Check that Container App environments are zone redundant Azure#2791 (Azure#2805)

* Check that Container App environments are zone redundant Azure#2791

* Fix

Author: BernieWhite

docs/CHANGELOG-v1.md

@@ -38,6 +38,8 @@ What's changed since v1.35.1:
   - Container App:
     - Check that Container Apps have a minimum number of replicas by @BernieWhite.
       [#2790](https://github.com/Azure/PSRule.Rules.Azure/issues/2790)
+    - Check that Container App environments are zone redundant by @BernieWhite.
+      [#2791](https://github.com/Azure/PSRule.Rules.Azure/issues/2791)
 - General improvements:
   - Quality updates to documentation by @lukemurraynz.
     [#2789](https://github.com/Azure/PSRule.Rules.Azure/pull/2789)

docs/en/rules/Azure.ContainerApp.AvailabilityZone.md

@@ -0,0 +1,107 @@
+---
+reviewed: 2024-04-07
+severity: Important
+pillar: Reliability
+category: RE:05 Regions and availability zones
+resource: Container App
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.AvailabilityZone/
+---
+
+# Use zone redundant Container App environments
+
+## SYNOPSIS
+
+Use Container Apps environments that are zone redundant to improve reliability.
+
+## DESCRIPTION
+
+Container App environments can be configured to be zone redundant in regions that support availability zones.
+When configured, replicas of each Container App are spread across availability zones automatically.
+A Container App must have multiple replicas to be zone redundant.
+
+For example, if a Container App has three replicas, each replica is placed in a different availability zone.
+
+## RECOMMENDATION
+
+Consider configuring Container App environments to be zone redundant to improve reliability.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy Container App environments that pass this rule:
+
+- Set the `properties.zoneRedundant` property to `true`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.App/managedEnvironments",
+  "apiVersion": "2023-05-01",
+  "name": "[parameters('envName')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "appLogsConfiguration": {
+      "destination": "log-analytics",
+      "logAnalyticsConfiguration": {
+        "customerId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceId')), '2022-10-01').customerId]",
+        "sharedKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceId')), '2022-10-01').primarySharedKey]"
+      }
+    },
+    "zoneRedundant": true,
+    "workloadProfiles": [
+      {
+        "name": "Consumption",
+        "workloadProfileType": "Consumption"
+      }
+    ],
+    "vnetConfiguration": {
+      "infrastructureSubnetId": "[parameters('subnetId')]",
+      "internal": true
+    }
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy Container App environments that pass this rule:
+
+- Set the `properties.zoneRedundant` property to `true`.
+
+For example:
+
+```bicep
+resource containerEnv 'Microsoft.App/managedEnvironments@2023-05-01' = {
+  name: envName
+  location: location
+  properties: {
+    appLogsConfiguration: {
+      destination: 'log-analytics'
+      logAnalyticsConfiguration: {
+        customerId: workspace.properties.customerId
+        sharedKey: workspace.listKeys().primarySharedKey
+      }
+    }
+    zoneRedundant: true
+    workloadProfiles: [
+      {
+        name: 'Consumption'
+        workloadProfileType: 'Consumption'
+      }
+    ]
+    vnetConfiguration: {
+      infrastructureSubnetId: subnetId
+      internal: true
+    }
+  }
+}
+```
+
+## LINKS
+
+- [RE:05 Regions and availability zones](https://learn.microsoft.com/azure/well-architected/reliability/regions-availability-zones)
+- [Reliability in Azure Container Apps](https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps#availability-zone-support)
+- [What are availability zones?](https://learn.microsoft.com/azure/reliability/availability-zones-overview)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps)

docs/en/rules/Azure.ContainerApp.DisableAffinity.md

@@ -1,8 +1,8 @@
 ---
-reviewed: 2023-10-01
+reviewed: 2024-04-07
 severity: Important
 pillar: Performance Efficiency
-category: Design for performance efficiency
+category: PE:05 Scaling and partitioning
 resource: Container App
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.DisableAffinity/
 ---
@@ -50,7 +50,10 @@ For example:
     "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]",
     "template": {
       "revisionSuffix": "[parameters('revision')]",
-      "containers": "[variables('containers')]"
+      "containers": "[variables('containers')]",
+      "scale": {
+        "minReplicas": 2
+      }
     },
     "configuration": {
       "ingress": {
@@ -87,6 +90,9 @@ resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
     template: {
       revisionSuffix: revision
       containers: containers
+      scale: {
+        minReplicas: 2
+      }
     }
     configuration: {
       ingress: {
@@ -106,7 +112,6 @@ This rule may generate false positive results for stateful applications.
 
