Merge pull request #313455 from mbender-ms/zero-trust-remove-includes

Networking | Maintenance | Replace INCLUDE directives with markdown links in zero-trust-network-security.md

Author: JillGrant615

articles/networking/security/includes/25535.md

@@ -13,11 +13,13 @@ ms.custom: Network-Secure-Recommendation
 # userimpact: Low
 # implementationcost: Medium
 ---
-Azure Firewall is a cloud-native network security service that provides centralized inspection, logging, and enforcement for outbound traffic. However, using Azure Firewall alone for outbound connectivity can lead to SNAT port exhaustion under high-traffic workloads. The recommendation is to deploy NAT Gateway alongside Azure Firewall — Azure Firewall handles outbound security inspection (threat intelligence filtering, intrusion detection and prevention, TLS inspection, and egress policy enforcement), while NAT Gateway provides scalable SNAT ports for the actual outbound traffic flow. In a secure network architecture, outbound traffic from VNet-integrated workloads such as VMs, AKS clusters, App Service, and Functions should be explicitly routed through Azure Firewall before reaching external services, with NAT Gateway configured on the AzureFirewallSubnet to handle outbound translation. Without this combined approach, organizations risk either uninspected outbound traffic or SNAT port exhaustion leading to dropped connections. This check verifies that effective network routes direct outbound traffic to the firewall's private IP address for eligible workloads across all subscriptions.
+Azure Firewall is a cloud-native network security service that provides centralized inspection, logging, and enforcement for outbound traffic. In a secure network architecture, outbound traffic from VNet-integrated workloads such as VMs, AKS clusters, App Service, and Functions should be explicitly routed through Azure Firewall before reaching external services. This routing ensures that outbound security inspection — including threat intelligence filtering, intrusion detection and prevention, TLS inspection, and egress policy enforcement — is applied to all outbound flows. Without this routing, outbound traffic bypasses the firewall entirely, leaving the environment exposed to data exfiltration and command-and-control communication. This check verifies that effective network routes direct outbound traffic to the firewall's private IP address for eligible workloads across all subscriptions.
+
+For high-traffic workloads that risk SNAT port exhaustion, consider deploying [Azure NAT Gateway alongside Azure Firewall](/azure/firewall/integrate-with-nat-gateway). NAT Gateway provides up to 64,512 SNAT ports per public IP address compared to Azure Firewall's 2,496 SNAT ports per public IP per instance. When associated with the AzureFirewallSubnet, NAT Gateway handles outbound translation while Azure Firewall continues to inspect traffic — with no double NAT.
 
 **Remediation action**
 
-- [Configure Azure Firewall routing](/azure/firewall/tutorial-firewall-deploy-portal#configure-routing)
+- [Configure Azure Firewall routing](/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route)
 - [Manage route tables and routes](/azure/virtual-network/manage-route-table)
 - [Control App Service outbound traffic with Azure Firewall](/azure/app-service/network-secure-outbound-traffic-azure-firewall)
 - [Azure Firewall security rules](/azure/firewall/rule-processing)

articles/networking/security/includes/25537.md

@@ -15,6 +15,9 @@ ms.custom: Network-Secure-Recommendation
 ---
 Azure Firewall Threat Intelligence-based filtering alerts and denies traffic from and to known malicious IP addresses, fully qualified domain names (FQDNs), and URLs sourced from the Microsoft Threat Intelligence feed. When enabled, Azure Firewall evaluates traffic against threat intelligence rules before applying network address translation (NAT), network, or application rules. This check verifies that Threat Intelligence is enabled in "Alert and deny" mode in the Azure Firewall policy. Without this feature enabled, the environment remains exposed to known malicious IPs, domains, and URLs, creating risk of compromise or data exfiltration.
 
+> [!NOTE]
+> "Alert and deny" mode requires Azure Firewall Standard or Premium. Azure Firewall Basic supports alert mode only. For a full feature comparison, see [Choose the right Azure Firewall SKU](/azure/firewall/choose-firewall-sku).
+
 **Remediation action**
 
 - [Azure Firewall threat intelligence configuration](/azure/firewall-manager/threat-intelligence-settings)

articles/networking/security/includes/26885.md

@@ -17,7 +17,7 @@ Azure DDoS Protection provides advanced mitigation capabilities for public IP ad
 
 **Remediation action**
 
-- [Configure Azure DDoS Protection metrics and diagnostic logs](/azure/ddos-protection/diagnostic-logging)
+- [Configure Azure DDoS Protection metrics and diagnostic logs](/azure/ddos-protection/ddos-view-diagnostic-logs)
 - [Configure diagnostic settings for Azure resources](/azure/azure-monitor/essentials/diagnostic-settings)
 - [Azure DDoS Protection overview](/azure/ddos-protection/ddos-protection-overview)
 - [Create and configure Azure DDoS Network Protection using the Azure portal](/azure/ddos-protection/manage-ddos-protection)

articles/networking/security/includes/26886.md

@@ -17,7 +17,5 @@ When Azure DDoS Protection is enabled for public IP addresses, diagnostic loggin
 
