Skip to content

Commit

Permalink
feat: Updated Azure.APIM.AvailabilityZone (Azure#2874)
Browse files Browse the repository at this point in the history
* feat: Updated Azure.APIM.AvailabilityZone

* feat: Updated with feedback from review
  • Loading branch information
BenjaminEngeset authored May 21, 2024
1 parent b65fb70 commit 00e1ca9
Show file tree
Hide file tree
Showing 5 changed files with 129 additions and 107 deletions.
9 changes: 9 additions & 0 deletions docs/CHANGELOG-v1.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,15 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
[#2846](https://github.com/Azure/PSRule.Rules.Azure/issues/2846)
- Check that database accounts have public network access disabled by @BenjaminEngeset.
[#2702](https://github.com/Azure/PSRule.Rules.Azure/issues/2702)
- Updated rules:
- API Management:
- **Important change**: Updated `Azure.APIM.AvailabilityZone` to improve accuracy with non-premium SKUs by @BenjaminEngeset.
[#2788](https://github.com/Azure/PSRule.Rules.Azure/issues/2788)
- Removed the `If` Premium SKU.
- Added check for Premium SKU.
- Updated tests.
- Updated rule doc.
- Bumped rule set to `2024_06`.

## v1.37.0-B0009 (pre-release)

Expand Down
49 changes: 31 additions & 18 deletions docs/en/rules/Azure.APIM.AvailabilityZone.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,40 +6,37 @@ resource: API Management
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.AvailabilityZone/
---

# API management services should use Availability zones in supported regions
# API management instances should use availability zones in supported regions

## SYNOPSIS

API management services deployed with Premium SKU should use availability zones in supported regions for high availability.
API Management instances should use availability zones in supported regions for high availability.

## DESCRIPTION

API management services using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region.
With zone redundancy, the gateway and the control plane of your API Management instance (Management API, developer portal, Git configuration) are replicated across data centers in physically separated zones, making it resilient to a zone failure.
API Management supports using availability zones to provide zone redundency for key components.
Zone redundancy improves resiliency and high availability of the service by deploying scale units across data centers in physically separated zones.

## RECOMMENDATION
The following are required to deploy a zone redundant configuration:

Consider using availability zones for API management services deployed with Premium SKU.
- API Management is deployed with the Premium SKU.
- At least two scale units must be deployed in separate availbility zones.

## NOTES
Zone redundancy has a different configuration for the primary and additional regions:

This rule applies when analyzing resources deployed to Azure using *pre-flight* and *in-flight* data.
- In the primary region, all service components are replicated across zones (gateway, management plane, and developer portal).
- In additional regions, *only* the gateway is replicated across zones.
As the management plane/developer portal service components are only deployed to the primary region.

This rule fails when `"zones"` is `null`, `[]` or less than two zones when API management service is deployed with Premium SKU and there are supported availability zones for the given region.
## RECOMMENDATION

Configure `AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST` to set additional availability zones that need to be supported which are not in the existing [providers](https://github.com/Azure/PSRule.Rules.Azure/blob/main/data/providers/) for namespace `Microsoft.ApiManagement` and resource type `services`.

```yaml
# YAML: The default AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option
configuration:
AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []
```
Consider using at least two (2) scale units and availability zones to improve resiliency of API Management instances to zone failures.

## EXAMPLES

### Configure with Azure template

To set availability zones for a API management service
To set availability zones for a API Management instance:

- Set `zones` to a minimum of two zones from `["1", "2", "3"]`, ensuring the number of zones match `sku.capacity`.
- Set `properties.additionalLocations[*].zones` to a minimum of two zones from `["1", "2", "3"]`, ensuring the number of zones match `properties.additionalLocations[*].sku.capacity`.
Expand Down Expand Up @@ -109,7 +106,7 @@ For example:

### Configure with Bicep

To set availability zones for a API management service
To set availability zones for a API Management instance:

- Set `zones` to a minimum of two zones from `["1", "2", "3"]`, ensuring the number of zones match `sku.capacity`.
- Set `properties.additionalLocations[*].zones` to a minimum of two zones from `["1", "2", "3"]`, ensuring the number of zones match `properties.additionalLocations[*].sku.capacity`.
Expand Down Expand Up @@ -173,6 +170,22 @@ resource service_api_mgmt_test2_name_resource 'Microsoft.ApiManagement/service@2
}
```

## NOTES

This rule applies when analyzing resources deployed to Azure using *pre-flight* and *in-flight* data.

This rule fails when `"zones"` is `null`, `[]` or less than two zones when API Management instance is deployed with Premium SKU and there are supported availability zones for the given region.

Configure `AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST` to set additional availability zones that need to be supported which are not in the existing [providers](https://github.com/Azure/PSRule.Rules.Azure/blob/main/data/providers/) for namespace `Microsoft.ApiManagement` and resource type `services`.

```yaml
# YAML: The default AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option
configuration:
AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []
```
For developer environments, suppressing the rule might make sense as enabling zone redundancy for an API Management instance requries the `Premium` SKU currently.

## LINKS

- [RE:05 Regions and availability zones](https://learn.microsoft.com/azure/well-architected/reliability/regions-availability-zones)
Expand Down
10 changes: 8 additions & 2 deletions src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -193,8 +193,14 @@ Rule 'Azure.APIM.CertificateExpiry' -Ref 'AZR-000051' -Type 'Microsoft.ApiManage
}
} -Configure @{ Azure_MinimumCertificateLifetime = 30 }

# Synopsis: API management services deployed with Premium SKU should use availability zones in supported regions for high availability.
Rule 'Azure.APIM.AvailabilityZone' -Ref 'AZR-000052' -Type 'Microsoft.ApiManagement/service' -If { IsPremiumAPIM } -Tag @{ release = 'GA'; ruleSet = '2021_12'; 'Azure.WAF/pillar' = 'Reliability'; } {
# Synopsis: API Management instances should use availability zones in supported regions for high availability.
Rule 'Azure.APIM.AvailabilityZone' -Ref 'AZR-000052' -Type 'Microsoft.ApiManagement/service' -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Reliability'; } {
if ($TargetObject.sku.name -ne 'Premium') {
return $Assert.HasFieldValue($TargetObject, 'sku.name', 'Premium') # Availability zones are only supported for the Premium SKU.
}

$Assert.HasFieldValue($TargetObject, 'sku.name', 'Premium')

$apiManagementServiceProvider = [PSRule.Rules.Azure.Runtime.Helper]::GetResourceType('Microsoft.ApiManagement', 'service');

$configurationZoneMappings = $Configuration.AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST;
Expand Down
Loading

0 comments on commit 00e1ca9

Please sign in to comment.