 ## LINKS
 
-- [Avoid a requirement to store server-side session state](https://learn.microsoft.com/azure/well-architected/scalability/performance-efficiency#implementation)
-- [Session affinity](https://learn.microsoft.com/azure/well-architected/scalability/design-efficiency#improve-performance-with-session-affinity)
+- [PE:05 Scaling and partitioning](https://learn.microsoft.com/azure/well-architected/performance-efficiency/scale-partition)
 - [Session Affinity in Azure Container Apps](https://learn.microsoft.com/azure/container-apps/sticky-sessions)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps#ingressstickysessions)

docs/en/rules/Azure.ContainerApp.ExternalIngress.md

@@ -1,7 +1,8 @@
 ---
+reviewed: 2024-04-07
 severity: Important
 pillar: Security
-category: Network security and containment
+category: SE:06 Network controls
 resource: Container App
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.ExternalIngress/
 ---
@@ -14,14 +15,15 @@ Limit inbound communication for Container Apps is limited to callers within the
 
 ## DESCRIPTION
 
-Container apps allows you to expose your container app to the Internet, your VNET, or to other container apps within the same environment by enabling ingress.
+Inbound access to a Container App is configured by enabling ingress.
+Container Apps can be configured to allow external ingress or not.
+External ingress permits communication outside the Container App environment from a private VNET or the Internet.
+To restrict communication to a private VNET your Container App Environment must be:
 
-When inbound access to the app is required, configure the ingress.
-Applications that do batch processing or consume events may not require ingress to be enabled.
-
-When external ingress is configured, communication outside the container apps environment is enabled from your private VNET or the Internet.
-To restrict communication to a private VNET your Container App Environment must be deployed on a custom VNET with an Internal load balancer.
+- Configured with a custom VNET.
+- Configured with an internal load balancer.
 
+Applications that do batch processing or consume events may not require ingress to be enabled.
 If communication outside your Container Apps Environment is not required, disable external ingress.
 
 ## RECOMMENDATION
@@ -41,25 +43,34 @@ For example:
 ```json
 {
   "type": "Microsoft.App/containerApps",
-  "apiVersion": "2022-10-01",
+  "apiVersion": "2023-05-01",
   "name": "[parameters('appName')]",
   "location": "[parameters('location')]",
   "identity": {
-    "type": "SystemAssigned",
-    "userAssignedIdentities": {}
+    "type": "SystemAssigned"
   },
   "properties": {
-        "environmentId": "[parameters('environmentId')]",
-        "template": {
-            "revisionSuffix": "",
-            "containers": "[variables('containers')]"
-        },
-        "configuration": {
-            "ingress": {
-                "external": false
-            }
+    "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]",
+    "template": {
+      "revisionSuffix": "[parameters('revision')]",
+      "containers": "[variables('containers')]",
+      "scale": {
+        "minReplicas": 2
+      }
+    },
+    "configuration": {
+      "ingress": {
+        "external": false,
+        "allowInsecure": false,
+        "stickySessions": {
+          "affinity": "none"
         }
+      }
     }
+  },
+  "dependsOn": [
+    "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]"
+  ]
 }
 ```
 
@@ -72,22 +83,28 @@ To deploy Container Apps that pass this rule:
 For example:
 
 ```bicep
-resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {
+resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
   name: appName
   location: location
   identity: {
     type: 'SystemAssigned'
-    userAssignedIdentities: {}
   }
-   properties: {
-    environmentId: environmentId
+  properties: {
+    environmentId: containerEnv.id
     template: {
-      revisionSuffix: ''
+      revisionSuffix: revision
       containers: containers
+      scale: {
+        minReplicas: 2
+      }
     }
     configuration: {
       ingress: {
         external: false
+        allowInsecure: false
+        stickySessions: {
+          affinity: 'none'
+        }
       }
     }
   }
@@ -103,6 +120,7 @@ If you don't need external ingress, enable this rule by:
 
 ## LINKS
 
-- [Networking architecture in Azure Container Apps](https://learn.microsoft.com/azure/container-apps/networking)
-- [Set up HTTPS or TCP ingress in Azure Container Apps](https://learn.microsoft.com/azure/container-apps/ingress)
+- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Networking in Azure Container Apps environment](https://learn.microsoft.com/azure/container-apps/networking)
+- [Ingress in Azure Container Apps](https://learn.microsoft.com/azure/container-apps/ingress-overview)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps#ingress)

docs/en/rules/Azure.ContainerApp.Insecure.md

@@ -48,7 +48,10 @@ For example:
     "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]",
     "template": {
       "revisionSuffix": "[parameters('revision')]",
-      "containers": "[variables('containers')]"
+      "containers": "[variables('containers')]",
+      "scale": {
+        "minReplicas": 2
+      }
     },
     "configuration": {
       "ingress": {
@@ -85,6 +88,9 @@ resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
     template: {
       revisionSuffix: revision
       containers: containers
+      scale: {
+        minReplicas: 2
+      }
     }
     configuration: {
       ingress: {

docs/en/rules/Azure.ContainerApp.ManagedIdentity.md

@@ -54,7 +54,10 @@ For example:
     "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]",
     "template": {
       "revisionSuffix": "[parameters('revision')]",
-      "containers": "[variables('containers')]"
+      "containers": "[variables('containers')]",
+      "scale": {
+        "minReplicas": 2
+      }
     },
     "configuration": {
       "ingress": {
@@ -92,6 +95,9 @@ resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
     template: {
       revisionSuffix: revision
       containers: containers
+      scale: {
+        minReplicas: 2
+      }
     }
     configuration: {
       ingress: {