 **Remediation action**
 
-- [Configure Azure DDoS Protection diagnostic logging](/azure/ddos-protection/diagnostic-logging)
-- [View and configure DDoS diagnostic logs](/azure/ddos-protection/diagnostic-logging#configure-ddos-diagnostic-logs)
-- [Azure DDoS Protection monitoring and logging](/azure/ddos-protection/monitor-ddos-protection)
-- [View and analyze DDoS logs](/azure/ddos-protection/monitor-ddos-protection)
+- [View and configure DDoS Protection diagnostic logs](/azure/ddos-protection/ddos-view-diagnostic-logs)
+- [Monitor Azure DDoS Protection](/azure/ddos-protection/monitor-ddos-protection)

articles/networking/security/index.yml

@@ -25,6 +25,10 @@ highlightedContent:
       itemType: overview # controls the icon image and super-title text 
       url: /azure/networking/security/network-security
     # Card
+    - title: Azure network security Zero Trust recommendations
+      itemType: concept
+      url: /azure/networking/security/zero-trust-network-security
+    # Card
     - title: Azure best practices for network security
       itemType: concept
       url: ../../security/fundamentals/network-best-practices.md

articles/networking/security/zero-trust-application-gateway-waf.md

@@ -17,16 +17,37 @@ For a summary of all Azure network security Zero Trust recommendations, see [Azu
 
 ## Recommendations
 
-| Recommendation | Risk level | User impact | Implementation cost |
-|---|---|---|---|
-| [!INCLUDE [Application Gateway WAF is enabled in prevention mode](includes/25541.md)] | High | Low | Low |
-| [!INCLUDE [Request body inspection is enabled in Application Gateway WAF](includes/26879.md)] | High | Low | Low |
-| [!INCLUDE [Default rule set is enabled in Application Gateway WAF](includes/26881.md)] | High | Low | Low |
-| [!INCLUDE [Bot protection rule set is enabled and assigned in Application Gateway WAF](includes/26882.md)] | High | Low | Low |
-| [!INCLUDE [HTTP DDoS protection rule set is enabled in Application Gateway WAF](includes/27015.md)] | High | Low | Low |
-| [!INCLUDE [Rate limiting is enabled in Application Gateway WAF](includes/27016.md)] | High | Low | Medium |
-| [!INCLUDE [JavaScript challenge is enabled in Application Gateway WAF](includes/27017.md)] | Medium | Low | Low |
-| [!INCLUDE [Diagnostic logging is enabled in Application Gateway WAF](includes/26888.md)] | High | Low | Low |
+### Application Gateway WAF is enabled in prevention mode
+
+[!INCLUDE [Application Gateway WAF is enabled in prevention mode](includes/25541.md)]
+
+### Request body inspection is enabled in Application Gateway WAF
+
+[!INCLUDE [Request body inspection is enabled in Application Gateway WAF](includes/26879.md)]
+
+### Default rule set is enabled in Application Gateway WAF
+
+[!INCLUDE [Default rule set is enabled in Application Gateway WAF](includes/26881.md)]
+
+### Bot protection rule set is enabled and assigned in Application Gateway WAF
+
+[!INCLUDE [Bot protection rule set is enabled and assigned in Application Gateway WAF](includes/26882.md)]
+
+### HTTP DDoS protection rule set is enabled in Application Gateway WAF
+
+[!INCLUDE [HTTP DDoS protection rule set is enabled in Application Gateway WAF](includes/27015.md)]
+
+### Rate limiting is enabled in Application Gateway WAF
+
+[!INCLUDE [Rate limiting is enabled in Application Gateway WAF](includes/27016.md)]
+
+### JavaScript challenge is enabled in Application Gateway WAF
+
+[!INCLUDE [JavaScript challenge is enabled in Application Gateway WAF](includes/27017.md)]
+
+### Diagnostic logging is enabled in Application Gateway WAF
+
+[!INCLUDE [Diagnostic logging is enabled in Application Gateway WAF](includes/26888.md)]
 
 ## Related content
 

articles/networking/security/zero-trust-azure-firewall.md

@@ -17,13 +17,25 @@ For a summary of all Azure network security Zero Trust recommendations, see [Azu
 
