{
"categories": [
{
"name": "身份"
},
{
"name": "聯網"
},
{
"name": "統轄"
},
{
"name": "管理"
},
{
"name": "BCDR的"
},
{
"name": "平臺自動化"
}
],
"items": [
{
"category": "身份",
"guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
"id": "A01.01",
"service": "AVS",
"severity": "高",
"subcategory": "身份",
"text": "確保在本機 Azure 的標識訂閱中部署了 ADDS 域控制器",
"waf": "安全"
},
{
"category": "身份",
"guid": "75089c20-990d-4927-b105-885576f76fc2",
"id": "A01.02",
"service": "AVS",
"severity": "中等",
"subcategory": "身份",
"text": "確保將 ADDS 網站和服務配置為將來自基於 Azure 的資源(包括 Azure VMware 解決方案)的身份驗證請求保留到 Azure 本地",
"waf": "安全"
},
{
"category": "身份",
"guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
"id": "A01.03",
"service": "AVS",
"severity": "高",
"subcategory": "身份",
"text": "確保 vCenter 已連接到 ADDS,以啟用基於「指定用戶帳戶」的身份驗證",
"waf": "安全"
},
{
"category": "身份",
"guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
"id": "A01.04",
"service": "AVS",
"severity": "中等",
"subcategory": "身份",
"text": "確保從 vCenter 到 ADDS 的連接使用安全協定 (LDAPS)",
"waf": "安全"
},
{
"category": "身份",
"guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
"id": "A01.05",
"service": "AVS",
"severity": "中等",
"subcategory": "身份",
"text": "vCenter IdP 中的 CloudAdmin 帳戶僅用作緊急帳戶 (break-glass)",
"waf": "安全"
},
{
"category": "身份",
"guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
"id": "A01.06",
"service": "AVS",
"severity": "高",
"subcategory": "身份",
"text": "確保 NSX-Manager 與外部身份提供程式 (LDAPS) 集成",
"waf": "安全"
},
{
"category": "身份",
"guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
"id": "A01.07",
"service": "AVS",
"severity": "中等",
"subcategory": "身份",
"text": "是否已創建 RBAC 模型以在 VMware vSphere 中使用",
"waf": "安全"
},
{
"category": "身份",
"guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
"id": "A01.08",
"service": "AVS",
"severity": "中等",
"subcategory": "身份",
"text": "RBAC 許可權應授予 ADDS 組,而不是特定使用者",
"waf": "安全"
},
{
"category": "身份",
"guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
"id": "A01.09",
"service": "AVS",
"severity": "高",
"subcategory": "身份",
"text": "Azure 中 Azure VMware 解決方案資源的 RBAC 許可權僅「鎖定」為一組有限的擁有者",
"waf": "安全"
},
{
"category": "身份",
"guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
"id": "A01.10",
"service": "AVS",
"severity": "高",
"subcategory": "身份",
"text": "確保所有自定義角色的範圍都具有 CloudAdmin 允許的授權",
"waf": "安全"
},
{
"category": "聯網",
"guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510",
"id": "B01.01",
"link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking",
"service": "AVS",
"severity": "高",
"subcategory": "建築",
"text": "是否為手頭的客戶用例選擇了正確的 Azure VMware 解決方案連接模型",
"waf": "性能"
},
{
"category": "聯網",
"guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
"id": "B02.01",
"service": "AVS",
"severity": "高",
"subcategory": "監測",
"text": "確保使用「連接監視器」監視從本地到 Azure 的 ExpressRoute 或 VPN 連接",
"waf": "操作"
},
{
"category": "聯網",
"guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
"id": "B02.02",
"service": "AVS",
"severity": "中等",
"subcategory": "監測",
"text": "確保創建從 Azure 本機資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視 Azure VMware 解決方案後端 ExpressRoute 連接",
"waf": "操作"
},
{
"category": "聯網",
"guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
"id": "B02.03",
"service": "AVS",
"severity": "中等",
"subcategory": "監測",
