diff --git a/azure-resources/Network/expressRouteGateways/kql/17e8d380-e4b4-41a1-9b37-2e4df9fd5125.kql b/azure-resources/Network/expressRouteGateways/kql/17e8d380-e4b4-41a1-9b37-2e4df9fd5125.kql
index 614a7f9ca..2e76c2e7c 100644
--- a/azure-resources/Network/expressRouteGateways/kql/17e8d380-e4b4-41a1-9b37-2e4df9fd5125.kql
+++ b/azure-resources/Network/expressRouteGateways/kql/17e8d380-e4b4-41a1-9b37-2e4df9fd5125.kql
@@ -1 +1,28 @@
-// under-development
+// Azure Resource Graph Query
+// Find what Express Route Gateways do not have Monitoring Enabled on a Virtual Hub
+
+resources
+| where type =~ "Microsoft.Network/expressRouteGateways"
+| extend ergwId = tolower(tostring(id)), ergwName = name, ergwTags = tags, ergwLocation = location, vhubId = tolower(tostring(properties.virtualHub.id))
+| join kind=leftouter (
+ resources
+ | where type =~ "microsoft.insights/metricalerts"
+ | mv-expand scope = properties.scopes
+ | where scope has "Microsoft.Network/expressRouteGateways"
+ | extend scope = tolower(tostring(scope))
+ | project scope
+) on $left.ergwId == $right.scope
+| where strlen(scope) == 0
+| join kind=leftouter (
+ resources
+ | where type =~ "Microsoft.Network/virtualHubs"
+ | where ['kind'] != 'RouteServer'
+ | extend vhubId = tolower(tostring(id)), vhubName = name, vwanId = tolower(tostring(properties.virtualWan.id))
+) on $left.vhubId == $right.vhubId
+| join kind=leftouter (
+ resources
+ | where type =~ "Microsoft.Network/virtualWans"
+ | extend vwanId = tolower(tostring(id)), vwanName = name
+) on $left.vwanId == $right.vwanId
+| project recommendationId = "17e8d380-e4b4-41a1-9b37-2e4df9fd5125", name, id, tags, param1=strcat("vHub Name: ", vhubName), param2=strcat("vWAN Name: ", vwanName)
+
diff --git a/azure-resources/Network/expressRouteGateways/kql/560a76a7-8f64-4ce3-ad27-d174468861a1.kql b/azure-resources/Network/expressRouteGateways/kql/560a76a7-8f64-4ce3-ad27-d174468861a1.kql
new file mode 100644
index 000000000..ba34e6567
--- /dev/null
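Review bot: A disabled alert rule satisfies this check, because the `microsoft.insights/metricalerts` subquery keeps every rule whose scope names the gateway without looking at `properties.enabled`, so a gateway whose only rule has been switched off is reported as monitored. Adding `| where tobool(properties.enabled) == true` right after the type filter in the subquery closes that gap (worth confirming how ARG surfaces that property). The unmatched-row test `| where strlen(scope) == 0` also differs from the `isnull(scope) or strlen(scope) == 0` used by the p2s and VPN gateway queries in this same change; `| where isempty(scope)` would express the intent in one form across all four monitoring queries. The `ergwName`, `ergwTags` and `ergwLocation` columns from the `extend` are never used afterwards.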
+++ b/azure-resources/Network/expressRouteGateways/kql/560a76a7-8f64-4ce3-ad27-d174468861a1.kql
@@ -0,0 +1,19 @@
+// Azure Resource Graph Query
+// Find what Express Route Gateways have allow Non Virtual Wan Traffic enabled
+
+resources
+| where type =~ "Microsoft.Network/expressRouteGateways"
+| where properties.allowNonVirtualWanTraffic == "true"
+| extend ergwId = tolower(tostring(id)), ergwName = name, ergwTags = tags, ergwLocation = location, vhubId = tolower(tostring(properties.virtualHub.id))
+| join kind=leftouter (
+ resources
+ | where type =~ "Microsoft.Network/virtualHubs"
+ | where ['kind'] != 'RouteServer'
+ | extend vhubId = tolower(tostring(id)), vhubName = name, vwanId = tolower(tostring(properties.virtualWan.id))
+) on $left.vhubId == $right.vhubId
+| join kind=leftouter (
+ resources
+ | where type =~ "Microsoft.Network/virtualWans"
+ | extend vwanId = tolower(tostring(id)), vwanName = name
+) on $left.vwanId == $right.vwanId
+| project recommendationId = "560a76a7-8f64-4ce3-ad27-d174468861a1", name, id, tags, param1=strcat("vHub Name: ", vhubName), param2=strcat("vWAN Name: ", vwanName)
diff --git a/azure-resources/Network/expressRouteGateways/recommendations.yaml b/azure-resources/Network/expressRouteGateways/recommendations.yaml
index 853b794da..45bf917fa 100644
--- a/azure-resources/Network/expressRouteGateways/recommendations.yaml
+++ b/azure-resources/Network/expressRouteGateways/recommendations.yaml
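Review bot: `| where properties.allowNonVirtualWanTraffic == "true"` compares a dynamic property against a string literal, so whether a gateway with the setting on is matched depends on how ARG serialises that property and on Kusto's dynamic-to-string comparison rather than on the boolean itself. `| where tobool(properties.allowNonVirtualWanTraffic) == true` states the intent and matches a JSON `true` regardless of representation (confirm against a gateway known to have the setting on). The `ergwName`, `ergwTags` and `ergwLocation` columns produced by the `extend` are never used afterwards and can be dropped.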
@@ -31,3 +31,23 @@
 learnMoreLink:
 - name: Virtual WAN Monitoring Best Practices
 url: "https://learn.microsoft.com/en-us/azure/virtual-wan/monitoring-best-practices#expressroute-gateway"
+
+- description: Avoid using ExpressRoute circuits for VNet to VNet communication
+ aprlGuid: 560a76a7-8f64-4ce3-ad27-d174468861a1
+ recommendationTypeId: null
+ recommendationControl: HighAvailability
+ recommendationImpact: Medium
+ recommendationResourceType: Microsoft.Network/expressRouteGateways
+ recommendationMetadataState: Active
+ longDescription: Avoid using ExpressRoute circuits for VNet to VNet communication. Use Virtual WAN to connect VNets in different regions. This feature is enabled at the ExpressRoute circuit level but reflected in the Virtual Wan resource.
+ potentialBenefits: Shortest path between VNETs. Disables hairpinning at MSEE
+ pgVerified: false
+ automationAvailable: false
+ tags: null
+ learnMoreLink:
+ - name: Enable or disable VNet to Virtual WAN traffic over ExpressRoute
+ url: "https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-expressroute-portal#enable-or-disable-vnet-to-virtual-wan-traffic-over-expressroute"
+
+ - name: Customization controls for connectivity between Virtual Networks over ExpressRoute
+ url: "https://techcommunity.microsoft.com/t5/azure-networking-blog/customisation-controls-for-connectivity-between-virtual-networks/ba-p/4147722"
+
diff --git a/azure-resources/Network/p2sVpnGateways/kql/fd43ea32-2ccf-49a8-ada4-9a78794e3ff1.kql b/azure-resources/Network/p2sVpnGateways/kql/fd43ea32-2ccf-49a8-ada4-9a78794e3ff1.kql
index 614a7f9ca..3c3f1d7ca 100644
--- a/azure-resources/Network/p2sVpnGateways/kql/fd43ea32-2ccf-49a8-ada4-9a78794e3ff1.kql
+++ b/azure-resources/Network/p2sVpnGateways/kql/fd43ea32-2ccf-49a8-ada4-9a78794e3ff1.kql
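Review bot: `automationAvailable: false` on the new entry sits next to an ARG query added for the same GUID in this change (`kql/560a76a7-8f64-4ce3-ad27-d174468861a1.kql`); if that flag records whether a query exists, it should read `automationAvailable: true`. The `longDescription` says the feature is "enabled at the ExpressRoute circuit level", while the query tests `properties.allowNonVirtualWanTraffic` on the `Microsoft.Network/expressRouteGateways` resource, so one of the two is misleading — presumably the text, which could read `This is controlled by the allowNonVirtualWanTraffic setting of the ExpressRoute gateway in the virtual hub.` Filing a routing-path recommendation under `recommendationControl: HighAvailability` is also worth a second look.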
@@ -1 +1,26 @@
-// under-development
+// Azure Resource Graph Query
+// Find what Point to Site Gateways do not have Monitoring Enabled on a Virtual Hub
+resources
+| where type =~ "microsoft.network/p2svpngateways"
+| extend p2sgwId = tolower(tostring(id)), p2sgwName = name, p2sgwTags = tags, p2sgwLocation = location, vhubId = tolower(tostring(properties.virtualHub.id))
+| join kind=leftouter (
+ resources
+ | where type =~ "microsoft.insights/metricalerts"
+ | mv-expand scope = properties.scopes
+ | where scope has "microsoft.network/p2svpngateways"
+ | extend scope = tolower(tostring(scope))
+ | project scope
+) on $left.p2sgwId == $right.scope
+| where isnull(scope) or strlen(scope) == 0
+| join kind=leftouter (
+ resources
+ | where type =~ "Microsoft.Network/virtualHubs"
+ | where ['kind'] != 'RouteServer'
+ | extend vhubId = tolower(tostring(id)), vhubName = name, vwanId = tolower(tostring(properties.virtualWan.id))
+) on $left.vhubId == $right.vhubId
+| join kind=leftouter (
+ resources
+ | where type =~ "Microsoft.Network/virtualWans"
+ | extend vwanId = tolower(tostring(id)), vwanName = name
+) on $left.vwanId == $right.vwanId
+| project recommendationId = "fd43ea32-2ccf-49a8-ada4-9a78794e3ff1", name, id, tags, param1=strcat("vHub Name: ", vhubName), param2=strcat("vWAN Name: ", vwanName)
diff --git a/azure-resources/Network/virtualHubs/kql/0390bf34-8be5-44ee-b454-d6b8d5dd3790.kql b/azure-resources/Network/virtualHubs/kql/0390bf34-8be5-44ee-b454-d6b8d5dd3790.kql
deleted file mode 100644
index 614a7f9ca..000000000
--- a/azure-resources/Network/virtualHubs/kql/0390bf34-8be5-44ee-b454-d6b8d5dd3790.kql
+++ /dev/null
@@ -1 +0,0 @@
-// under-development
diff --git a/azure-resources/Network/virtualHubs/kql/30ec8a5e-46de-4323-87e9-a7c56b72813b.kql b/azure-resources/Network/virtualHubs/kql/30ec8a5e-46de-4323-87e9-a7c56b72813b.kql
new file mode 100644
index 000000000..cb64cc205
--- /dev/null
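Review bot: Alert rules scoped to a subscription or resource group with a target resource type (multi-resource rules) are never matched, because the subquery keeps only scopes that contain `microsoft.network/p2svpngateways` and the join is on the exact gateway id, so every gateway covered only by such a rule is reported as unmonitored. If that limitation is intended, state it in the header, `// Only alert rules scoped directly to the gateway resource are detected; subscription/resource-group scoped multi-resource rules are not`; otherwise the subquery needs a second branch for rules whose `properties.targetResourceType` is the gateway type, joined on subscription id rather than on resource id. The subquery also never filters on `properties.enabled`, so a disabled rule counts as monitoring.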
+++ b/azure-resources/Network/virtualHubs/kql/30ec8a5e-46de-4323-87e9-a7c56b72813b.kql
@@ -0,0 +1,24 @@
+// Azure Resource Graph Query
+// Find what virtual Hubs do not have Monitoring Enabled.
+
+resources
+| where type =~ "Microsoft.Network/virtualHubs"
+| where ['kind'] != 'RouteServer'
+| extend hubId = tolower(tostring(id)), hubName = name, hubTags = tags, hubLocation = location, vwanId = tolower(tostring(properties.virtualWan.id))
+| join kind=leftouter (
+ resources
+ | where type =~ "microsoft.insights/metricalerts"
+ | mv-expand scope = properties.scopes
+ | where scope has "Microsoft.Network/virtualHubs"
+ | where ['kind'] != 'RouteServer'
+ | extend scope = tolower(tostring(scope))
+ | project scope
+) on $left.hubId == $right.scope
+| where strlen(scope) == 0
+| join kind=leftouter (
+ resources
+ | where type =~ "Microsoft.Network/virtualWans"
+ | extend vwanId = tolower(tostring(id)), vwanName = name
+ | project vwanId, vwanName
+) on $left.vwanId == $right.vwanId
+| project recommendationId = "30ec8a5e-46de-4323-87e9-a7c56b72813b", name, id, tags, param1=strcat("vWAN Name : ",vwanName)
diff --git a/azure-resources/Network/virtualHubs/kql/f29e56a1-6a80-4295-a663-1cce0ea2b10a.kql b/azure-resources/Network/virtualHubs/kql/f29e56a1-6a80-4295-a663-1cce0ea2b10a.kql
new file mode 100644
index 000000000..87b7fef56
--- /dev/null
+++ b/azure-resources/Network/virtualHubs/kql/f29e56a1-6a80-4295-a663-1cce0ea2b10a.kql
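Review bot: `| where ['kind'] != 'RouteServer'` inside the metric-alert subquery is applied to `microsoft.insights/metricalerts` rows, for which that `kind` value has no meaning; it reads as a copy-paste of the hub filter above and should be removed so the subquery only does what the comment says. The post-join check `| where strlen(scope) == 0` relies on the unmatched leftouter row yielding an empty `scope` string; `| where isempty(scope)` says that directly. The subquery also does not check `properties.enabled`, so a hub whose only rule is disabled is reported as monitored, and the `hubName`, `hubTags` and `hubLocation` columns from the `extend` are unused.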
@@ -0,0 +1,13 @@
+// Azure Resource Graph Query
+// Find all Virtual WANs with Basic SKU. This is done at the Virtual Hub Resource Provider
+
+resources
+| where type == "microsoft.network/virtualhubs"
+| extend sku = tostring(properties.sku), virtualWanId = tostring(properties.virtualWan.id)
+| where sku == "Basic"
+| join (
+ resources
+ | where type == "microsoft.network/virtualwans"
+ | project id, name, tags
+) on $left.virtualWanId == $right.id
+| project recommendationId = "f29e56a1-6a80-4295-a663-1cce0ea2b10a", name, id, tags, param1=strcat("SKU: ", sku)
diff --git a/azure-resources/Network/virtualHubs/recommendations.yaml b/azure-resources/Network/virtualHubs/recommendations.yaml
index d75903627..fba7914cd 100644
--- a/azure-resources/Network/virtualHubs/recommendations.yaml
+++ b/azure-resources/Network/virtualHubs/recommendations.yaml
@@ -1,3 +1,19 @@
+- description: Migrate from Basic to Standard Virtual WAN
+ aprlGuid: f29e56a1-6a80-4295-a663-1cce0ea2b10a
+ recommendationTypeId: null
+ recommendationControl: ServiceUpgradeAndRetirement
+ recommendationImpact: High
+ recommendationResourceType: Microsoft.Network/virtualHubs
+ recommendationMetadataState: Active
+ longDescription: Basic SKU is not recommended for critical workloads. Standard SKU provides important features Inter-hub and VNet-to-VNet transiting through the virtual hub, ExpressRoute, VPN and Point to Site Gateways, ability to deploy Azure Firewalls and NVAs.
+ potentialBenefits: Full Mesh communication and resiliency
+ pgVerified: false
+ automationAvailable: false
+ tags: null
+ learnMoreLink:
+ - name: Upgrade a virtual WAN from Basic to Standard
+ url: "https://learn.microsoft.com/en-us/azure/virtual-wan/upgrade-virtual-wan"
+
 - description: Monitor health for v-Hubs
 aprlGuid: 30ec8a5e-46de-4323-87e9-a7c56b72813b
 recommendationTypeId: null
diff --git a/azure-resources/Network/virtualWans/_index.md b/azure-resources/Network/virtualWans/_index.md
index c49ae68b9..c0b3e6b88 100644
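Review bot: The `join` on `$left.virtualWanId == $right.id` is an inner join on ids that are not case-normalised, unlike the `tolower()` leftouter joins in the other queries of this change, so a hub whose `properties.virtualWan.id` differs in casing from the vWAN's own `id` is silently dropped from the results. Lower-case both sides and make the join outer: `virtualWanId = tolower(tostring(properties.virtualWan.id))` in the `extend`, `| project vwanId = tolower(tostring(id))` in the subquery, and `| join kind=leftouter (` … `) on $left.virtualWanId == $right.vwanId`; the final `project` then still reports the hub's `name`, `id` and `tags` without the `name1`/`id1` ambiguity. `type == "microsoft.network/virtualhubs"` is also a case-sensitive match where the sibling queries use `=~`.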
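Review bot: `automationAvailable: false` is set on an entry whose ARG query (`kql/f29e56a1-6a80-4295-a663-1cce0ea2b10a.kql`) is added in this same change; if the flag marks that a query exists, it should be `true`. The `longDescription` also reads awkwardly at "provides important features Inter-hub and VNet-to-VNet transiting"; `Standard SKU provides inter-hub and VNet-to-VNet transit through the virtual hub, ExpressRoute, VPN and Point-to-Site gateways, and the ability to deploy Azure Firewall and NVAs.` is clearer.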
--- a/azure-resources/Network/virtualWans/_index.md
+++ b/azure-resources/Network/virtualWans/_index.md
@@ -1,7 +1,7 @@
 ---
 title: virtualWans
 geekdocCollapseSection: true
-geekdocHidden: true
+geekdocHidden: false
 ---
 
 {{< azure-resources-recommendationlist name="azure-resources-recommendationlist" >}}
diff --git a/azure-resources/Network/vpnGateways/kql/f0d4f766-ac19-48c4-b228-4601cc038baa.kql b/azure-resources/Network/vpnGateways/kql/f0d4f766-ac19-48c4-b228-4601cc038baa.kql
index 614a7f9ca..76ee67a97 100644
--- a/azure-resources/Network/vpnGateways/kql/f0d4f766-ac19-48c4-b228-4601cc038baa.kql
+++ b/azure-resources/Network/vpnGateways/kql/f0d4f766-ac19-48c4-b228-4601cc038baa.kql
@@ -1 +1,27 @@
-// under-development
+// Azure Resource Graph Query
+// Find what VPN Gateways on Virtual WAN do not have Monitoring Enabled.
+
+resources
+| where type =~ "microsoft.network/vpngateways"
+| extend vpngwId = tolower(tostring(id)), vpngwName = name, vpngwTags = tags, vpngwLocation = location, vhubId = tolower(tostring(properties.virtualHub.id))
+| join kind=leftouter (
+ resources
+ | where type =~ "microsoft.insights/metricalerts"
+ | mv-expand scope = properties.scopes
+ | where scope has "Microsoft.Network/vpnGateways"
+ | extend scope = tolower(tostring(scope))
+ | project scope
+) on $left.vpngwId == $right.scope
+| where isnull(scope) or strlen(scope) == 0
+| join kind=leftouter (
+ resources
+ | where type =~ "Microsoft.Network/virtualHubs"
+ | where ['kind'] != 'RouteServer'
+ | extend vhubId = tolower(tostring(id)), vhubName = name, vwanId = tolower(tostring(properties.virtualWan.id))
+) on $left.vhubId == $right.vhubId
+| join kind=leftouter (
+ resources
+ | where type =~ "Microsoft.Network/virtualWans"
+ | extend vwanId = tolower(tostring(id)), vwanName = name
+) on $left.vwanId == $right.vwanId
+| project recommendationId = "f0d4f766-ac19-48c4-b228-4601cc038baa", name, id, tags, param1=strcat("vHub Name: ", vhubName), param2=strcat("vWAN Name: ", vwanName)
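Review bot: `| where isnull(scope) or strlen(scope) == 0` has a dead disjunct: `scope` is a string column (it was produced by `tolower(tostring(scope))` in the subquery) and Kusto string columns never hold null, so an unmatched leftouter row yields an empty string and `isnull(scope)` is always false. `| where isempty(scope)` is the idiomatic form and is also what the ExpressRoute and virtual-hub queries in this change effectively test with `strlen(scope) == 0`. As in the sibling queries, the subquery does not check `properties.enabled`, so a disabled rule still counts as monitoring.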
diff --git a/azure-resources/Network/vpnSites/_index.md b/azure-resources/Network/vpnSites/_index.md
index 14f610950..3bce1825e 100644
--- a/azure-resources/Network/vpnSites/_index.md
+++ b/azure-resources/Network/vpnSites/_index.md
@@ -1,7 +1,7 @@
 ---
 title: vpnSites
 geekdocCollapseSection: true
-geekdocHidden: true
+geekdocHidden: false
 ---
 
 {{< azure-resources-recommendationlist name="azure-resources-recommendationlist" >}}
diff --git a/azure-resources/Network/vpnSites/kql/02bdbdb8-d138-4090-951c-23e45b8700f7.kql b/azure-resources/Network/vpnSites/kql/02bdbdb8-d138-4090-951c-23e45b8700f7.kql
new file mode 100644
index 000000000..62578b876
--- /dev/null
+++ b/azure-resources/Network/vpnSites/kql/02bdbdb8-d138-4090-951c-23e45b8700f7.kql
@@ -0,0 +1,16 @@
+// Azure Resource Graph Query
+// Find if Virtual Hub has less than one VPN Site Link
+
+resources
+| where type == "microsoft.network/vpnsites"
+| extend vpnSiteLinks = properties.vpnSiteLinks
+| mv-expand vpnSiteLink = vpnSiteLinks
+| extend virtualWanId = tostring(properties.virtualWan.id)
+| summarize vpnSiteLinksCount = count() by virtualWanId
+| where vpnSiteLinksCount < 2
+| join (
+ resources
+ | where type == "microsoft.network/virtualwans"
+ | project id, name, tags
+) on $left.virtualWanId == $right.id
+| project recommendationId = "02bdbdb8-d138-4090-951c-23e45b8700f7", name, id, tags, param1 = vpnSiteLinksCount
diff --git a/azure-resources/Network/vpnSites/recommendations.yaml b/azure-resources/Network/vpnSites/recommendations.yaml
new file mode 100644
index 000000000..4f4699ccc
--- /dev/null
+++ b/azure-resources/Network/vpnSites/recommendations.yaml
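Review bot: The header `// Find if Virtual Hub has less than one VPN Site Link` does not describe what the pipeline does: links are counted across all `microsoft.network/vpnsites` of a virtual WAN (`summarize vpnSiteLinksCount = count() by virtualWanId`) and the test is `< 2`, so no hub is inspected, a vWAN with two single-link sites passes, and a single-link site is hidden behind another site's links. If the intent, per the recommendation's title, is that every site has redundant links, count per site, e.g. `| summarize vpnSiteLinksCount = count() by vpnSiteId = tolower(tostring(id)), vpnSiteName = name, virtualWanId = tolower(tostring(properties.virtualWan.id))`, have the final `project` report the site's id and name, and fix the comment to `// Find VPN Sites with fewer than two VPN Site Links`. Whatever the grouping, the `join` on `$left.virtualWanId == $right.id` is a case-sensitive inner join, unlike the `tolower()` leftouter joins elsewhere in this change, so a casing mismatch silently drops the finding.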
@@ -0,0 +1,16 @@
+- description: Configure diverse VPN Site links to different VPN concentrators on-premises.
+ aprlGuid: 02bdbdb8-d138-4090-951c-23e45b8700f7
+ recommendationTypeId: null
+ recommendationControl: DisasterRecovery
+ recommendationImpact: Medium
+ recommendationResourceType: Microsoft.Network/vpnSites
+ recommendationMetadataState: Active
+ longDescription: Deploying active-active VPN concentrators leverages the High Availability capabilities of the VPN Gateway on Virtual Hubs using a fully-meshed topology with four IPSec tunnels.
+ potentialBenefits: Fault tolerance and high availability.
+ pgVerified: false
+ automationAvailable: false
+ tags: null
+ learnMoreLink:
+ - name: vWAN VPN Gateway Disaster Recovery
+ url: "https://learn.microsoft.com/en-us/azure/virtual-wan/disaster-recovery-design#multi-link-topology"
+
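Review bot: `recommendationResourceType: Microsoft.Network/vpnSites` does not match what the paired query `kql/02bdbdb8-d138-4090-951c-23e45b8700f7.kql` emits: after its `summarize … by virtualWanId` and the join, the `name`, `id` and `tags` it projects belong to the `microsoft.network/virtualwans` resource, so findings will be attributed to the vWAN rather than to a VPN site. Either the query should report the site, or this entry should declare `Microsoft.Network/virtualWans`. `automationAvailable: false` next to a newly added query also looks inconsistent; if the flag marks that a query exists, set it to `true`.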