
Enable Accelerated Networking for Virtual Machines

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-023

Ensure that the Accelerated Networking feature is enabled for your Azure virtual machines (VMs) in order to provide low latency and high throughput for the network interfaces (NICs) attached to the VMs. Accelerated networking enables single root input/output virtualization (SR-IOV) for virtual machines, vastly improving their networking performance. This high-performance pathway bypasses the host from the datapath, reducing latency, jitter and CPU utilization, so it suits the most demanding network workloads that can be installed on the supported VM types.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Performance efficiency

Without accelerated networking, all network traffic in and out of the virtual machine must traverse the host and the virtual switch. The virtual switch provides all policy enforcement, such as network security groups, Access Control Lists (ACLs), isolation, and other network virtualized services. But with accelerated networking, network traffic arrives at the virtual machine's network interface (NIC) and then it is forwarded to the VM. All network policies that the virtual switch applies are now offloaded and implemented at the hardware level and this reduces the overall latency. Applying the policy to the hardware enables the NIC to forward network traffic directly to the virtual machine (VM), bypassing the host and the virtual switch, while maintaining the policy enforcement that was applied to the host. The benefits of accelerated networking have a real impact when communicating across Azure Virtual Networks (VNets) or connecting to on-premises, as this feature provides low latency and high throughput.

Note: Accelerated networking is supported only on virtual machine instances with 4 or more vCPUs. Supported series are: D/Dsv3, E/Esv3, Fsv2, Lsv2, Ms/Mms and Ms/Mmsv2.


Audit

To determine if your Azure virtual machines (VMs) are configured with accelerated networking, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list only the virtual machines (VMs) launched in the selected subscription.

05 Click on the name of the virtual machine that you want to examine.

06 In the navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected Azure VM.

07 On the Networking page, within the Networking Interface section, check the Accelerated networking configuration attribute value. If the attribute value is set to Disabled, the Accelerated Networking feature is not enabled for the selected Microsoft Azure virtual machine.

08 Repeat steps no. 5 – 7 for each Azure virtual machine available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each virtual machine (VM) provisioned within the current Azure subscription:

az vm list \
	--query '[*].id'

02 The command output should return the requested virtual machine IDs:

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-app-server",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-server"
]

03 Run the vm show command (Windows/macOS/Linux) using the ID of the Azure virtual machine that you want to examine as the identifier parameter, to return the ID of the Azure network interface (NIC) attached to the selected VM:

az vm show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-app-server" \
	--query 'networkProfile.networkInterfaces[*].id'

04 The command output should return the requested Azure NIC identifier:

[
  "/subscriptions/49bdf5bc-c78d-41ea-b71e-01048129c0c2/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-project5-app-vm690"
]

05 Run the network nic show command (Windows/macOS/Linux) using the ID of the network interface (NIC) returned at the previous step as the identifier parameter, to expose the accelerated networking configuration status of the verified network interface:

az network nic show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-project5-app-vm690" \
	--query 'enableAcceleratedNetworking'

06 The command output should return the accelerated networking configuration status (true for enabled, false for disabled):

false

If the network nic show command output returns false, as shown in the output example above, the Accelerated Networking feature is not enabled for the selected Microsoft Azure virtual machine.

07 Repeat steps no. 3 – 6 for each Azure virtual machine deployed within the current subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.
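The audit steps above are easy to automate. The following script is an added example, not Conformity's own tooling: it walks the same three CLI calls (vm list, vm show, network nic show) for every VM in the current subscription and reports each NIC whose enableAcceleratedNetworking is not true. The evaluation logic takes the CLI runner as a parameter, so it runs offline against constructed sample data (the subscription, resource group and VM/NIC names below are placeholders modelled on the page's output) and against the real az binary when one is installed and logged in.

```python
"""Audit Azure VMs for accelerated networking (added example, not Conformity's code).

Mirrors Audit steps 1-6: list VM ids, resolve each VM's NIC ids, then read
enableAcceleratedNetworking on every NIC.  audit() is a pure function over
the JSON the CLI returns, so it can be exercised offline with sample_query()
and for real with az_json().
"""
import json
import shutil
import subprocess
from typing import Callable, Dict, List

# Placeholder identifiers (constructed, shaped like the ids on the page).
SUB = "abcdabcd-1234-abcd-1234-abcd1234abcd"
RG = "cloud-shell-storage-westeurope"


def vm_id(name: str) -> str:
    return f"/subscriptions/{SUB}/resourceGroups/{RG}/providers/Microsoft.Compute/virtualMachines/{name}"


def nic_id(name: str) -> str:
    return f"/subscriptions/{SUB}/resourceGroups/{RG}/providers/Microsoft.Network/networkInterfaces/{name}"


# Constructed sample inventory: VM -> attached NICs, NIC -> accelerated networking flag.
SAMPLE_NICS: Dict[str, List[str]] = {
    vm_id("cc-project5-app-server"): [nic_id("cc-project5-app-vm690")],
    vm_id("cc-internal-app-server"): [nic_id("cc-internal-app-vm123"), nic_id("cc-internal-app-vm124")],
}
SAMPLE_NIC_ENABLED: Dict[str, object] = {
    nic_id("cc-project5-app-vm690"): False,
    nic_id("cc-internal-app-vm123"): True,
    nic_id("cc-internal-app-vm124"): None,  # flag absent on older NIC output: treat as disabled
}

Query = Callable[[List[str]], object]


def audit(query: Query) -> Dict[str, List[str]]:
    """Return {vm_id: [nic ids without accelerated networking]} for non-compliant VMs only."""
    findings: Dict[str, List[str]] = {}
    for vm in query(["vm", "list", "--query", "[*].id"]):
        nic_ids = query(["vm", "show", "--ids", vm, "--query", "networkProfile.networkInterfaces[*].id"])
        disabled = [
            nic for nic in nic_ids
            # Anything other than an explicit true (false or null) counts as a finding.
            if query(["network", "nic", "show", "--ids", nic, "--query", "enableAcceleratedNetworking"]) is not True
        ]
        if disabled:
            findings[vm] = disabled
    return findings


def az_json(args: List[str]) -> object:
    """Run the real Azure CLI (requires `az login`) and parse its JSON output."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def sample_query(args: List[str]) -> object:
    """Offline stand-in for az_json that answers from the constructed sample data."""
    if args[:2] == ["vm", "list"]:
        return list(SAMPLE_NICS)
    if args[:2] == ["vm", "show"]:
        return SAMPLE_NICS[args[3]]
    if args[:3] == ["network", "nic", "show"]:
        return SAMPLE_NIC_ENABLED[args[4]]
    raise ValueError(f"unexpected command: {args}")


if __name__ == "__main__":
    # Use the real CLI when available, otherwise demonstrate on the sample data.
    runner: Query = az_json if shutil.which("az") else sample_query
    for vm, nics in audit(runner).items():
        print(f"NON-COMPLIANT {vm}")
        for nic in nics:
            print(f"    accelerated networking disabled on {nic}")
```

Run it once per subscription after `az account set --subscription <id>`; a VM with several NICs is reported once with every NIC that fails the check, and a NIC whose JSON lacks the flag entirely is treated as disabled rather than silently passed.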

Remediation / Resolution

To enable the Accelerated Networking feature for your Microsoft Azure virtual machines (VMs), perform the following actions:

Note: Enabling accelerated networking for your Microsoft Azure virtual machines (VMs) using Azure Management Console is not currently supported.

Using Azure CLI

01 Run the vm deallocate command (Windows/macOS/Linux) to deallocate (i.e. shut down) the Azure virtual machine that you want to reconfigure – see the Audit section, part II, to identify the right VM (the command does not produce an output):

az vm deallocate \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-app-server"

02 Run the network nic update command (Windows/macOS/Linux) using the ID of the network interface (NIC) associated with the selected virtual machine as the identifier parameter, to enable the Accelerated Networking feature, providing low latency and high throughput for the selected NIC:

az network nic update \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-project5-app-vm690" \
	--accelerated-networking true

03 The command output should return the metadata available for the updated network interface (NIC):

{
  "dnsSettings": {
    "appliedDnsServers": [],
    "dnsServers": [],
    "internalDnsNameLabel": null,
    "internalFqdn": null
  },
  "enableIpForwarding": false,
  "hostedWorkloads": [],
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-project5-app-vm690",
  "location": "westeurope",
  "name": "cc-project5-app-vm690",

  ...

  "enableAcceleratedNetworking": true,

  ...

  "primary": true,
  "privateEndpoint": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": null,
  "tapConfigurations": [],
  "type": "Microsoft.Network/networkInterfaces",
  "virtualMachine": {
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-app-server",
    "resourceGroup": "cloud-shell-storage-westeurope"
  }
}

04 Run the vm start command (Windows/macOS/Linux) to start the reconfigured Microsoft Azure virtual machine again (the command does not produce an output):

az vm start \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-app-server"

05 Repeat steps no. 1 – 4 to enable accelerated networking for other Azure virtual machines available in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.
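Because the remediation involves a deallocate (downtime) and a fixed ordering of commands, a script that encodes steps 1 to 4 and then verifies the result is safer than typing them by hand for many VMs. The following is an added example, not Conformity's code: remediation_commands() produces the exact az invocations in the required order, remediate() runs them through a caller-supplied runner and re-reads enableAcceleratedNetworking afterwards, and FakeAz is a constructed stand-in for the CLI that models the page's requirement that the VM be deallocated before its NIC is updated. The subscription, resource group and VM/NIC names are placeholders, and the script assumes the VM size is one of the supported series listed in the note above.

```python
"""Enable accelerated networking on a VM's NICs (added example, not Conformity's code).

Order is the point: deallocate the VM, update every NIC, start the VM, verify.
The runner is injected so the same logic runs against the real CLI or an
offline fake.
"""
import json
import shutil
import subprocess
from typing import Callable, Dict, List

# Placeholder identifiers (constructed, shaped like the ids on the page).
SUB = "abcdabcd-1234-abcd-1234-abcd1234abcd"
RG = "cloud-shell-storage-westeurope"
VM = f"/subscriptions/{SUB}/resourceGroups/{RG}/providers/Microsoft.Compute/virtualMachines/cc-project5-app-server"
NIC = f"/subscriptions/{SUB}/resourceGroups/{RG}/providers/Microsoft.Network/networkInterfaces/cc-project5-app-vm690"

Runner = Callable[[List[str]], object]


def remediation_commands(vm: str, nic_ids: List[str]) -> List[List[str]]:
    """az argument lists for Remediation steps 1-4, in the order they must run."""
    cmds = [["vm", "deallocate", "--ids", vm]]
    cmds += [["network", "nic", "update", "--ids", nic, "--accelerated-networking", "true"] for nic in nic_ids]
    cmds.append(["vm", "start", "--ids", vm])
    return cmds


def remediate(vm: str, nic_ids: List[str], run: Runner) -> Dict[str, bool]:
    """Run the remediation, then return {nic_id: enabled_after} read back from the NIC."""
    for cmd in remediation_commands(vm, nic_ids):
        run(cmd)
    return {
        nic: run(["network", "nic", "show", "--ids", nic, "--query", "enableAcceleratedNetworking"]) is True
        for nic in nic_ids
    }


def az_json(args: List[str]) -> object:
    """Run the real Azure CLI (requires `az login`); deallocate/start return no JSON body."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


class FakeAz:
    """Constructed offline stand-in for az: records calls, tracks NIC state, and
    refuses a NIC update while the VM is still running (the page's deallocate-first rule)."""

    def __init__(self, nic_state: Dict[str, bool]) -> None:
        self.nic_state = dict(nic_state)
        self.calls: List[List[str]] = []
        self.running = True

    def __call__(self, args: List[str]) -> object:
        self.calls.append(args)
        if args[:2] == ["vm", "deallocate"]:
            self.running = False
            return None
        if args[:2] == ["vm", "start"]:
            self.running = True
            return None
        if args[:3] == ["network", "nic", "update"]:
            if self.running:
                raise RuntimeError("deallocate the VM before changing its NIC")
            self.nic_state[args[4]] = args[6] == "true"
            return {"id": args[4], "enableAcceleratedNetworking": self.nic_state[args[4]]}
        if args[:3] == ["network", "nic", "show"]:
            return self.nic_state[args[4]]
        raise ValueError(f"unexpected command: {args}")


if __name__ == "__main__":
    # Real CLI when present; otherwise demonstrate on the fake with NIC initially disabled.
    runner: Runner = az_json if shutil.which("az") else FakeAz({NIC: False})
    for nic, enabled in remediate(VM, [NIC], runner).items():
        print(f"{nic}: accelerated networking {'enabled' if enabled else 'STILL DISABLED'}")
```

Before pointing this at real resources, feed the VM and NIC ids that the audit reported; the verification read at the end is what tells you the change actually took, rather than trusting that the update command returned without error.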


Publication date Mar 27, 2020