"text": "確保創建從本地資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視端到端連接",
"waf": "操作"
},
{
"category": "聯網",
"guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
"id": "B03.01",
"service": "AVS",
"severity": "高",
"subcategory": "路由",
"text": "使用路由伺服器時,請確保從路由伺服器到 ExR 閘道再到本地的路由不超過 1000 個(ARS 限制)。",
"waf": "操作"
},
{
"category": "統轄",
"guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
"id": "C01.01",
"service": "AVS",
"severity": "高",
"subcategory": "安全性(標識)",
"text": "是否為在 Azure 門戶中管理 Azure VMware 解決方案資源的角色實現了 Privileged Identity Management(不允許長期許可權)",
"waf": "安全"
},
{
"category": "統轄",
"guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
"id": "C01.02",
"service": "AVS",
"severity": "高",
"subcategory": "安全性(標識)",
"text": "應為 Azure VMware 解決方案 PIM 角色實現 Privileged Identity Management 審核報告",
"waf": "安全"
},
{
"category": "統轄",
"guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
"id": "C01.03",
"service": "AVS",
"severity": "中等",
"subcategory": "安全性(標識)",
"text": "如果使用 Privileged Identity Management,請確保使用有效的 SMTP 記錄創建啟用了 Entra ID 的有效帳戶,以便接收 Azure VMware 解決方案自動主機更換通知。(需要長期許可)",
"waf": "安全"
},
{
"category": "統轄",
"guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
"id": "C01.04",
"service": "AVS",
"severity": "高",
"subcategory": "安全性(標識)",
"text": "將 CloudAdmin 帳戶的使用限制為僅緊急訪問",
"waf": "安全"
},
{
"category": "統轄",
"guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
"id": "C01.05",
"service": "AVS",
"severity": "中等",
"subcategory": "安全性(標識)",
"text": "在 vCenter 中創建自定義 RBAC 角色,以在 vCenter 中實施最小特權模型",
"waf": "安全"
},
{
"category": "統轄",
"guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
"id": "C01.06",
"service": "AVS",
"severity": "中等",
"subcategory": "安全性(標識)",
"text": "是否已定義定期輪換 cloudadmin (vCenter) 和管理員 (NSX) 憑據的流程",
"waf": "安全"
},
{
"category": "統轄",
"guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
"id": "C01.07",
"service": "AVS",
"severity": "高",
"subcategory": "安全性(標識)",
"text": "使用集中式識別提供者用於在 Azure VMware 解決方案上運行的工作負載 (VM)",
"waf": "安全"
},
{
"category": "統轄",
"guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
"id": "C02.01",
"service": "AVS",
"severity": "中等",
"subcategory": "安全(網路)",
"text": "是否在 NSX-T 中實施了東西向流量篩選",
"waf": "安全"
},
{
"category": "統轄",
"guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
"id": "C02.02",
"service": "AVS",
"severity": "高",
"subcategory": "安全(網路)",
"text": "Azure VMware 解決方案上的工作負載不會直接向 Internet 公開。流量由 Azure 應用程式閘道、Azure 防火牆或第三方解決方案進行篩選和檢查",
"waf": "安全"
},
{
"category": "統轄",
"guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
"id": "C02.03",
"service": "AVS",
"severity": "高",
"subcategory": "安全(網路)",
"text": "對 Azure VMware 解決方案和基於 Azure VMware 解決方案的工作負載的入站 Internet 請求實施審核和日誌記錄",
"waf": "安全"
},
{
"category": "統轄",
"guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
"id": "C02.04",
"service": "AVS",
"severity": "中等",
"subcategory": "安全(網路)",
"text": "對來自 Azure VMware 解決方案或基於 Azure VMware 解決方案的工作負載的出站 Internet 連接實施會話監視,以識別可疑/惡意活動",
"waf": "安全"
},
{
"category": "統轄",
"guid": "334fdf91-c234-4182-a652-75269440b4be",
"id": "C02.05",
"service": "AVS",
"severity": "中等",
"subcategory": "安全(網路)",
"text": "是否在 Azure 的 ExR/VPN 閘道子網上啟用了 DDoS 標準防護",
"waf": "安全"
},
{
"category": "統轄",
"guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
"id": "C02.06",
"service": "AVS",
"severity": "中等",
"subcategory": "安全(網路)",
"text": "使用專用特權訪問工作站 (PAW) 管理 Azure VMware 解決方案、vCenter、NSX Manager 和 HCX Manager",
"waf": "安全"
},
{
"category": "統轄",
"guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
"id": "C03.01",
"service": "AVS",
"severity": "中等",
"subcategory": "安全性(來賓/VM)",
"text": "為 Azure VMware 解決方案上運行的工作負載啟用高級威脅檢測(Microsoft Defender for Cloud,又名 ASC)",
"waf": "安全"
},
{
"category": "統轄",
"guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
"id": "C03.02",
"service": "AVS",
"severity": "中等",
"subcategory": "安全性(來賓/VM)",
"text": "使用適用於伺服器的 Azure ARC 使用 Azure 本機技術正確管理在 Azure VMware 解決方案上運行的工作負載(適用於 Azure VMware 解決方案的 Azure ARC 尚不可用)",
"waf": "安全"
},
{
"category": "統轄",
"guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
"id": "C03.03",
"service": "AVS",
"severity": "低",
"subcategory": "安全性(來賓/VM)",
"text": "確保 Azure VMware 解決方案上的工作負載在運行時使用足夠的數據加密(如來賓內磁碟加密和 SQL TDE)。(vSAN 靜態加密為預設加密)",
"waf": "安全"
},
{
"category": "統轄",
"guid": "a3592718-e6e2-4051-9267-6ae46691e883",
"id": "C03.04",
"service": "AVS",
"severity": "低",
"subcategory": "安全性(來賓/VM)",
"text": "使用來賓內加密時,請盡可能將加密密鑰存儲在 Azure Key Vault 中",
"waf": "安全"
},
{
"category": "統轄",
"guid": "5ac94222-3e13-4810-9230-81a941741583",
"id": "C03.05",
"service": "AVS",
"severity": "中等",
"subcategory": "安全性(來賓/VM)",
"text": "請考慮對 Azure VMware 解決方案上運行的工作負載使用擴展的安全更新支援(Azure VMware 解決方案符合 ESU 條件)",
"waf": "安全"
},
{
"category": "統轄",
"guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
"id": "C04.01",
"service": "AVS",
"severity": "高",
"subcategory": "治理(平臺)",
"text": "確保使用適當的 vSAN 資料冗餘方法(RAID 規範)",
"waf": "可靠性"
},
{
"category": "統轄",
"guid": "d88408f3-7273-44c8-96ba-280214590146",
"id": "C04.02",
"service": "AVS",
"severity": "高",
"subcategory": "治理(平臺)",
"text": "確保允許失敗策略已到位,以滿足您的 vSAN 儲存需求",
"waf": "可靠性"
},
{
"category": "統轄",
"guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
"id": "C04.03",
"service": "AVS",
"severity": "高",
"subcategory": "治理(平臺)",
"text": "確保已請求足夠的配額,確保已考慮增長和災難恢復要求",
"waf": "可靠性"
},
{
"category": "統轄",
"guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
"id": "C04.04",
"service": "AVS",
"severity": "中等",
"subcategory": "治理(平臺)",
"text": "確保瞭解對 ESXi 的訪問限制,因為這些限制可能影響第三方解決方案。",
"waf": "操作"
},
{
"category": "統轄",
"guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
"id": "C04.05",
"service": "AVS",
"severity": "中等",
"subcategory": "治理(平臺)",
"text": "確保您制定了有關ESXi主機密度和效率的策略,並牢記請求新節點的提前期",
"waf": "操作"
},
{
"category": "統轄",
"guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
"id": "C04.06",
"service": "AVS",
"severity": "中等",
"subcategory": "治理(平臺)",
"text": "確保 Azure VMware 解決方案的良好成本管理流程已到位 - 可以使用 Azure 成本管理",
"waf": "成本"
},
{
"category": "統轄",
"guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
"id": "C04.07",
"service": "AVS",
"severity": "低",
"subcategory": "治理(平臺)",
"text": "Azure 預留實例是否用於優化使用 Azure VMware 解決方案的成本",
"waf": "成本"
},
{
"category": "統轄",
"guid": "6691e883-5ac9-4422-83e1-3810523081a9",
"id": "C04.08",
"service": "AVS",
"severity": "中等",
"subcategory": "治理(平臺)",
"text": "使用其他 Azure 本機服務時,請考慮使用 Azure 專用連結",
"waf": "安全"
},
{
"category": "統轄",
"guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
