waf-config.json
{ "version": "1.0.0", "description": "Azure Well-Architected Framework (WAF) Assessment Scoring Configuration", "lastUpdated": "2026-03-09", "pillars": { "reliability": { "name": "Reliability", "order": 1, "description": "Ability of a system to recover from failures and continue to function", "assessment": "How well your Landing Zone supports workload availability and resilience", "checks": [ { "id": "rel-001", "name": "Network Redundancy", "description": "Multiple VNets with peering support workload resilience", "condition": "hasMultipleVNets == true AND hasVNetPeering == true", "weight": 1, "passMessage": "✓ Network redundancy through multiple VNets with peering supports workload resilience", "failMessage": "✗ Limited network architecture - consider implementing hub-spoke for better availability" }, { "id": "rel-002", "name": "Resource Protection", "description": "Resource locks protect critical infrastructure from accidental deletion", "condition": "hasLocks == true", "weight": 1, "passMessage": "✓ Resource locks protect critical infrastructure from accidental deletion", "failMessage": "✗ No resource locks - critical resources are at risk of accidental deletion" }, { "id": "rel-003", "name": "Hybrid Connectivity", "description": "VPN or ExpressRoute provides redundant access paths", "condition": "hasVpnGateway == true OR hasExpressRoute == true", "weight": 1, "passMessage": "✓ Hybrid connectivity (VPN/ExpressRoute) provides redundant access paths", "failMessage": "⚠ No hybrid connectivity detected - may impact disaster recovery capabilities" } ] }, "security": { "name": "Security", "order": 2, "description": "Protection against security threats and data breaches", "assessment": "Evaluation of security controls and threat protection measures", "checks": [ { "id": "sec-001", "name": "Policy Enforcement", "description": "Strong policy governance for security compliance", "condition": "hasPolicyAssignments == true", "weight": 1, "passMessage": "✓ Strong policy enforcement with {policyAssignmentCount} policy assignments", "failMessage": "✗ Weak policy governance - implement Azure Policy for security compliance" }, { "id": "sec-002", "name": "Access Control", "description": "Comprehensive RBAC implementation", "condition": "hasRBAC == true", "weight": 1, "passMessage": "✓ Comprehensive RBAC with {roleAssignmentCount} role assignments", "failMessage": "✗ Limited access control - expand RBAC implementation" }, { "id": "sec-003", "name": "Network Segmentation", "description": "Network Security Groups for network-level protection", "condition": "hasNSGs == true", "weight": 1, "passMessage": "✓ Network segmentation with {nsgCount} NSGs", "failMessage": "✗ No NSGs detected - implement network-level security" }, { "id": "sec-004", "name": "Firewall Protection", "description": "Azure Firewall for centralized security filtering", "condition": "hasFirewall == true", "weight": 1, "passMessage": "✓ Azure Firewall deployed for centralized security filtering", "failMessage": "⚠ No Azure Firewall - consider deploying for egress traffic control" } ] }, "costOptimization": { "name": "Cost Optimization", "order": 3, "description": "Managing costs while maximizing cloud value", "assessment": "Cost management practices and financial governance", "checks": [ { "id": "cost-001", "name": "Budget Management", "description": "Cost controls through budget configuration", "condition": "hasBudgets == true", "weight": 1, "passMessage": "✓ Cost management with {budgetCount} budgets configured", "failMessage": "✗ Insufficient cost controls - implement budgets for all subscriptions" }, { "id": "cost-002", "name": "Cost Tracking", "description": "Resource tagging for cost allocation", "condition": "hasTags == true", "weight": 1, "passMessage": "✓ Resource tagging enables cost tracking and chargeback", "failMessage": "✗ Limited tagging - implement mandatory tags for cost allocation" }, { "id": "cost-003", "name": "SKU Controls", "description": "Policy enforcement to prevent expensive deployments", "condition": "hasPolicies == true", "weight": 1, "passMessage": "✓ Policies can prevent deployment of expensive resource SKUs", "failMessage": "⚠ No policy enforcement - consider policies for SKU restrictions" } ] }, "operationalExcellence": { "name": "Operational Excellence", "order": 4, "description": "Operations processes that keep systems running in production", "assessment": "Organizational and governance structure for operations", "checks": [ { "id": "ops-001", "name": "Management Hierarchy", "description": "Organized governance through management groups", "condition": "hasMgHierarchy == true", "weight": 1, "passMessage": "✓ Management group hierarchy ({mgCount} groups) enables organized governance", "failMessage": "✗ Flat structure - implement management group hierarchy" }, { "id": "ops-002", "name": "Subscription Strategy", "description": "Multiple subscriptions for workload isolation", "condition": "hasMultiSub == true", "weight": 1, "passMessage": "✓ Multiple subscriptions support workload isolation and scale", "failMessage": "⚠ Limited subscription strategy - consider subscription democratization" }, { "id": "ops-003", "name": "Monitoring & Logging", "description": "Diagnostic settings for observability", "condition": "hasDiagnostics == true", "weight": 1, "passMessage": "✓ Diagnostic settings enable monitoring and logging", "failMessage": "⚠ Limited observability - implement diagnostic settings" } ] }, "performanceEfficiency": { "name": "Performance Efficiency", "order": 5, "description": "Ability to scale resources to meet demand efficiently", "assessment": "Network and resource scalability capabilities", "checks": [ { "id": "perf-001", "name": "Scalable Network", "description": "Hub-spoke topology for efficient connectivity at scale", "condition": "hasVNetPeering == true AND hasMultipleVNets == true", "weight": 1, "passMessage": "✓ Hub-spoke network topology enables efficient connectivity at scale", "failMessage": "✗ Network architecture may not scale efficiently" }, { "id": "perf-002", "name": "High-Performance Connectivity", "description": "ExpressRoute for enterprise connectivity", "condition": "hasExpressRoute == true", "weight": 1, "passMessage": "✓ ExpressRoute provides high-performance hybrid connectivity", "failMessage": "⚠ No ExpressRoute - VPN may limit bandwidth for workloads" }, { "id": "perf-003", "name": "Deployment Automation", "description": "Policy automation reduces overhead", "condition": "hasPolicies == true", "weight": 1, "passMessage": "✓ Policy automation reduces deployment overhead", "failMessage": "⚠ Manual governance may slow deployment velocity" } ] } }, "thresholds": { "excellent": { "min": 80, "color": [16, 185, 129], "label": "Excellent" }, "good": { "min": 60, "color": [59, 130, 246], "label": "Good" }, "fair": { "min": 40, "color": [245, 158, 11], "label": "Fair" }, "poor": { "min": 0, "color": [239, 68, 68], "label": "Needs Improvement" } }, "notes": [ "This configuration defines the Well-Architected Framework assessment for Azure Landing Zones.", "Each pillar has checks that evaluate specific aspects of your environment.", "Scores are calculated as a percentage of passed checks per pillar.", "The overall WAF score is the average of all five pillar scores.", "You can adjust weights, conditions, and messages to match your organization's WAF interpretation." ] }