 ## Recommendations
 
-| Recommendation | Risk level | User impact | Implementation cost |
-|---|---|---|---|
-| [!INCLUDE [Outbound traffic from VNet-integrated workloads is routed through Azure Firewall](includes/25535.md)] | High | Low | Medium |
-| [!INCLUDE [Threat intelligence is enabled in deny mode on Azure Firewall](includes/25537.md)] | High | Low | Low |
-| [!INCLUDE [IDPS inspection is enabled in deny mode on Azure Firewall](includes/25539.md)] | High | Low | Low |
-| [!INCLUDE [Inspection of outbound TLS traffic is enabled on Azure Firewall](includes/25550.md)] | High | Low | Low |
-| [!INCLUDE [Diagnostic logging is enabled in Azure Firewall](includes/26887.md)] | High | Low | Low |
+### Outbound traffic from VNet-integrated workloads is routed through Azure Firewall
+
+[!INCLUDE [Outbound traffic from VNet-integrated workloads is routed through Azure Firewall](includes/25535.md)]
+
+### Threat intelligence is enabled in deny mode on Azure Firewall
+
+[!INCLUDE [Threat intelligence is enabled in deny mode on Azure Firewall](includes/25537.md)]
+
+### IDPS inspection is enabled in deny mode on Azure Firewall
+
+[!INCLUDE [IDPS inspection is enabled in deny mode on Azure Firewall](includes/25539.md)]
+
+### Inspection of outbound TLS traffic is enabled on Azure Firewall
+
+[!INCLUDE [Inspection of outbound TLS traffic is enabled on Azure Firewall](includes/25550.md)]
+
+### Diagnostic logging is enabled in Azure Firewall
+
+[!INCLUDE [Diagnostic logging is enabled in Azure Firewall](includes/26887.md)]
 
 ## Related content
 

articles/networking/security/zero-trust-ddos-protection.md

@@ -17,11 +17,17 @@ For a summary of all Azure network security Zero Trust recommendations, see [Azu
 
 ## Recommendations
 
-| Recommendation | Risk level | User impact | Implementation cost |
-|---|---|---|---|
-| [!INCLUDE [DDoS Protection is enabled for all public IP addresses in VNets](includes/25533.md)] | High | Low | Low |
-| [!INCLUDE [Metrics are enabled for DDoS-protected public IPs](includes/26885.md)] | Medium | Low | Low |
-| [!INCLUDE [Diagnostic logging is enabled for DDoS-protected public IPs](includes/26886.md)] | Medium | Low | Low |
+### DDoS Protection is enabled for all public IP addresses in VNets
+
+[!INCLUDE [DDoS Protection is enabled for all public IP addresses in VNets](includes/25533.md)]
+
+### Metrics are enabled for DDoS-protected public IPs
+
+[!INCLUDE [Metrics are enabled for DDoS-protected public IPs](includes/26885.md)]
+
+### Diagnostic logging is enabled for DDoS-protected public IPs
+
+[!INCLUDE [Diagnostic logging is enabled for DDoS-protected public IPs](includes/26886.md)]
 
 ## Related content
 

articles/networking/security/zero-trust-front-door-waf.md

@@ -17,16 +17,37 @@ For a summary of all Azure network security Zero Trust recommendations, see [Azu
 
 ## Recommendations
 
-| Recommendation | Risk level | User impact | Implementation cost |
-|---|---|---|---|
-| [!INCLUDE [Azure Front Door WAF is enabled in prevention mode](includes/25543.md)] | High | Low | Low |
-| [!INCLUDE [Request body inspection is enabled in Azure Front Door WAF](includes/26880.md)] | High | Low | Low |
-| [!INCLUDE [Default rule set is assigned in Azure Front Door WAF](includes/26883.md)] | High | Low | Low |
-| [!INCLUDE [Bot protection rule set is enabled and assigned in Azure Front Door WAF](includes/26884.md)] | High | Low | Low |
-| [!INCLUDE [Rate limiting is enabled in Azure Front Door WAF](includes/27018.md)] | High | Low | Medium |
-| [!INCLUDE [JavaScript challenge is enabled in Azure Front Door WAF](includes/27019.md)] | Medium | Low | Low |
-| [!INCLUDE [CAPTCHA challenge is enabled in Azure Front Door WAF](includes/27020.md)] | Medium | Low | Low |
-| [!INCLUDE [Diagnostic logging is enabled in Azure Front Door WAF](includes/26889.md)] | High | Low | Low |
+### Azure Front Door WAF is enabled in prevention mode
+
+[!INCLUDE [Azure Front Door WAF is enabled in prevention mode](includes/25543.md)]
+
+### Request body inspection is enabled in Azure Front Door WAF
+
+[!INCLUDE [Request body inspection is enabled in Azure Front Door WAF](includes/26880.md)]
+
+### Default rule set is assigned in Azure Front Door WAF
+
+[!INCLUDE [Default rule set is assigned in Azure Front Door WAF](includes/26883.md)]
+
+### Bot protection rule set is enabled and assigned in Azure Front Door WAF
+
+[!INCLUDE [Bot protection rule set is enabled and assigned in Azure Front Door WAF](includes/26884.md)]
+
+### Rate limiting is enabled in Azure Front Door WAF
+
+[!INCLUDE [Rate limiting is enabled in Azure Front Door WAF](includes/27018.md)]
+
+### JavaScript challenge is enabled in Azure Front Door WAF
+
+[!INCLUDE [JavaScript challenge is enabled in Azure Front Door WAF](includes/27019.md)]
+
+### CAPTCHA challenge is enabled in Azure Front Door WAF
+
+[!INCLUDE [CAPTCHA challenge is enabled in Azure Front Door WAF](includes/27020.md)]
+
+### Diagnostic logging is enabled in Azure Front Door WAF
+
+[!INCLUDE [Diagnostic logging is enabled in Azure Front Door WAF](includes/26889.md)]
 
 ## Related content