"id": "C04.09",
"service": "AVS",
"severity": "高",
"subcategory": "治理(平臺)",
"text": "確保所有必需的資源都駐留在同一個 Azure 可用性區域中",
"waf": "性能"
},
{
"category": "統轄",
"guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
"id": "C05.01",
"service": "AVS",
"severity": "中等",
"subcategory": "治理(來賓/VM)",
"text": "為 Azure VMware 解決方案來賓 VM 工作負載啟用 Microsoft Defender for Cloud",
"waf": "安全"
},
{
"category": "統轄",
"guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
"id": "C05.02",
"service": "AVS",
"severity": "中等",
"subcategory": "治理(來賓/VM)",
"text": "使用已啟用 Azure Arc 的伺服器管理 Azure VMware 解決方案來賓 VM 工作負載",
"waf": "安全"
},
{
"category": "統轄",
"guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
"id": "C05.03",
"service": "AVS",
"severity": "高",
"subcategory": "治理(來賓/VM)",
"text": "在 Azure VMware 解決方案上啟用診斷和指標日誌記錄",
"waf": "操作"
},
{
"category": "統轄",
"guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
"id": "C05.04",
"service": "AVS",
"severity": "中等",
"subcategory": "治理(來賓/VM)",
"text": "將Log Analytics代理部署到 Azure VMware 解決方案來賓 VM 工作負載",
"waf": "操作"
},
{
"category": "統轄",
"guid": "589d457a-927c-4397-9d11-02cad6aae11e",
"id": "C05.05",
"service": "AVS",
"severity": "中等",
"subcategory": "治理(來賓/VM)",
"text": "確保已針對 Azure VMware 解決方案 VM 工作負載記錄並實施了備份策略和解決方案",
"waf": "操作"
},
{
"category": "統轄",
"guid": "ee29711b-d352-4caa-ab79-b198dab81932",
"id": "C06.01",
"service": "AVS",
"severity": "中等",
"subcategory": "合規",
"text": "使用 Microsoft Defender for Cloud 對 Azure VMware 解決方案上運行的工作負載進行合規性監視",
"waf": "安全"
},
{
"category": "統轄",
"guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
"id": "C06.02",
"service": "AVS",
"severity": "中等",
"subcategory": "合規",
"text": "是否將適用的合規性基線添加到 Microsoft Defender for Cloud",
"waf": "安全"
},
{
"category": "統轄",
"guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
"id": "C06.03",
"service": "AVS",
"severity": "高",
"subcategory": "合規",
"text": "在選擇要用於 Azure VMware 解決方案部署的 Azure 區域時是否評估了數據駐留",
"waf": "安全"
},
{
"category": "統轄",
"guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
"id": "C06.04",
"service": "AVS",
"severity": "高",
"subcategory": "合規",
"text": "數據處理影響(服務提供者/服務消費者模型)是否清晰且有據可查",
"waf": "安全"
},
{
"category": "統轄",
"guid": "547c1747-dc56-4068-a714-435cd19dd244",
"id": "C06.05",
"service": "AVS",
"severity": "中等",
"subcategory": "合規",
"text": "僅當出於合規性原因需要時,才考慮將CMK(客戶管理的密鑰)用於 vSAN。",
"waf": "安全"
},
{
"category": "管理",
"guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
"id": "D01.01",
"service": "AVS",
"severity": "高",
"subcategory": "監測",
"text": "創建儀錶板以啟用核心 Azure VMware 解決方案監視見解",
"waf": "操作"
},
{
"category": "管理",
"guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
"id": "D01.02",
"service": "AVS",
"severity": "高",
"subcategory": "監測",
"text": "針對 Azure VMware 解決方案性能(CPU >80%、平均記憶體 >80%、vSAN >70%)自動警報的關鍵閾值創建警告警報",
"waf": "操作"
},
{
"category": "管理",
"guid": "9659e396-80e7-4828-ac93-5657d02bff45",
"id": "D01.03",
"service": "AVS",
"severity": "高",
"subcategory": "監測",
"text": "確保創建嚴重警示以監控 vSAN 消耗量是否低於 75%,因為這是 VMware 的支援閾值",
"waf": "操作"
},
{
"category": "管理",
"guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
"id": "D01.04",
"service": "AVS",
"severity": "高",
"subcategory": "監測",
"text": "確保為 Azure 服務運行狀況警報和通知配置警報",
