Enable Autoscale Notifications

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-034

Ensure that email or webhook-based alert notifications are enabled for your Microsoft Azure virtual machine scale sets in order to get notified of successful or failed autoscale actions. Email notifications can be sent to any valid email address that you configure. Administrators and co-administrators of the Azure subscription where the virtual machine scale set is running will also be notified. Webhooks allow you to route the autoscale alert notifications to other systems for post-processing or custom notifications. For example, you can route notifications to services that can handle an incoming web request to send SMS messages or notify a DevOps team using chat or messaging apps.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability
Performance efficiency

Autoscale alert notifications can increase the reliability and availability of the applications deployed within your Azure virtual machine scale sets by allowing you to act fast and mitigate scaling issues such as failed VM instance launches.

Note: Autoscale notifications cannot be enabled for virtual machine scale sets configured with manual scaling.


Audit

To determine if your Azure virtual machine scale sets are configured to send autoscale alert notifications, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Portal.

02 Navigate to the All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine scale set to list only the Azure virtual machine scale sets created in the selected subscription.

05 Click on the name of the virtual machine scale set that you want to examine.

06 In the navigation panel, under Settings, select Scaling to access the scaling settings available for the selected VM scale set.

07 On the Scaling configuration page, select the Notify tab, and check the autoscale notification configuration settings. If no settings are available and the following message is displayed instead: "You can only notify when autoscale is enabled.", the selected virtual machine scale set is not using autoscaling. If the autoscale notification settings are displayed but there are no email administrator addresses or webhooks configured as recipients for alert notifications, autoscale notifications are not enabled for the selected Microsoft Azure virtual machine scale set.

08 Repeat steps no. 5 – 7 for each Azure virtual machine scale set available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers:

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the vmss list command (Windows/macOS/Linux) using custom query filters to list the ID and the associated resource group of each virtual machine scale set provisioned in the selected Azure subscription:

az vmss list \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--query '[*].{id:id, resourceGroup:resourceGroup}'

04 The command output should return the requested virtual machine scale set identifiers:

[
  {
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachineScaleSets/cc-project5-scale-set",
    "resourceGroup": "cloud-shell-storage-westeurope"
  },
  {
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachineScaleSets/cc-web-front-scale-set",
    "resourceGroup": "cloud-shell-storage-westeurope"
  }
]

05 Run the monitor autoscale list command (Windows/macOS/Linux) to list the ID of each autoscale configuration and its associated virtual machine scale set, available in the selected Azure resource group:

az monitor autoscale list \
	--resource-group cloud-shell-storage-westeurope \
	--query '[*].{targetId:targetResourceUri, id:id}'

06 The command output should return the requested identifiers. id represents the ID of the autoscale configuration and targetId represents the ID of the VM scale set associated with the autoscale configuration:

[
  {
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/autoscalesettings/cc-project5-scale-set-Autoscale-30",
    "targetId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachineScaleSets/cc-project5-scale-set"
  },
  {
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/autoscalesettings/cc-web-front-scale-set-Autoscale-55",
    "targetId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachineScaleSets/cc-web-front-scale-set"
  }
]

07 Run the monitor autoscale show command (Windows/macOS/Linux) using the ID of the autoscale configuration associated with the VM scale set that you want to examine as the identifier parameter, to describe the autoscale notification configuration available for the selected scale set:

az monitor autoscale show \
	--ids /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/autoscalesettings/cc-project5-scale-set-Autoscale-30 \
	--query '{enabled:enabled, notifications:notifications}'

08 The command output should return the autoscale notification configuration object:

{
  "enabled": false,
  "notifications": [
    {
      "email": {
        "customEmails": [],
        "sendToSubscriptionAdministrator": false,
        "sendToSubscriptionCoAdministrators": false
      },
      "webhooks": []
    }
  ]
}

If the monitor autoscale show command output returns enabled set to false, or an empty array, i.e. [], the selected virtual machine scale set is not using autoscaling. If the command output returns enabled set to true and a configuration object, but there are no email administrator addresses or webhooks configured as recipients for alert notifications, as shown in the output example above, autoscale notifications are not enabled for the selected Microsoft Azure virtual machine scale set.

09 Repeat steps no. 7 and 8 for each Azure virtual machine scale set deployed in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.
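
The CLI audit above, applied to saved command output, as an added example (not part of the original page or of the Conformity tool). It assumes the full JSON returned by az vmss list and az monitor autoscale list (without --query) has been loaded into Python lists; the function names, status labels, sample data and the non-HTTPS webhook check are assumptions of this example.

```python
from urllib.parse import urlsplit

def classify(setting):
    """Return (status, findings) for one autoscale setting object."""
    if not setting.get("enabled"):
        return "not-autoscaling", []
    emails, admins, hooks = [], False, []
    for n in setting.get("notifications") or []:
        email = n.get("email") or {}
        emails += email.get("customEmails") or []
        admins = admins or bool(email.get("sendToSubscriptionAdministrator")
                                or email.get("sendToSubscriptionCoAdministrators"))
        hooks += [w.get("serviceUri", "") for w in n.get("webhooks") or []]
    if not (emails or admins or hooks):
        return "notifications-missing", []
    # Extra check, not part of the rule: a token in the query string of an
    # http:// webhook URI is sent in clear text. Only the host is reported.
    findings = ["non-HTTPS webhook: " + urlsplit(u).netloc
                for u in hooks if urlsplit(u).scheme.lower() != "https"]
    return "notifications-enabled", findings

def audit(scale_sets, autoscale_settings):
    """Join scale sets to autoscale settings on targetResourceUri, ignoring case."""
    by_target = {s["targetResourceUri"].lower(): s for s in autoscale_settings}
    report = {}
    for vmss in scale_sets:
        setting = by_target.get(vmss["id"].lower())  # None: no autoscale setting
        name = vmss["id"].rsplit("/", 1)[-1]
        report[name] = classify(setting) if setting else ("not-autoscaling", [])
    return report

# Constructed sample data shaped like the CLI output shown above.
VMSS = ("/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/"
        "cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachineScaleSets/")
NO_EMAIL = {"customEmails": [], "sendToSubscriptionAdministrator": False,
            "sendToSubscriptionCoAdministrators": False}
SCALE_SETS = [{"id": VMSS + n} for n in
              ("cc-project5-scale-set", "cc-web-front-scale-set", "cc-manual-scale-set")]
SETTINGS = [
    {"targetResourceUri": VMSS + "cc-project5-scale-set", "enabled": True,
     "notifications": [{"email": NO_EMAIL, "webhooks": []}]},
    {"targetResourceUri": (VMSS + "cc-web-front-scale-set").lower(), "enabled": True,
     "notifications": [{"email": NO_EMAIL, "webhooks": [
         {"properties": {}, "serviceUri": "http://hooks.example.com/scale?token=constructed"}]}]},
]

if __name__ == "__main__":
    for name, (status, findings) in audit(SCALE_SETS, SETTINGS).items():
        print(name, status, *findings)
```

Scale sets reported as notifications-missing are the ones this rule flags; not-autoscaling covers both a disabled autoscale setting and a scale set with no autoscale setting at all.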

Remediation / Resolution

To enable autoscale alert notifications for your Azure virtual machine scale sets, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Portal.

02 Navigate to the All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine scale set to list only the virtual machine scale sets deployed in the selected subscription.

05 Click on the name of the virtual machine scale set that you want to reconfigure.

06 In the navigation panel, under Settings, select Scaling to access the scaling settings available for the selected VM scale set.

07 On the Scaling configuration page, select the Notify tab, and perform the following operations:

  1. If you want your Azure subscription administrators to be notified for autoscale actions via email, select Email administrators and Email co-administrators checkboxes, and/or add one or more email addresses, separated by semicolons, in the Additional administrator email(s) box.
  2. If you want to use webhooks to route autoscale alert notifications to other systems or notification channels, provide your webhook URI in the Webhook configuration box. The webhook URI must be a valid HTTP or HTTPS endpoint.
  3. Click Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 to enable autoscale notifications for other Azure virtual machine scale sets created within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 (Optional) If this is the first time you are configuring this autoscale setting, run the monitor autoscale update command (Windows/macOS/Linux) using the ID of the autoscale configuration associated with the virtual machine scale set that you want to configure as the identifier parameter, to initialize notifications for the selected VM scale set:

az monitor autoscale update \
	--ids /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/autoscalesettings/cc-project5-scale-set-Autoscale-30 \
	--add notifications '{"email": {"customEmails":[]},"webhooks":[]}' \
	--query 'notifications'

02 The command output should return the autoscale notification configuration metadata:

[
  {
    "email": {
      "customEmails": [],
      "sendToSubscriptionAdministrator": false,
      "sendToSubscriptionCoAdministrators": false
    },
    "webhooks": []
  }
]

03 Run the monitor autoscale update command (Windows/macOS/Linux) using the ID of the autoscale configuration associated with the virtual machine scale set that you want to reconfigure as the identifier parameter, to enable autoscale email notifications for the selected VM scale set. In the following command request example, the Azure subscription administrators and the person managing the "admin@cloudconformity.com" email address will be notified of autoscale actions via email:

az monitor autoscale update \
	--ids /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/autoscalesettings/cc-project5-scale-set-Autoscale-30 \
	--email-administrator true \
	--email-coadministrators true \
	--add-action email admin@cloudconformity.com \
	--query 'notifications'

04 The command output should return the autoscale notification configuration metadata:

[
  {
    "email": {
      "customEmails": [
        "admin@cloudconformity.com"
      ],
      "sendToSubscriptionAdministrator": true,
      "sendToSubscriptionCoAdministrators": true
    },
    "webhooks": []
  }
]

05 Run the monitor autoscale update command (Windows/macOS/Linux) using the ID of the autoscale configuration associated with the virtual machine scale set that you want to reconfigure as the identifier parameter, to enable autoscale alert notifications via webhooks for the selected VM scale set. The webhook used can authenticate with token-based authentication, where you save the webhook URI with a token ID as a query parameter. In the following command example, the webhook URI used is "https://webhook.cloudconformity.com?token=abcd1234". The webhook URI must be a valid HTTP or HTTPS endpoint:

az monitor autoscale update \
	--ids /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/autoscalesettings/cc-project5-scale-set-Autoscale-30 \
	--add-action webhook "https://webhook.cloudconformity.com?token=abcd1234" \
	--query 'notifications'

06 The command output should return the autoscale notification configuration metadata:

[
  {
    "email": {
      "customEmails": [],
      "sendToSubscriptionAdministrator": false,
      "sendToSubscriptionCoAdministrators": false
    },
    "webhooks": [
      {
        "properties": {},
        "serviceUri": "https://webhook.cloudconformity.com?token=abcd1234"
      }
    ]
  }
]

07 Repeat steps no. 3 – 6 to enable autoscale notifications for other Azure virtual machine scale sets deployed in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Publication date Jul 9, 2020