-1cce0ea2b10a", name, id = virtualWanId, sku

azure-resources/Network/virtualHubs/recommendations.yaml

@@ -1,3 +1,19 @@
+- description: Migrate from Basic to Standard Virtual WAN
+  aprlGuid: f29e56a1-6a80-4295-a663-1cce0ea2b10a
+  recommendationTypeId: null
+  recommendationControl: Service Upgrade and Retirement
+  recommendationImpact: High
+  recommendationResourceType: Microsoft.Network/virtualHubs
+  recommendationMetadataState: Active
+  longDescription: Basic SKU is not recommended for critical workloads. Standard SKU provides important features Inter-hub and VNet-to-VNet transiting through the virtual hub, ExpressRoute, VPN and Point to Site Gateways, ability to deploy Azure Firewalls and NVAs.
+  potentialBenefits: Full Mesh communication and resiliency
+  pgVerified: false
+  automationAvailable: false
+  tags: null
+  learnMoreLink:
+    - name: Upgrade a virtual WAN from Basic to Standard
+      url: "https://learn.microsoft.com/en-us/azure/virtual-wan/upgrade-virtual-wan"
+
 - description: Monitor health for v-Hubs
   aprlGuid: 30ec8a5e-46de-4323-87e9-a7c56b72813b
   recommendationTypeId: null

azure-resources/Network/virtualWans/_index.md

@@ -1,7 +1,7 @@
 ---
 title: virtualWans
 geekdocCollapseSection: true
-geekdocHidden: true
+geekdocHidden: false
 ---
 
 {{< azure-resources-recommendationlist name="azure-resources-recommendationlist" >}}

azure-resources/Network/vpnGateways/kql/f0d4f766-ac19-48c4-b228-4601cc038baa.kql

@@ -1 +1,27 @@
-// under-development
+// Azure Resource Graph Query
+// Find what VPN Gateways on Virtual WAN do not have Monitoring Enabled.
+
+resources
+| where type =~ "microsoft.network/vpngateways"
+| extend vpngwId = tolower(tostring(id)), vpngwName = name, vpngwTags = tags, vpngwLocation = location, vhubId = tolower(tostring(properties.virtualHub.id))
+| join kind=leftouter (
+    resources
+    | where type =~ "microsoft.insights/metricalerts"
+    | mv-expand scope = properties.scopes
+    | where scope has "Microsoft.Network/vpnGateways"
+    | extend scope = tolower(tostring(scope))
+    | project scope
+) on $left.vpngwId == $right.scope
+| where isnull(scope) or strlen(scope) == 0
+| join kind=leftouter (
+    resources
+    | where type =~ "Microsoft.Network/virtualHubs"
+    | where ['kind'] != 'RouteServer'
+    | extend vhubId = tolower(tostring(id)), vhubName = name, vwanId = tolower(tostring(properties.virtualWan.id))
+) on $left.vhubId == $right.vhubId
+| join kind=leftouter (
+    resources
+    | where type =~ "Microsoft.Network/virtualWans"
+    | extend vwanId = tolower(tostring(id)), vwanName = name
+) on $left.vwanId == $right.vwanId
+| project recommendationId = "f0d4f766-ac19-48c4-b228-4601cc038baa", vpngwName, vpngwId, vpngwTags, param1=strcat("vHub Name: ", vhubName), param2=strcat("vWAN Name: ", vwanName)

azure-resources/Network/vpnSites/_index.md

@@ -1,7 +1,7 @@
 ---
 title: vpnSites
 geekdocCollapseSection: true
-geekdocHidden: true
+geekdocHidden: false
 ---
 
 {{< azure-resources-recommendationlist name="azure-resources-recommendationlist" >}}

azure-resources/Network/vpnSites/kql/02bdbdb8-d138-4090-951c-23e45b8700f7.kql

@@ -0,0 +1,16 @@
+// Azure Resource Graph Query
+// Find if Virtual Hub has less than one VPN Site Link
+
+resources
+| where type == "microsoft.network/vpnsites"
+| extend vpnSiteLinks = properties.vpnSiteLinks
+| mv-expand vpnSiteLink = vpnSiteLinks
+| extend virtualWanId = tostring(properties.virtualWan.id)
+| summarize vpnSiteLinksCount = count() by virtualWanId
+| where vpnSiteLinksCount < 2
+| join (
+    resources
+    | where type == "microsoft.network/virtualwans"
+    | project id, name, tags
+) on $left.virtualWanId == $right.id
+| project recommendationId = "02bdbdb8-d138-4090-951c-23e45b8700f7", name, id = virtualWanId, tags, param1 = vpnSiteLinksCount

azure-resources/Network/vpnSites/recommendations.yaml

@@ -0,0 +1,17 @@
+- description: Configure diverse VPN Site links to different VPN concentrators on-premises.
+  aprlGuid: 02bdbdb8-d138-4090-951c-23e45b8700f7
+  recommendationTypeId: null
+  recommendationControl: Disaster Recovery
+  recommendationImpact: Medium
+  recommendationResourceType: Microsoft.Network/vpnSites
+  recommendationMetadataState: Active
+  longDescription: Deploying active-active VPN concentrators leverages the High Availability capabilities of the VPN Gateway on Virtual Hubs using a fully-meshed topology with four IPSec tunnels.
+  potentialBenefits: Fault tolerance and high availability.
+  pgVerified: false
+  publishedToLearn: false
+  automationAvailable: false
+  tags: null
+  learnMoreLink:
+    - name: vWAN VPN Gateway Disaster Recovery
+      url: "https://learn.microsoft.com/en-us/azure/virtual-wan/disaster-recovery-design#multi-link-topology"
+