"waf": "操作"
},
{
"category": "管理",
"guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
"id": "D01.05",
"service": "AVS",
"severity": "中等",
"subcategory": "監測",
"text": "將 Azure VMware 解決方案記錄設定為發送到 Azure 儲存帳戶或 Azure EventHub 進行處理",
"waf": "操作"
},
{
"category": "管理",
"guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
"id": "D01.06",
"service": "AVS",
"severity": "低",
"subcategory": "監測",
"text": "如果需要深入瞭解 VMware vSphere:解決方案中是否使用了 vRealize Operations 和/或 vRealize Network Insights?",
"waf": "操作"
},
{
"category": "管理",
"guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
"id": "D02.01",
"service": "AVS",
"severity": "高",
"subcategory": "操作",
"text": "確保虛擬機的 vSAN 儲存策略不是預設存儲策略,因為此策略應用厚置備",
"waf": "操作"
},
{
"category": "管理",
"guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
"id": "D02.02",
"service": "AVS",
"severity": "中等",
"subcategory": "操作",
"text": "確保未將 vSphere 內容庫放置在 vSAN 上,因為 vSAN 是有限的資源",
"waf": "操作"
},
{
"category": "管理",
"guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
"id": "D02.03",
"service": "AVS",
"severity": "中等",
"subcategory": "操作",
"text": "確保備份解決方案的數據存儲庫存儲在 vSAN 儲存之外。在 Azure 本機或磁碟池支持的數據存儲中",
"waf": "操作"
},
{
"category": "管理",
"guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
"id": "D02.04",
"service": "AVS",
"severity": "中等",
"subcategory": "操作",
"text": "確保對在 Azure VMware 解決方案上運行的工作負載使用 Azure Arc for Servers 進行混合管理(Arc for Azure VMware 解決方案處於預覽狀態)",
"waf": "操作"
},
{
"category": "管理",
"guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
"id": "D02.05",
"service": "AVS",
"severity": "中等",
"subcategory": "操作",
"text": "確保使用 Azure Log Analytics 和 Azure Monitor 監視在 Azure VMware 解決方案上運行的工作負載",
"waf": "操作"
},
{
"category": "管理",
"guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
"id": "D02.06",
"service": "AVS",
"severity": "中等",
"subcategory": "操作",
"text": "在現有更新管理工具或 Azure 更新管理中包括在 Azure VMware 解決方案上運行的工作負載",
"waf": "操作"
},
{
"category": "管理",
"guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
"id": "D02.07",
"service": "AVS",
"severity": "中等",
"subcategory": "操作",
"text": "使用 Azure Policy 在 Azure 管理、監視和安全解決方案中加入 Azure VMware 解決方案工作負載",
"waf": "操作"
},
{
"category": "管理",
"guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
"id": "D03.01",
"service": "AVS",
"severity": "中等",
"subcategory": "安全",
"text": "確保在 Azure VMware 解決方案上運行的工作負載已載入 Microsoft Defender for Cloud",
"waf": "安全"
},
{
"category": "BCDR的",
"guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
"id": "E01.01",
"service": "AVS",
"severity": "中等",
"subcategory": "備份",
"text": "確保備份不存儲在 vSAN 上,因為 vSAN 是有限的資源",
"waf": "可靠性"
},
{
"category": "BCDR的",
"guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
"id": "E02.01",
"service": "AVS",
"severity": "中等",
"subcategory": "災難恢復",
"text": "是否考慮了所有災難恢復解決方案,並決定了最適合您業務的解決方案?[SRM/JetStream/Zerto/Veeam/...]",
"waf": "可靠性"
},
{
"category": "BCDR的",
"guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
"id": "E02.02",
"service": "AVS",
"severity": "中等",
"subcategory": "災難恢復",
"text": "當災難恢復技術是本機 Azure IaaS 時,請使用 Azure Site Recovery",
"waf": "可靠性"
},
{
"category": "BCDR的",
"guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
"id": "E02.03",
"service": "AVS",
"severity": "高",
"subcategory": "災難恢復",
