Controls (WAF-PERF)

The Performance Efficiency pillar is operationalized through 10 measurable controls. Each control has a unique ID in the format WAF-PERF-NNN, a severity rating, machine-readable YAML checks, and a maturity graduation.

The YAML source files are located under modules/controls/controls/WAF-PERF-*.yml and can be executed directly by the WAF++ Checker Tool.

Controls Overview

Control ID     Title                                               Severity  Category
-------------  --------------------------------------------------  --------  ----------------------
WAF-PERF-010   Compute Instance Type & Sizing Validated            High      Compute Sizing
WAF-PERF-020   Auto-Scaling Configured & Tested                    High      Auto-Scaling
WAF-PERF-030   Caching Strategy Defined & Implemented              Medium    Caching
WAF-PERF-040   Database Performance Baseline & Index Strategy      High      Database Performance
WAF-PERF-050   Performance Monitoring & SLO Definition             High      Observability
WAF-PERF-060   Load & Stress Testing in CI/CD Pipeline             Medium    Load Testing
WAF-PERF-070   Network Latency & Topology Optimization             Medium    Network Performance
WAF-PERF-080   Serverless & Managed Services for Variable Load     Low       Compute Architecture
WAF-PERF-090   Storage I/O Performance & Throughput Optimization   Medium    Storage Performance
WAF-PERF-100   Performance Debt Register & Quarterly Review        Medium    Performance Governance


WAF-PERF-010 – Compute Instance Type & Sizing Validated

Severity: High | Category: Compute Sizing | Automatable: High

Intent: Instance types must be chosen based on measured utilization data, not intuition or fear of under-provisioning.

Requirement: All compute resources MUST use current instance generations. Sizing decisions MUST be backed by measured CPU/memory baselines. Over- and under-provisioned resources MUST be reviewed quarterly.

Terraform Checks (excerpt):

  • waf-perf-010.tf.aws.ec2-current-generation – No previous-generation instance types (t2, m4, c4)

  • waf-perf-010.tf.azurerm.vm-sizing-documented – Azure VMs with current size and sizing tag

  • waf-perf-010.tf.google.gce-machine-type-validated – GCP N2/C2 instead of N1 machine types

Evidence:

  • Sizing document or ADR section with measured baselines (Required)

  • Terraform configuration with current instance types (Required)


WAF-PERF-020 – Auto-Scaling Configured & Tested

Severity: High | Category: Auto-Scaling | Automatable: High

Intent: Static capacity is the wrong model for variable load. Auto-scaling must not only be configured, but validated under load.

Requirement: All stateless production workloads MUST have auto-scaling configured. Scaling metrics MUST be based on application behavior. Scaling configuration MUST be validated through load tests.

Terraform Checks (excerpt):

  • waf-perf-020.tf.aws.autoscaling-group-policy – ASG min >= 1, max >= 2, health check configured

  • waf-perf-020.tf.azurerm.vmss-autoscale – Azure Monitor Autoscale Settings enabled

  • waf-perf-020.tf.google.managed-instance-group-autoscaler – GCP autoscaler with policy

Evidence:

  • IaC configuration with min/max and scaling policy (Required)

  • Load test results demonstrating the scaling trigger (Required)


WAF-PERF-030 – Caching Strategy Defined & Implemented

Severity: Medium | Category: Caching | Automatable: Medium

Intent: Caching without a strategy creates inconsistency. Caching without measurement creates false confidence.

Requirement: A documented caching strategy MUST exist for all read-heavy workloads. Distributed cache MUST be used for session data and high-frequency lookups. CDN MUST be configured for all public static content.

Terraform Checks (excerpt):

  • waf-perf-030.tf.aws.elasticache-cluster-configured – Automatic failover, multi-node, encryption

  • waf-perf-030.tf.azurerm.redis-cache-premium – Standard/Premium SKU, no non-SSL port, TLS 1.2

  • waf-perf-030.tf.google.memorystore-redis-ha – STANDARD_HA tier, transit encryption

Evidence:

  • Caching strategy document (Required)

  • IaC configuration for cache services and CDN (Required)


WAF-PERF-040 – Database Performance Baseline & Index Strategy

Severity: High | Category: Database Performance | Automatable: High

Intent: Missing indexes are the most common cause of database performance problems. Slow query logs are the most important diagnostic tool.

Requirement: Performance Insights MUST be active on all production databases. Slow query logging MUST be enabled and reviewed monthly. An index strategy MUST be documented for all high-frequency queries.

Terraform Checks (excerpt):

  • waf-perf-040.tf.aws.rds-performance-insights – Performance Insights, enhanced monitoring, CW logs

  • waf-perf-040.tf.azurerm.sql-query-insights – TLS 1.2, no public_network_access, audit policy

  • waf-perf-040.tf.google.cloudsql-insights-enabled – Query Insights, backups, deletion protection

Evidence:

  • Performance Insights or slow query log configuration (Required)

  • Index strategy document (Required)


WAF-PERF-050 – Performance Monitoring & SLO Definition

Severity: High | Category: Observability | Automatable: Medium–High

Intent: Without SLOs there is no objective criterion for "good enough". Without error budgets there is no objective criterion for "stop, we need to stabilize".

Requirement: All production services MUST have SLOs with P95/P99 latency targets, error rate, and availability. SLIs MUST be continuously instrumented and measured. SLO burn rate alerting MUST be configured.

Terraform Checks (excerpt):

  • waf-perf-050.tf.aws.cloudwatch-latency-alarm – P99 latency alarm with actions and description

  • waf-perf-050.tf.azurerm.app-insights-availability – Application Insights with retention >= 30 days

  • waf-perf-050.tf.google.monitoring-uptime-check – Alert policy with notification channels, enabled

Evidence:

  • SLO document for all production services (Required)

  • Monitoring configuration with SLI instrumentation (Required)
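The burn-rate alerting that this control requires is easiest to reason about with numbers. The following is an added example (not part of WAF++ or its checker tool) that computes an error-budget burn rate from error/request counts and applies the common two-window rule: page only when both a long window and a short confirmation window burn faster than a threshold. The SLO target, window sizes and the 2%-of-budget-in-one-hour threshold are assumptions chosen for the illustration; the control itself prescribes no specific values.

```python
"""Error-budget burn-rate calculation and multi-window alert decision.

Added example for WAF-PERF-050; the SLO target, windows and thresholds below
are assumptions for illustration, not values mandated by the control.
"""


def burn_rate(errors: int, total: int, slo_target: float) -> float:
    """Burn rate for one window: observed error ratio / allowed error ratio.

    A burn rate of 1.0 spends the budget exactly over the SLO period;
    anything above 1.0 spends it faster. Rounded to suppress float noise
    so that comparisons against a threshold are stable.
    """
    if total <= 0:
        return 0.0  # no traffic in the window: nothing burned
    budget = 1.0 - slo_target
    if budget <= 0:
        raise ValueError("SLO target must be strictly below 1.0")
    return round((errors / total) / budget, 6)


def burn_rate_threshold(budget_fraction: float, window_hours: float,
                        period_days: int = 30) -> float:
    """Burn rate at which `budget_fraction` of the period's budget is consumed
    within `window_hours`. Example: 2% of a 30-day budget in 1 hour -> 14.4."""
    return round(budget_fraction * period_days * 24 / window_hours, 6)


def should_page(long_window: tuple, short_window: tuple,
                slo_target: float, threshold: float) -> bool:
    """Two-window rule. `long_window` / `short_window` are (errors, total).

    The long window (e.g. 1h) gives statistical confidence that budget is
    really being spent; the short window (e.g. 5m) confirms the burn is still
    happening, so the alert does not fire or stay open after recovery.
    """
    long_rate = burn_rate(*long_window, slo_target)
    short_rate = burn_rate(*short_window, slo_target)
    return long_rate >= threshold and short_rate >= threshold


if __name__ == "__main__":
    SLO = 0.999  # assumed 99.9% availability SLO
    page_threshold = burn_rate_threshold(0.02, window_hours=1)  # 14.4
    # Constructed counters: 150 errors of 10,000 requests in the last hour,
    # 10 errors of 500 requests in the last five minutes.
    print("threshold:", page_threshold)
    print("1h burn rate:", burn_rate(150, 10_000, SLO))
    print("page?", should_page((150, 10_000), (10, 500), SLO, page_threshold))
    # Same hour, but the last five minutes are clean: incident is over, no page.
    print("page after recovery?", should_page((150, 10_000), (0, 500), SLO, page_threshold))
```

The long window alone would keep paging for an hour after the errors stop; the short window is what turns the alert off. A lower-severity ticket tier is usually added with a longer window and a smaller threshold using the same two functions.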


WAF-PERF-060 – Load & Stress Testing in CI/CD Pipeline

Severity: Medium | Category: Load Testing | Automatable: Medium

Intent: Every untested scaling configuration is an untested safety net. Performance regressions must be taken as seriously as functional bugs.

Requirement: Load tests MUST be automatically executed as a deployment gate in the CI/CD pipeline. Acceptance criteria MUST be defined before the load test. Performance regressions (>10% P99 increase) MUST be automatically detected.

Terraform Checks (excerpt):

  • waf-perf-060.tf.aws.codepipeline-performance-stage – CodePipeline with performance test stage

  • waf-perf-060.tf.azurerm.devops-pipeline-perf-gate – Azure DevOps pipeline with perf gate

  • waf-perf-060.tf.google.cloud-build-perf-step – Cloud Build trigger enabled with performance steps

Evidence:

  • Load test scripts with acceptance criteria in version control (Required)

  • CI/CD pipeline configuration with load test gate (Required)

Best Practice: Load & Stress Testing →
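The regression rule above (fail the gate on a P99 increase greater than 10%) is small enough to show end to end. The following is an added example, not code from WAF++ or any of the listed pipeline checks: it computes a nearest-rank P99 from raw latency samples, compares a candidate run against a stored baseline and returns a gate verdict the pipeline can turn into an exit code. The latency samples are constructed inline for the illustration; a real gate would read them from the load-test tool's output.

```python
"""P99 latency regression gate for a CI/CD load-test stage.

Added example for WAF-PERF-060. The samples are constructed; the 10% P99
threshold is the one stated in the control.
"""
import math
from typing import NamedTuple, Sequence


def percentile(samples: Sequence[float], p: float) -> float:
    """Nearest-rank percentile (no interpolation): P99 is always a latency
    that was actually observed, which keeps tail comparisons honest."""
    if not samples:
        raise ValueError("no latency samples")
    ordered = sorted(samples)
    rank = math.ceil(p / 100.0 * len(ordered))
    return ordered[max(rank, 1) - 1]


class GateResult(NamedTuple):
    passed: bool
    baseline_p99: float
    candidate_p99: float
    increase: float  # relative change, e.g. 0.15 for +15%


def regression_gate(baseline_ms: Sequence[float], candidate_ms: Sequence[float],
                    max_increase: float = 0.10, p: float = 99) -> GateResult:
    """Fail when the candidate's tail latency grew by more than `max_increase`.

    The acceptance criterion (max_increase) is fixed before the test runs,
    as the control requires, rather than chosen after looking at results.
    """
    base = percentile(baseline_ms, p)
    cand = percentile(candidate_ms, p)
    if base == 0:
        increase = 0.0 if cand == 0 else math.inf
    else:
        increase = (cand - base) / base
    return GateResult(increase <= max_increase, base, cand, round(increase, 4))


# Constructed samples: 100 requests each. Means are almost identical; only the
# tail moves, which is exactly what a P99 gate is meant to catch.
BASELINE_MS = [100.0] * 90 + [200.0] * 9 + [500.0]
CANDIDATE_FAIL_MS = [100.0] * 90 + [230.0] * 9 + [500.0]   # P99 +15%
CANDIDATE_PASS_MS = [100.0] * 90 + [215.0] * 9 + [500.0]   # P99 +7.5%


if __name__ == "__main__":
    import sys
    for name, run in (("fail", CANDIDATE_FAIL_MS), ("pass", CANDIDATE_PASS_MS)):
        result = regression_gate(BASELINE_MS, run)
        print(name, result)
    # A pipeline would exit non-zero on failure so the stage blocks deployment.
    sys.exit(0 if regression_gate(BASELINE_MS, CANDIDATE_PASS_MS).passed else 1)
```

Note that both candidate runs have a mean within a fraction of a percent of the baseline; a gate on average latency would pass the run that regressed P99 by 15%, which is why the control is phrased in terms of P99.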


WAF-PERF-070 – Network Latency & Topology Optimization

Severity: Medium | Category: Network Performance | Automatable: Medium

Intent: Network latency is cumulative. Every cross-AZ hop, every internet round-trip to a cloud service, every CDN miss adds to the user response time.

Requirement: CDN MUST be configured for all public static and cacheable content. VPC endpoints MUST be used for all cloud service API access from private subnets. Cross-AZ traffic in latency-sensitive paths MUST be minimized.

Terraform Checks (excerpt):

  • waf-perf-070.tf.aws.vpc-endpoint-s3 – Gateway VPC endpoint for S3 in private subnets

  • waf-perf-070.tf.azurerm.cdn-profile-configured – Azure CDN or Front Door for public apps

  • waf-perf-070.tf.google.cloud-cdn-enabled – Cloud CDN enabled on external backend services

Evidence:

  • IaC configuration with CDN and VPC endpoints (Required)

  • Network topology diagram (Required)


WAF-PERF-080 – Serverless & Managed Services for Variable Load

Severity: Low | Category: Compute Architecture | Automatable: Medium

Intent: Serverless architectures are often the most cost-efficient and performant solution for variable load – but only when correctly configured.

Requirement: Variable load workloads SHOULD be evaluated for serverless suitability. Lambda/functions MUST have explicitly configured memory, timeout, and concurrency. Cold start mitigation MUST be evaluated for latency-sensitive functions.

Terraform Checks (excerpt):

  • waf-perf-080.tf.aws.lambda-memory-timeout-configured – Memory >= 256MB, timeout set, reserved concurrency

  • waf-perf-080.tf.azurerm.function-app-plan-configured – Premium or Dedicated plan for production

  • waf-perf-080.tf.google.cloud-run-min-instances – Min instances > 0 for latency-sensitive services

Evidence:

  • IaC configuration with explicit memory, timeout, concurrency (Required)

  • Serverless adoption documentation (Required)


WAF-PERF-090 – Storage I/O Performance & Throughput Optimization

Severity: Medium | Category: Storage Performance | Automatable: High

Intent: Storage I/O is the bottleneck most often overlooked. gp2 burst-credit exhaustion and the wrong disk type are frequent causes of unexplained latency spikes.


Requirement: All new EBS volumes MUST use gp3 instead of gp2. Storage type MUST match the workload (Premium SSD for databases, HDD for archives). IOPS and throughput MUST be explicitly configured. Storage I/O alerts MUST be configured.

Terraform Checks (excerpt):

  • waf-perf-090.tf.aws.ebs-gp3-volume-type – gp3 instead of gp2; explicit IOPS and throughput

  • waf-perf-090.tf.azurerm.managed-disk-premium – Premium_LRS for database volumes

  • waf-perf-090.tf.google.persistent-disk-ssd – pd-ssd or pd-balanced instead of pd-standard

Evidence:

  • IaC configuration with explicit storage type, IOPS, throughput (Required)

  • Monitoring configuration for storage I/O alerts (Required)
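The AWS checks for WAF-PERF-010 (no previous-generation instance types) and for this control (gp3 rather than gp2, with explicit IOPS and throughput) share the same mechanics: walk the planned resources and flag attribute values. The following is an added example that is not the WAF++ checker tool or its YAML check format; it implements both checks over the JSON that `terraform show -json` emits for a plan (the `planned_values.root_module` / `child_modules` / `resources` layout and the `aws_instance`, `aws_launch_template` and `aws_ebs_volume` attribute names are real Terraform output; the plan document itself is constructed for the illustration). The previous-generation families are the three the page names (t2, m4, c4); extend the set for your own policy.

```python
"""Walk a `terraform show -json` plan and flag findings for the AWS checks of
WAF-PERF-010 (instance generation) and WAF-PERF-090 (EBS volume type).

Added example; the plan below is constructed and the check ids are reused
from the page only as labels for the findings.
"""
import json
from typing import Dict, Iterator, List

# Families the page lists as previous generation; a real policy would hold more.
PREVIOUS_GEN_FAMILIES = {"t2", "m4", "c4"}


def iter_resources(module: Dict) -> Iterator[Dict]:
    """Yield every resource in a plan module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_plan(plan: Dict) -> List[Dict]:
    """Return a list of findings, each with the check id, resource address and detail."""
    findings: List[Dict] = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        rtype = res.get("type")
        addr = res.get("address")
        values = res.get("values") or {}

        # WAF-PERF-010: instance family is the part before the first dot (t2.micro -> t2)
        if rtype in ("aws_instance", "aws_launch_template"):
            itype = values.get("instance_type") or ""
            if itype.split(".", 1)[0] in PREVIOUS_GEN_FAMILIES:
                findings.append({"check": "waf-perf-010.tf.aws.ec2-current-generation",
                                 "address": addr,
                                 "detail": f"previous-generation instance type {itype}"})

        # WAF-PERF-090: gp2 is rejected; gp3 must carry explicit iops and throughput
        if rtype == "aws_ebs_volume":
            vtype = values.get("type")
            if vtype == "gp2":
                findings.append({"check": "waf-perf-090.tf.aws.ebs-gp3-volume-type",
                                 "address": addr, "detail": "gp2 volume; use gp3"})
            elif vtype == "gp3" and not (values.get("iops") and values.get("throughput")):
                findings.append({"check": "waf-perf-090.tf.aws.ebs-gp3-volume-type",
                                 "address": addr,
                                 "detail": "gp3 volume without explicit iops/throughput"})
    return findings


# Constructed plan document in the shape of `terraform show -json tfplan`.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_instance.web", "type": "aws_instance",
                 "values": {"instance_type": "t2.micro"}},
                {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
                 "values": {"type": "gp2", "size": 100}},
                {"address": "aws_ebs_volume.logs", "type": "aws_ebs_volume",
                 "values": {"type": "gp3", "size": 50, "iops": 3000, "throughput": 125}},
            ],
            "child_modules": [
                {"address": "module.asg", "resources": [
                    {"address": "module.asg.aws_instance.api", "type": "aws_instance",
                     "values": {"instance_type": "m6i.large"}},
                    {"address": "module.asg.aws_launch_template.app",
                     "type": "aws_launch_template",
                     "values": {"instance_type": "c4.large"}},
                ]},
            ],
        }
    }
}


if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print(json.dumps(finding))
```

Run against a real plan with `terraform show -json tfplan > plan.json` and `check_plan(json.load(open("plan.json")))`; values that are unknown until apply are simply absent from `planned_values`, which is why the gp3 branch treats a missing `iops` or `throughput` as a finding rather than assuming a default.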


WAF-PERF-100 – Performance Debt Register & Quarterly Review

Severity: Medium | Category: Performance Governance | Automatable: Low

Intent: Undocumented performance debt accumulates unnoticed. Documented performance debt can be prioritized and reduced.

Requirement: A performance debt register MUST be maintained with ID, description, impact, owner, and priority. Quarterly reviews MUST take place. Every performance incident MUST create a register entry.

Terraform Checks (excerpt):

  • waf-perf-100.tf.aws.config-performance-rules – AWS Config with performance governance rules

  • waf-perf-100.tf.azurerm.policy-performance-governance – Azure Policy with performance initiatives

  • waf-perf-100.tf.google.security-health-analytics – GCP SCC notification for performance findings

Evidence:

  • Performance debt register (Required)

  • Quarterly review documentation (Required)