
Enable Instance Termination Notifications for Virtual Machine Scale Sets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-032

Ensure that your Microsoft Azure virtual machine scale sets are configured to receive instance termination notifications through the Azure Metadata Service, with a predefined delay timeout configured for the "Terminate" operation (event). Termination notifications are delivered through Scheduled Events, an Azure Metadata Service feature that sends these notifications and can also be used to delay impactful operations such as reboots and redeployments. The delay applied to a "Terminate" event depends on the delay limit specified in the VM scale set model configuration.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability

Once the Instance Termination Notifications feature is enabled, virtual machine scale set instances no longer have to wait for the full configured timeout to expire before they are deleted: after receiving a "Terminate" event notification, a VM instance can choose to be deleted at any time before the termination timeout expires.


Audit

To determine if instance termination notifications are enabled for your Azure virtual machine scale sets, perform the following actions:

Note: Verifying the Instance Termination Notifications feature status for your virtual machine scale sets using the Azure Portal is not currently supported.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the vmss list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each virtual machine scale set provisioned in the selected Azure subscription:

az vmss list \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return the requested virtual machine scale set identifiers:

Name                      ResourceGroup
-----------------------   ------------------------------
cc-production-scale-set   cloud-shell-storage-westeurope
cc-backend-scale-set      cloud-shell-storage-westeurope

05 Run the vmss show command (Windows/macOS/Linux), using the name of the virtual machine scale set that you want to examine as the identifier parameter, to describe the Instance Termination Notifications feature status of the selected VM scale set:

az vmss show \
	--name cc-production-scale-set \
	--resource-group cloud-shell-storage-westeurope \
	--query '{"TerminateNotificationProfileStatus": virtualMachineProfile.scheduledEventsProfile.terminateNotificationProfile.enable}'

06 The command output should return the requested feature configuration status:

{
  "TerminateNotificationProfileStatus": null
}

If the "TerminateNotificationProfileStatus" property value is not set to true, the Instance Termination Notifications feature is not enabled for the selected Microsoft Azure virtual machine scale set.

07 Repeat steps no. 5 and 6 for each Azure virtual machine scale set deployed in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
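The audit steps above (list subscriptions, list the scale sets in each, inspect each scale set's terminateNotificationProfile) collected into one script. This is an added example and not part of the Conformity page or Trend Micro's tooling. It assumes a logged-in Azure CLI and that "--output tsv" renders the "enable" flag as true/True and a missing profile (the null in the audit output above) as "None" or an empty field; the 5-to-15-minute range it uses to sanity-check notBeforeTimeout is Azure's documented limit for this setting, not something the page states.

```shell
#!/bin/sh
# Added example (not Conformity's own code): audit the Instance Termination
# Notifications setting on every VM scale set in every subscription visible
# to the signed-in Azure CLI account, following audit steps 1-8 above.
# Assumes `az` is installed and logged in for the live audit; the check
# functions themselves are plain string logic and run without it.
set -eu

TNP='virtualMachineProfile.scheduledEventsProfile.terminateNotificationProfile'

# `az ... --output tsv` prints true/True or false/False for the enable flag,
# and "None" or an empty field when the profile is absent (assumption).
# Only a literal true counts as enabled; everything else is non-compliant.
is_terminate_notification_enabled() {
    case "${1:-}" in
        true|True) return 0 ;;
        *)         return 1 ;;
    esac
}

# notBeforeTimeout is an ISO 8601 duration such as PT15M. Azure accepts
# 5 to 15 minutes for this setting, so anything outside that range, or a
# missing / non-minute value, is flagged for review.
is_expected_terminate_timeout() {
    minutes="${1:-}"
    minutes="${minutes#PT}"
    minutes="${minutes%M}"
    case "$minutes" in
        ''|*[!0-9]*) return 1 ;;   # empty, "None", or not a plain minute count
    esac
    if [ "$minutes" -ge 5 ] && [ "$minutes" -le 15 ]; then
        return 0
    else
        return 1
    fi
}

# Classify one scale set from its (enable, notBeforeTimeout) pair.
# Prints a one-line verdict; returns 0 only when the rule is satisfied.
classify_scale_set() {
    enable="${1:-}"
    timeout="${2:-}"
    if ! is_terminate_notification_enabled "$enable"; then
        echo "NON-COMPLIANT (enable=${enable:-null})"
        return 1
    fi
    if is_expected_terminate_timeout "$timeout"; then
        echo "COMPLIANT (notBeforeTimeout=$timeout)"
    else
        echo "COMPLIANT but review notBeforeTimeout=${timeout:-null} (expected PT5M..PT15M)"
    fi
    return 0
}

# Live audit: steps 1-8 as one loop. Prints one line per scale set.
audit_all_subscriptions() {
    tab="$(printf '\t')"
    az account list --query '[*].id' --output tsv | while read -r sub; do
        az vmss list --subscription "$sub" \
            --query '[*].[name, resourceGroup]' --output tsv |
        while IFS="$tab" read -r name rg; do
            [ -n "$name" ] || continue
            # One call returns "<enable>\t<notBeforeTimeout>" for this scale set.
            pair=$(az vmss show --subscription "$sub" --name "$name" \
                --resource-group "$rg" --output tsv \
                --query "[$TNP.enable, $TNP.notBeforeTimeout]")
            enable=${pair%%"$tab"*}
            timeout=${pair#*"$tab"}
            [ "$timeout" != "$pair" ] || timeout=''   # no tab: second field absent
            printf '%s/%s/%s: ' "$sub" "$rg" "$name"
            classify_scale_set "$enable" "$timeout" || true
        done
    done
}

# Only run the live audit when the CLI is present and already logged in;
# otherwise the script just defines the functions above.
if command -v az >/dev/null 2>&1 && az account show >/dev/null 2>&1; then
    audit_all_subscriptions
fi
```

Run it as-is with a logged-in az to get one verdict line per scale set across all subscriptions; the classify function returns non-zero for a non-compliant set, so the output is easy to filter with grep or fold into a CI check.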

Remediation / Resolution

To enable VM instance termination notifications for your Microsoft Azure virtual machine scale sets, perform the following actions:

Note: Enabling instance termination notifications for your virtual machine scale sets using the Azure Portal is not currently supported.

Using Azure CLI

01 Run the vmss update command (Windows/macOS/Linux), using the name of the virtual machine scale set that you want to reconfigure as the identifier parameter (see the Audit section to identify the right resource), to enable instance termination notifications for the selected Azure virtual machine scale set. The following example command enables instance termination notifications on an existing scale set named "cc-production-scale-set" and sets a 15-minute timeout delay for "Terminate" events using the --terminate-notification-time parameter:

az vmss update \
	--name cc-production-scale-set \
	--resource-group cloud-shell-storage-westeurope \
	--enable-terminate-notification true \
	--terminate-notification-time 15 \
	--query 'virtualMachineProfile.scheduledEventsProfile.terminateNotificationProfile'

02 The command output should return the Instance Termination Notifications feature configuration:

{
  "enable": true,
  "notBeforeTimeout": "PT15M"
}

03 Repeat steps no. 1 and 2 to enable instance termination notifications for other Azure virtual machine scale sets deployed in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.


Publication date Oct 26, 2020