End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and its End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One.

Enable and Configure Health Monitoring

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-033

Ensure that the Monitor Application Health feature is enabled for all the instances running within your Azure virtual machine scale sets. Health monitoring via the Application Health extension is required for OS upgrades and automatic instance repairs. The Azure Application Health extension reports on application health from inside the virtual machine scale set instances. You can configure the health extension to probe an application endpoint and update the status of the application on that instance. Microsoft Azure checks this status to determine whether the instance is eligible for upgrade or repair operations.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability
Performance efficiency

By monitoring application health for your Microsoft Azure virtual machine scale sets, you can increase the reliability and availability of the applications deployed within these scale sets.


Audit

To determine if Monitor Application Health feature is enabled for your Azure virtual machine scale sets, perform the following actions:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Virtual machine scale set for Value, then choose Apply to list the Azure virtual machine scale sets available in the selected subscription.

05 Click on the name (link) of the virtual machine scale set that you want to examine.

06 In the resource navigation panel, under Operations, select Health and repair to access the health monitoring configuration settings available for the selected VM scale set.

07 On the Health and repair page, verify the Enable application health monitoring setting checkbox. If the Enable application health monitoring checkbox is unchecked, the application health monitoring is not enabled for the selected Microsoft Azure virtual machine scale set.

08 Repeat steps no. 5 – 7 for each Azure virtual machine scale set available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run vmss list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group of each virtual machine scale set provisioned in the selected Azure subscription:

az vmss list \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested virtual machine scale set identifiers:

Name                    ResourceGroup
---------------------   ------------------------------
cc-project5-scale-set   cloud-shell-storage-westeurope
cc-frontend-scale-set   cloud-shell-storage-westeurope

06 Run vmss show command (Windows/macOS/Linux) with the name of the Azure virtual machine scale set that you want to examine as identifier parameter and custom output filters, to list the name of each virtual machine extension installed for the selected scale set:

az vmss show \
	--name cc-project5-scale-set \
	--resource-group cloud-shell-storage-westeurope \
	--query 'virtualMachineProfile.extensionProfile.extensions[*].name'

07 The command output should return the requested VM extension names:

[
	"AzureNetworkWatcherExtension",
	"CustomScript"
]

Check the extension names in the list returned by the vmss show command output. If the list does not contain the following Application Health extension: "ApplicationHealthWindows" or "ApplicationHealthLinux" (when the extension is enabled programmatically) or "HealthExtension" (when the extension is enabled using Azure Portal), the application health monitoring (powered by Application Health extension) is not enabled for the selected Microsoft Azure virtual machine scale set.

08 Repeat steps no. 6 and 7 for each Azure virtual machine scale set deployed in the selected subscription.

09 Repeat steps no. 4 – 8 for each subscription created in your Microsoft Azure cloud account.
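The CLI audit above, written as one script (an added example, not Trend Micro or Microsoft code). The function names and the --live switch are hypothetical; the extension names are the three listed in step 07, and the sample input is constructed from that step's output.

```shell
#!/bin/sh
# Added example: automates audit steps 01-09. Not Trend Micro or Microsoft code.

# Succeeds if stdin (one extension name per line) contains one of the
# Application Health extension names listed in step 07.
has_health_extension() {
	grep -qxE 'ApplicationHealthWindows|ApplicationHealthLinux|HealthExtension'
}

# classify NAMES: prints COMPLIANT or NON_COMPLIANT for a newline-separated
# list of extension names. An empty list (no extensions) is NON_COMPLIANT.
classify() {
	if printf '%s\n' "$1" | has_health_extension; then
		echo COMPLIANT
	else
		echo NON_COMPLIANT
	fi
}

# Walks every subscription and scale set visible to the signed-in account and
# prints: subscription, resource group, scale set, verdict (tab-separated).
# "--output tsv" prints one value per line, so no JSON parser is needed.
# "< /dev/null" keeps az from consuming the list the loop is reading.
audit_all_subscriptions() {
	tab=$(printf '\t')
	az account list --query '[*].id' --output tsv |
	while read -r sub; do
		az vmss list --subscription "$sub" \
			--query '[*].[name, resourceGroup]' --output tsv < /dev/null |
		while IFS="$tab" read -r name rg; do
			names=$(az vmss show --subscription "$sub" \
				--name "$name" --resource-group "$rg" \
				--query 'virtualMachineProfile.extensionProfile.extensions[*].name' \
				--output tsv < /dev/null)
			printf '%s\t%s\t%s\t%s\n' "$sub" "$rg" "$name" "$(classify "$names")"
		done
	done
}

# Constructed sample: the extension names from the step 07 output above.
sample_names='AzureNetworkWatcherExtension
CustomScript'

if [ "${1:-}" = "--live" ]; then
	audit_all_subscriptions          # requires a prior "az login"
else
	printf 'sample scale set\t%s\n' "$(classify "$sample_names")"
fi
```

The match is on the whole extension name, so a differently named extension is reported as NON_COMPLIANT even if it is the Application Health extension under another name.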

Remediation / Resolution

To enable and configure application health monitoring for your Microsoft Azure virtual machine scale sets using Application Health extension, perform the following actions:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Virtual machine scale set for Value, then choose Apply to list the Azure virtual machine scale sets available in the selected subscription.

05 Click on the name (link) of the virtual machine scale set that you want to configure.

06 In the resource navigation panel, under Operations, select Health and repair to access the health monitoring configuration settings available for the selected VM scale set.

07 On the Health and repair configuration page, perform the following actions:

  1. Check the Enable application health monitoring checkbox to enable application health monitoring for the selected virtual machine scale set.
  2. Choose Application health extension from the Application health monitor dropdown list to monitor application health using the Application Health VM extension.
  3. From the Protocol dropdown list, choose the network protocol used by your application to report health. Select the appropriate protocol based on your application requirements. Protocol options are HTTP, HTTPS or TCP.
  4. For Port number, type the network port used to monitor application health, e.g., 80.
  5. For Path, provide the application endpoint path used to report application health, e.g., /.
  6. Choose Save to apply the configuration changes and install the Application Health extension.

08 Repeat steps no. 5 – 7 to enable application health monitoring for the other Azure virtual machine scale sets available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run vmss extension set command (Windows/macOS/Linux) with the name of the Azure virtual machine scale set that you want to configure as the identifier parameter, to enable application health monitoring for the selected VM scale set by installing and configuring the Application Health extension. The following command example enables application health monitoring for a Windows VM scale set named "cc-project5-scale-set", using HTTP port 80 with the endpoint path set to "/" (i.e., the health check URL to probe) to monitor application health. For Linux VM scale sets, use ApplicationHealthLinux for the --name parameter:

az vmss extension set \
	--name ApplicationHealthWindows \
	--publisher Microsoft.ManagedServices \
	--version 2.0 \
	--vmss-name cc-project5-scale-set \
	--resource-group cloud-shell-storage-westeurope \
	--settings '{"port": 80, "protocol": "http", "requestPath": "/"}' \
	--query 'virtualMachineProfile.extensionProfile.extensions[*]'

05 The command output should return the information available for the extensions installed on the configured scale set (including the Application Health extension):

[
	{
		"autoUpgradeMinorVersion": true,
		"enableAutomaticUpgrade": null,
		"forceUpdateTag": null,
		"id": null,
		"name": "ApplicationHealthWindows",
		"protectedSettings": null,
		"protectedSettingsFromKeyVault": null,
		"provisionAfterExtensions": null,
		"provisioningState": null,
		"publisher": "Microsoft.ManagedServices",
		"settings": {
			"port": 80,
			"protocol": "http",
			"requestPath": "/"
		},
		"suppressFailures": null,
		"type": null,
		"typeHandlerVersion": "2.0",
		"typePropertiesType": "ApplicationHealthWindows"
	},
	{
		"autoUpgradeMinorVersion": true,
		"forceUpdateTag": null,
		"id": null,
		"name": "AzureNetworkWatcherExtension",
		"protectedSettings": null,
		"provisionAfterExtensions": null,
		"provisioningState": null,
		"publisher": "Microsoft.Azure.NetworkWatcher",
		"settings": {},
		"type": null,
		"type1": "NetworkWatcherAgentLinux",
		"typeHandlerVersion": "1.4"
	}
]

06 Repeat steps no. 4 and 5 to enable application health monitoring for the other Azure virtual machine scale sets deployed in the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.


Publication date Jul 9, 2020