- Disable Public IP Address Assignment for VMSS Instances
Ensure that instances running within your Microsoft Azure virtual machine scale set (VMSS) are not configured with public IP addresses. Assigning public IP addresses to individual VMSS instances increases attack surface, making it harder to manage and secure the environment.
Directly assigning public IPs to instances within a virtual machine scale set (VMSS) may pose security risks due to several factors, including an increased attack surface, potential vulnerabilities in individual instances, limited network segmentation, and challenges in management and scalability. Each public IP can serve as an entry point for attackers, making it easier for them to exploit weaknesses or move laterally within the network. To optimize costs and enhance security, Azure VMSS instances typically don't require dedicated public IP addresses. Instead, consider implementing a load balancer with a single public IP address to manage external traffic.
Audit
To determine if your Microsoft Azure VMSS instances are configured with public IP addresses, perform the following operations:
Using Azure Portal
01 Sign in to the Azure Management Console.
02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Virtual machine scale set, and choose Apply to list only the Azure virtual machine scale sets available in the selected subscription.
05 Click on the name (link) of the virtual machine (VM) scale set that you want to examine.
06 In the navigation panel, choose Instances to access the individual instances deployed within the selected VM scale set.
07 Click on the name (link) of the virtual machine (VM) instance that you want to examine.
08 In the resource navigation panel, under Networking, choose Network settings to access the network settings available for the selected instance.
09 In the Essentials section, check the Public IP address attribute value to determine if the selected instance is using a public IP address. If the Public IP address attribute value is a public IP address, the selected virtual machine (VM) instance is configured with a public IP address.
10 Repeat steps no. 7 – 9 for each individual instance deployed within the selected VM scale set. If one or more instances in the selected Azure virtual machine scale set are configured with public IPs, the scale set is exposing its instances to the public Internet.
11 Repeat steps no. 5 – 10 for each Azure virtual machine scale set available in the selected subscription.
12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the subscriptions available in your Azure account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]
03 Run vmss list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group of each virtual machine scale set provisioned in the selected Azure subscription:
az vmss list --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
04 The command output should return the requested virtual machine scale set identifiers:
Name                   ResourceGroup
---------------------  ------------------------------
cc-project5-scale-set  cloud-shell-storage-westeurope
cc-backend-scale-set   cloud-shell-storage-westeurope
05 Run vmss list-instance-public-ips command (Windows/macOS/Linux) with the name of the virtual machine scale set that you want to examine as the identifier parameter, to describe the public IP addresses assigned to instances within the selected VM scale set:
az vmss list-instance-public-ips --name cc-project5-scale-set --resource-group cloud-shell-storage-westeurope --query '[*].ipAddress'
06 The command output should return the requested public IP addresses:
[
  "xxx.xxx.xxx.xxx",
  "yyy.yyy.yyy.yyy"
]
If the vmss list-instance-public-ips command output returns an empty array, i.e. [], there are no public IP addresses assigned to VMSS instances. If the command output returns one or more public IP addresses, as shown in the example above, the instances running within the selected Azure virtual machine scale set (VMSS) are exposed to the public Internet.
07 Repeat steps no. 5 and 6 for each Azure virtual machine scale set deployed in the selected subscription.
08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
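The two CLI checks above can be evaluated offline against the JSON that az vmss show and az vmss list-instance-public-ips return. The script below is an added example and is not part of the original article or of the Azure CLI: it flags a scale set at the model level when any NIC ipConfiguration in virtualMachineProfile.networkProfile carries a public IP configuration (handling both the publicIpAddressConfiguration and publicIPAddressConfiguration key spellings is an assumption about the CLI's camelCase output), and at the instance level when the public IP listing is non-empty. The sample JSON documents and the 203.0.113.x addresses are constructed for the example.

```python
"""Offline evaluator for the VMSS public IP audit (added example, not the
article's or Azure CLI's own code). Feed it the output of `az vmss show`
and `az vmss list-instance-public-ips` to decide whether instances in a
scale set receive public IP addresses."""
import copy
import json
import sys
from typing import Any

# Constructed sample of `az vmss show` output, trimmed to the network profile.
# This scale set gives every instance a public IP on its primary ipConfiguration.
SAMPLE_VMSS_SHOW: dict[str, Any] = json.loads("""
{
  "name": "cc-project5-scale-set",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "virtualMachineProfile": {
    "networkProfile": {
      "networkInterfaceConfigurations": [
        {
          "name": "nic1",
          "primary": true,
          "ipConfigurations": [
            {
              "name": "ipconfig1",
              "publicIpAddressConfiguration": {
                "name": "instancepublicip",
                "idleTimeoutInMinutes": 15
              },
              "subnet": {"id": "/subscriptions/<sub-id>/.../subnets/default"}
            }
          ]
        }
      ]
    }
  }
}
""")

# Constructed sample of `az vmss list-instance-public-ips` output (two instances).
SAMPLE_INSTANCE_IPS: list[dict[str, Any]] = json.loads("""
[
  {"name": "instancepublicip", "ipAddress": "203.0.113.10", "id": "/.../virtualMachines/0/.../instancepublicip"},
  {"name": "instancepublicip", "ipAddress": "203.0.113.11", "id": "/.../virtualMachines/1/.../instancepublicip"}
]
""")

# A compliant model derived from the sample: same NIC, no public IP configuration.
SAMPLE_VMSS_SHOW_FIXED = copy.deepcopy(SAMPLE_VMSS_SHOW)
del SAMPLE_VMSS_SHOW_FIXED["virtualMachineProfile"]["networkProfile"][
    "networkInterfaceConfigurations"][0]["ipConfigurations"][0]["publicIpAddressConfiguration"]

# Assumption: the CLI emits the REST property in camelCase; accept both spellings.
PUBLIC_IP_KEYS = ("publicIpAddressConfiguration", "publicIPAddressConfiguration")


def ip_configs_with_public_ip(vmss: dict[str, Any]) -> list[str]:
    """Return 'nic/ipconfig' names in the scale-set model that carry a public IP configuration."""
    profile = vmss.get("virtualMachineProfile") or {}
    nics = (profile.get("networkProfile") or {}).get("networkInterfaceConfigurations") or []
    found = []
    for nic in nics:
        for ipc in nic.get("ipConfigurations") or []:
            if any(ipc.get(key) for key in PUBLIC_IP_KEYS):
                found.append(f"{nic.get('name')}/{ipc.get('name')}")
    return found


def instance_public_ips(listing: list[dict[str, Any]]) -> list[str]:
    """Return the public IP addresses currently allocated to instances (empty list means compliant)."""
    return [entry["ipAddress"] for entry in listing if entry.get("ipAddress")]


def evaluate(vmss: dict[str, Any], listing: list[dict[str, Any]]) -> dict[str, Any]:
    """Combine the model-level and instance-level checks into one finding."""
    model_hits = ip_configs_with_public_ip(vmss)
    addresses = instance_public_ips(listing)
    return {
        "name": vmss.get("name"),
        "resourceGroup": vmss.get("resourceGroup"),
        "model_public_ip_configs": model_hits,
        "instance_public_ips": addresses,
        "compliant": not model_hits and not addresses,
    }


if __name__ == "__main__":
    # Usage: python3 vmss_public_ip_check.py show.json instance-ips.json
    # (files saved from the two az commands); with no arguments the constructed samples run.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_show, open(sys.argv[2]) as f_ips:
            finding = evaluate(json.load(f_show), json.load(f_ips))
    else:
        finding = evaluate(SAMPLE_VMSS_SHOW, SAMPLE_INSTANCE_IPS)
    print(json.dumps(finding, indent=2))
```

Checking the model as well as the live listing matters because a scale set whose ipConfiguration still carries a public IP configuration will hand out a fresh public address to every instance it scales out, even on a day when the instance listing happens to be empty.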
Remediation / Resolution
To ensure that VM instances deployed in your virtual machine scale set (VMSS) are not configured with public IP addresses, you have to re-create your VMSS with a different network configuration by performing the following operations:
Using Azure Portal
01 Sign in to the Azure Management Console.
02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Virtual machine scale set, and choose Apply to list only the Azure virtual machine scale sets available in the selected subscription.
05 Click on the name (link) of the virtual machine scale set that you want to re-create (i.e. source VM scale set) and gather all the relevant configuration information available for the selected scale set.
06 Navigate to Virtual machine scale sets blade available at https://portal.azure.com/#browse/Microsoft.Compute%2FvirtualMachineScaleSets.
07 Choose Create and perform the following actions to deploy your new virtual machine scale set:
- For Basics, provide the following information:
- For Project details, use the Subscription and Resource group controls to choose the Azure subscription and the resource group where you want to deploy your new virtual machine scale set.
- For Scale set details, provide a unique name for the new scale set, select the appropriate region (must match the region of the source VM scale set), and select at least two Availability Zones (AZs) from the Availability zone dropdown list.
- For Orchestration, choose the appropriate orchestration mode and the security type for your new scale set.
- For Scaling, choose the correct scaling mode (must match the scaling mode of the source VM scale set).
- For Instance details, configure the size of the virtual machines (VMs) deployed to the scale set and choose the base operating system or application for these VMs, based on the configuration information collected at step no. 5.
- For Administrator account, choose whether the administrator account will use a username and a password or SSH keys for authentication.
- Choose Next : Spot > to continue the setup process.
- (Optional) For Spot, you can configure the Azure Spot instance settings in order to get significant workload savings. Your applications should be able to tolerate interruptions or infrastructure loss when Microsoft Azure needs the capacity elsewhere. Choose Next : Disks > to continue.
- For Disks, enable the Azure disk storage encryption and configure the scale set disk options. Choose Next : Networking > to continue the setup.
- For Networking, perform the following actions:
- For Network interface, click on the Edit button (pencil icon) of the provisioned network interface (NIC), choose Disabled under Public IP address to disable the public IP address assignment, and select OK to save the changes. You can also customize the network interface settings at this point to match the source VM scale set NIC configuration.
- For Load balancing, choose Azure load balancer to place the VM instances in the backend pool behind a public load balancer. For Select a load balancer, select an existing load balancer from the load balancers list or choose Create a load balancer to create a new Azure load balancer. The type of the selected load balancer must be Public. To allow traffic from your load balancer, you must update the appropriate port configuration on your network security group associated with your network interface (NIC). Choose Next : Management > to continue.
- For Management, you can configure the monitoring and management options for your VM scale set instances. Choose Next : Health > to continue the setup process.
- For Health, you can enable health monitoring on an application endpoint in order to update the status of the application on that VM instance. This status is required to enable platform managed upgrades such as automatic OS updates and VM instance upgrades. Choose Next : Advanced > to continue the setup.
- For Advanced, add additional configuration, agents, scripts, or applications through VM extensions or cloud-init (must match the configuration of the source VM scale set). Choose Next : Tags > to continue the setup process.
- For Tags, create any required tag sets, according to the source scale set tagging scheme. Choose Next : Review + create > to continue.
- For Review + create, wait for the validation results. Once the review is done and the validation has passed, choose Create to create your new virtual machine (VM) scale set.
08 Migrate any application data from the source virtual machine scale set to the destination Azure virtual machine scale set.
09 To remove the non-compliant scale set from your Azure cloud account in order to eliminate unnecessary costs, navigate back to the Virtual machine scale sets blade, select the VM scale set that you want to remove, and choose Delete.
10 On the Delete Resources panel, enter delete to confirm the deletion and choose Delete, then select Delete again when prompted for confirmation.
11 Repeat steps no. 5 – 10 for each Azure virtual machine scale set that you want to re-create, available within the selected subscription.
12 Repeat steps no. 3 – 11 for each subscription available in your Microsoft Azure cloud account.
Using Azure CLI
01 Run vmss show command (Windows/macOS/Linux) with the name of the virtual machine (VM) scale set that you want to re-create as the identifier parameter, to describe all the configuration information available for the selected VM scale set:
az vmss show --name cc-project5-scale-set --resource-group cloud-shell-storage-westeurope
02 The command output should return the requested information:
{
  "location": "westeurope",
  "name": "cc-project5-scale-set",
  "overprovision": true,
  "platformFaultDomainCount": 5,
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "singlePlacementGroup": false,
  "sku": {
    "capacity": 2,
    "name": "Standard_DS1_v2",
    "tier": "Standard"
  },
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "virtualMachineProfile": {
    "diagnosticsProfile": {
      "bootDiagnostics": {
        "enabled": true,
        "storageUri": "https://abcdabcd.blob.core.windows.net/"
      }
    }
    ...
    "storageProfile": {
      "imageReference": {
        "offer": "UbuntuServer",
        "publisher": "Canonical",
        "sku": "Ubuntu2204",
        "version": "latest"
      },
      "osDisk": {
        "caching": "ReadWrite",
        "createOption": "FromImage",
        "diskSizeGb": 30,
        "managedDisk": {
          "diskEncryptionSet": null,
          "storageAccountType": "Premium_LRS"
        }
      }
    }
  },
  "zones": [
    "1",
    "2"
  ]
}
03 Run vmss create command (Windows/macOS/Linux) with the configuration information returned at the previous step, as input for the vmss create command parameters, to create a new Azure virtual machine scale set with a public load balancer, specified by the --load-balancer parameter:
az vmss create --name cc-project5-new-scale-set --resource-group cloud-shell-storage-westeurope --image Ubuntu2204 --vm-sku Standard_DS1_v2 --instance-count 2 --os-disk-size-gb 30 --upgrade-policy-mode automatic --admin-username azureuser --generate-ssh-keys --zones 1 2 --orchestration-mode Uniform --public-ip-address "" --load-balancer cc-vmss-load-balancer
04 The command output should return the configuration information available for the new VM scale set:
{
  "vmss": {
    "doNotRunExtensionsOnOverprovisionedVMs": false,
    "orchestrationMode": "Uniform",
    "overprovision": true,
    "platformFaultDomainCount": 1,
    "provisioningState": "Succeeded",
    "virtualMachineProfile": {
      "securityProfile": {
        "securityType": "TrustedLaunch",
        "uefiSettings": {
          "secureBootEnabled": true,
          "vTpmEnabled": true
        }
      },
      ...
      "storageProfile": {
        "diskControllerType": "SCSI",
        "imageReference": {
          "offer": "0001-com-ubuntu-server-jammy",
          "publisher": "Canonical",
          "sku": "22_04-lts-gen2",
          "version": "latest"
        }
      },
      "timeCreated": "2024-08-18T16:00:40.3325600+00:00"
    }
  }
}
05 Migrate any application data from the source virtual machine scale set to the destination Azure virtual machine scale set.
06 To remove the non-compliant VM scale set from your Azure cloud account in order to eliminate unnecessary costs, run vmss delete command (Windows/macOS/Linux) with the name of the virtual machine scale set that you want to delete as the identifier parameter (the command does not produce an output):
az vmss delete --name cc-project5-scale-set --resource-group cloud-shell-storage-westeurope
07 Repeat steps no. 1 – 6 for each Azure virtual machine scale set that you want to re-create, deployed in the selected subscription.
08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.
References
- Azure Official Documentation
- What are Virtual Machine Scale Sets?
- Networking for Azure Virtual Machine Scale Sets
- Guidance for Virtual Machine Scale Sets with Azure Load Balancer
- Azure Command Line Interface (CLI) Documentation
- az account list
- az vmss list-instance-public-ips
- az vmss list
- az vmss show
- az vmss create
- az vmss delete