Support tradeoff decisions

[erjosito]

Today the checklists include binary recommendations, for example "configure egress traffic through a NGFW". However, design decisions are often a tradeoff between different aspects of a design, and following a certain recommendation might increase one, but decrease another one. For example, injecting an AzFW increases security, but impacts negatively the cost and complexity of the design. Hence, depending on the main goal of a certain architecture, the right answer to the recommendation might vary: for security-optimized designs the recommendation would be one, but for cost-optimized designs the recommendation would be another.

In order to support this, two things would need to be modified:

• The answers to the recommendations should allow for more variation. Not only "Fulfilled", but something like "Yes, doing this already" and "ACK'ed but thanks, no thanks"
• Recommendations should include a "weight" that give an idea of which design pillars (Security, Cost, Complexity, Resiliency) are the impacting when implemented and when not implemented

Having this in the checklists would allow to do reviews for security-optimized designs, resiliency-optimized designs or cost-optimized designs, for example.

[Kaspanitz]

Could a dropdown option, to be used at the start of a review, to optimize for security, reliability or minimize cost be added? (Cost would obviously not be minimized if security and reliability optimization are selected, we can add a note to explain this, just in case it is not clear). We do see use cases for different designs, e.g. cost optimized for PoC implementations, sandboxes, etc. Relating recommendations to the WAF pillars would also be useful to give customers a quick understanding for which pillar (or pillars) a recommendation falls into. Weighted recommendations could be tricky as they can be subjective. Firewall standard vs premium, ExpressRoute multiple circuits vs S2S backup, etc choices may facilitate a balanced option. Alternatively, or perhaps in addition, a column for security and reliability required per recommendation may help customers to fine-tune a review/design as they can for example start with a cost minimized approach, and then select options on a line by line basis as required to improve security and reliability.

[erjosito]

Now that we have published 1.1, at the top right of the checklist there are some green bar indicators. The AKS checklist has some additional metadata, that indicates whether a specific recommendation has a positive or negative impact in certain areas:

• Resiliency (ha)
• Cost (cost)
• Simplicity (simple)
• Security (security)
• Scalability (scale)

Fulfilling a recommendation that only has a positive impact on one dimension will not alter the indicators, but fulfilling (or not) a recommendation that has a positive impact on one dimension and a negative impact on another one will alter the indicators. For example, if I pick all of the security recommendations, some of them have a negative impact on simplicity, so my simplicity score will go down.

@Kaspanitz as you said the weighted recommendations can be subjective, so the scores are just +1/-1, and the indicators are non-numerical:

[pranayaswain]

Hi @erjosito , The checklist json files, and workbook json template files are generated by any script that is present in the repo.

[erjosito]

Hey @pranayaswain : it depends:

• The single-source of truth are the English JSON files from the checklists (*.en.json). Those are manually generated and reviewed by Microsoft engineers.
• The rest of the languages (*.es.json, *.pt.json, etc) are generated automatically translating the *.en.json files.
• The Azure Monitor Workbooks are also generated automatically from the *.en.json files.

[pranayaswain]

Hi @erjosito , Could you please help me to proceed further on this. I got the result query and imported it to excel. Then how I could get the dashboard. Please find the below screenshot attached.

How we could get the result in this https://stgazchecklistprd.z16.web.core.windows.net/LZ

[erjosito]

Hey @pranayaswain I am very confused. Does this have anything to do with the title of this issue Support tradeoff decisions?

When you say "I got the result query", what do you mean exactly? The JSON containing the output of the ARG queries? Assuming it is the case, in Excel you can import it with the "Import Graph Result" button. In the web frontend there is a button at the top as well with "Import Graph Query Result".

[pranayaswain]

Hi @erjosito , No this is not releated to this titile. Thank you for your replies.