"text": "將自動恢復計劃與任一災難解決方案結合使用,盡可能避免手動任務",
"waf": "可靠性"
},
{
"category": "BCDR的",
"guid": "8255461e-2aee-4345-9aec-8339248b262d",
"id": "E02.04",
"service": "AVS",
"severity": "中等",
"subcategory": "災難恢復",
"text": "使用地緣政治區域對作為輔助災難恢復環境",
"waf": "可靠性"
},
{
"category": "BCDR的",
"guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
"id": "E02.05",
"service": "AVS",
"severity": "高",
"subcategory": "災難恢復",
"text": "在區域之間使用 2 個不同的地址空間,例如:10.0.0.0/16 和 192.168.0.0/16 用於不同的區域",
"waf": "可靠性"
},
{
"category": "BCDR的",
"guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
"id": "E02.06",
"service": "AVS",
"severity": "中等",
"subcategory": "災難恢復",
"text": "ExpressRoute Global Reach 是用於主 Azure VMware 解決方案私有雲和輔助 Azure VMware 解決方案私有雲之間的連接,還是通過網路虛擬設備完成路由?",
"waf": "可靠性"
},
{
"category": "BCDR的",
"guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
"id": "E03.01",
"service": "AVS",
"severity": "中等",
"subcategory": "業務連續性",
"text": "是否考慮了所有備份解決方案,並決定了最適合您業務的解決方案?[MABS/CommVault/Metallic.io/Veeam/...]",
"waf": "可靠性"
},
{
"category": "BCDR的",
"guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
"id": "E03.02",
"service": "AVS",
"severity": "中等",
"subcategory": "業務連續性",
"text": "將備份解決方案部署在與 Azure VMware 解決方案私有雲相同的區域中",
"waf": "可靠性"
},
{
"category": "BCDR的",
"guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
"id": "E03.03",
"service": "AVS",
"severity": "中等",
"subcategory": "業務連續性",
"text": "在 vSAN 外部的 Azure 本機組件上部署備份解決方案",
"waf": "可靠性"
},
{
"category": "BCDR的",
"guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
"id": "E03.04",
"service": "AVS",
"severity": "低",
"subcategory": "業務連續性",
"text": "是否已制定請求還原由 Azure 平臺管理的 VMware 元件的流程?",
"waf": "可靠性"
},
{
"category": "平臺自動化",
"guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
"id": "F01.01",
"service": "AVS",
"severity": "低",
"subcategory": "部署策略",
"text": "對於手動部署,必須記錄所有配置和部署",
"waf": "操作"
},
{
"category": "平臺自動化",
"guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
"id": "F01.02",
"service": "AVS",
"severity": "低",
"subcategory": "部署策略",
"text": "對於手動部署,請考慮實施資源鎖,以防止對 Azure VMware 解決方案私有雲執行意外操作",
"waf": "操作"
},
{
"category": "平臺自動化",
"guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
"id": "F02.01",
"service": "AVS",
"severity": "低",
"subcategory": "自動部署",
"text": "對於自動化部署,請部署最小的私有雲並根據需要進行擴展",
"waf": "操作"
},
{
"category": "平臺自動化",
"guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
"id": "F02.02",
"service": "AVS",
"severity": "低",
"subcategory": "自動部署",
"text": "對於自動部署,請在開始部署之前請求或預留配額",
"waf": "操作"
},
{
"category": "平臺自動化",
"guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
"id": "F02.03",
"service": "AVS",
"severity": "低",
"subcategory": "自動部署",
"text": "對於自動部署,請確保通過自動化或 Azure Policy 創建相關資源鎖,以便進行適當的治理",
"waf": "操作"
},
{
"category": "平臺自動化",
"guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
"id": "F03.01",
"service": "AVS",
"severity": "低",
"subcategory": "自動連接",
"text": "為 ExR 授權金鑰實現人類可理解的名稱,以便輕鬆識別密鑰的目的/用途",
"waf": "操作"
},
{
"category": "平臺自動化",
"guid": "255461e2-aee3-4553-afc8-339248b262d6",
"id": "F03.02",
"service": "AVS",
"severity": "低",
"subcategory": "自動連接",
"text": "當使用單獨的服務原則部署 Azure VMware 解決方案和 ExpressRoute 時,請使用 Key Vault 儲存機密和授權密鑰",
"waf": "操作"
},
{
"category": "平臺自動化",
"guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
"id": "F03.03",
"service": "AVS",
"severity": "低",
"subcategory": "自動連接",
"text": "當需要在 Azure VMware 解決方案中/上部署許多資源時,定義用於在 IaC 中序列化操作的資源依賴項,因為 Azure VMware 解決方案僅支援有限數量的並行操作。",
"waf": "操作"
},
{
"category": "平臺自動化",
"guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3",
"id": "F03.04",
"service": "AVS",
"severity": "低",
"subcategory": "自動連接",
"text": "使用單個 Tier-1 閘道執行 NSX-T 分段的自動配置時,請使用 Azure 門戶 API 而不是 NSX-Manager API",
"waf": "操作"
},
{
"category": "平臺自動化",
"guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
"id": "F04.01",
"service": "AVS",
"severity": "中等",
"subcategory": "自動縮放",
"text": "打算使用自動橫向擴展時,請務必為運行 Azure VMware 解決方案的訂閱申請足夠的 Azure VMware 解決方案配額",
"waf": "性能"
},
{
"category": "平臺自動化",
"guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
"id": "F04.02",
"service": "AVS",
"severity": "中等",
"subcategory": "自動縮放",
"text": "打算使用自動縮減時,請務必在執行此操作之前考慮存儲策略要求",
"waf": "性能"
},
{
"category": "平臺自動化",
"guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82",
"id": "F04.03",
"service": "AVS",
"severity": "中等",
"subcategory": "自動縮放",
"text": "擴展操作始終需要在單個 SDDC 中序列化,因為一次只能執行一個擴展操作(即使使用多個集群也是如此)",
"waf": "性能"
},
{
"category": "平臺自動化",
"guid": "bf15bce2-19e4-4a0e-a588-79424d226786",
"id": "F04.04",
"service": "AVS",
"severity": "中等",
"subcategory": "自動縮放",
"text": "考慮並驗證體系結構中使用的第三方解決方案的縮放操作(支援與否)",
"waf": "性能"
},
{
"category": "平臺自動化",
"guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29",
"id": "F04.05",
"service": "AVS",
"severity": "中等",
"subcategory": "自動縮放",
"text": "在自動化中為環境定義和強制實施橫向擴展/橫向縮減的最大限制",
"waf": "性能"
},
{
"category": "平臺自動化",
"guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
"id": "F04.06",
"service": "AVS",
"severity": "中等",
"subcategory": "自動縮放",
"text": "實施監控規則以監控自動擴展操作,並監控成功和失敗,以啟用適當的(自動化)回應",
"waf": "操作"
},
{
"category": "遷移",
"guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5",
"id": "G01.01",
"link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
"service": "AVS",
"severity": "高",
"subcategory": "建築",
"text": "使用 MON 時,請注意同時配置的 VM 的限制(HCX 的 MON 限制 [400 - 標準,1000 - 大型設備])",
"training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
"waf": "可靠性"
},
{
"category": "遷移",
"guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e",
"id": "G01.02",
"link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
"service": "AVS",
"severity": "高",
"subcategory": "建築",
"text": "使用 MON 時,不能在超過 100 個網路分機上啟用 MON",
"training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
"waf": "可靠性"
},
{
"category": "遷移",
"guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf",
"id": "G02.01",
"service": "AVS",
"severity": "中等",
"subcategory": "聯網",
"text": "如果使用 VPN 連接進行遷移,請相應地調整 MTU 大小。",
"waf": "性能"
},
{
"category": "遷移",
"guid": "e614658d-d457-4e92-9139-b821102cad6e",
"id": "G02.02",
"service": "AVS",
"severity": "中等",
"subcategory": "聯網",
"text": "對於連接到 Azure(500Mbps 或更低)的低連接區域,請考慮部署 HCX WAN 優化設備",
"waf": "性能"
},
{
"category": "遷移",
"guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521",
"id": "G03.01",
"service": "AVS",
"severity": "中等",
"subcategory": "過程",
"text": "確保從本地裝置啟動遷移,而不是從雲端裝置啟動遷移(不要執行反向遷移)",
"waf": "可靠性"
},
{
"category": "數據存儲",
"guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202",