Disable Public IP Address Assignment for Virtual Machine Scale Sets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Microsoft Azure virtual machine scale sets are not configured with public IP addresses. Assigning public IP addresses to VM scale sets increases attack surface, making it harder to manage and secure the environment. It's generally recommended to use load balancers or other methods to provide external access without directly exposing individual VMs.

Security

By preventing public IP assignment to Microsoft Azure virtual machine scale sets, you significantly reduce the risk of cyberattacks by limiting direct Internet exposure. This enhances the overall security and privacy of your Azure virtual machines.


Audit

To determine if your Microsoft Azure VM scale sets are configured to use public IP addresses, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Virtual machine scale set, and choose Apply to list only the Azure virtual machine scale sets available in the selected subscription.

05 Click on the name (link) of the virtual machine (VM) scale set that you want to examine.

06 In the navigation panel, choose Overview, and select the Properties tab to view the configuration properties available for the selected VM scale set.

07 In the Networking section, check the Public IP address attribute value to determine if your VM scale set is using a public IP address. If the Public IP address attribute value is a public IP address, the selected Azure virtual machine scale set is configured with a public IP address.

08 Repeat steps no. 5 – 7 for each Azure virtual machine scale set available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the subscriptions available in your Azure account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run vmss list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group of each virtual machine scale set provisioned in the selected Azure subscription:

az vmss list \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return the requested virtual machine scale set identifiers:

Name                    ResourceGroup
---------------------   ------------------------------
cc-project5-scale-set   cloud-shell-storage-westeurope
cc-backend-scale-set    cloud-shell-storage-westeurope

05 Run vmss list-instance-public-ips command (Windows/macOS/Linux) with the name of the virtual machine scale set that you want to examine as the identifier parameter, to describe the public IP address assigned to the selected VM scale set:

az vmss list-instance-public-ips \
  --name cc-project5-scale-set \
  --resource-group cloud-shell-storage-westeurope \
  --query '[*].ipAddress'

06 The command output should return the requested public IP address:

[
	"xxx.xxx.xxx.xxx"
]

If the vmss list-instance-public-ips command output returns an empty array, i.e. [], there is no public IP address assigned to the selected resource. If the command output returns a public IP address, as shown in the example above, the selected Azure virtual machine scale set is configured with a public IP address.

07 Repeat steps no. 5 and 6 for each Azure virtual machine scale set deployed in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
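The CLI audit above (account list, then vmss list, then vmss list-instance-public-ips for every scale set) can be automated. The script below is an added example, not part of the Conformity article; it shells out to a signed-in az CLI, and the sample output embedded for the offline self-test is constructed. It also flags public IP resources whose address is not yet allocated, which the manual check based only on the returned address would miss.

```python
import json
import subprocess
from typing import Any

# Constructed sample of `az vmss list-instance-public-ips` output for the
# offline self-test: one allocated address (RFC 5737 documentation range) and
# one public IP resource whose address is not allocated yet.
SAMPLE_INSTANCE_IPS = [
    {"name": "pip-0", "ipAddress": "203.0.113.10", "publicIPAllocationMethod": "Static"},
    {"name": "pip-1", "ipAddress": None, "publicIPAllocationMethod": "Dynamic"},
]


def az(*args: str) -> Any:
    """Run an az CLI command and parse its JSON output (empty output -> [])."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else []


def public_ips_from_output(instance_ips: list[dict[str, Any]]) -> list[str]:
    """Interpret `az vmss list-instance-public-ips` output.

    Every element is a public IP resource attached to an instance, so the
    scale set is non-compliant as soon as the array is non-empty, even when
    the address is still unallocated (e.g. a deallocated VM with a dynamic IP).
    """
    return [entry.get("ipAddress") or "(not allocated)" for entry in instance_ips]


def audit_subscription(subscription_id: str) -> dict[str, list[str]]:
    """Return {resourceGroup/name: [public IPs]} for non-compliant scale sets."""
    findings: dict[str, list[str]] = {}
    for vmss in az("vmss", "list", "--subscription", subscription_id):
        ips = public_ips_from_output(az(
            "vmss", "list-instance-public-ips", "--subscription", subscription_id,
            "--name", vmss["name"], "--resource-group", vmss["resourceGroup"]))
        if ips:
            findings[f"{vmss['resourceGroup']}/{vmss['name']}"] = ips
    return findings


def audit_all_subscriptions() -> dict[str, dict[str, list[str]]]:
    """Steps 1 to 6 above, across every subscription the signed-in identity sees."""
    return {sub["id"]: audit_subscription(sub["id"]) for sub in az("account", "list")}


if __name__ == "__main__":
    for sub_id, findings in audit_all_subscriptions().items():
        for vmss_id, ips in findings.items():
            print(f"NON-COMPLIANT {sub_id} {vmss_id}: {', '.join(ips)}")
```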

Remediation / Resolution

To ensure that your Microsoft Azure virtual machine scale sets are not configured with public IP addresses, you have to re-create your VM scale sets with a different network configuration by performing the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Virtual machine scale set, and choose Apply to list only the Azure virtual machine scale sets available in the selected subscription.

05 Click on the name (link) of the virtual machine scale set that you want to re-create (i.e. source VM scale set) and gather all the relevant configuration information available for the selected scale set.

06 Navigate to Virtual machine scale sets blade available at https://portal.azure.com/#browse/Microsoft.Compute%2FvirtualMachineScaleSets.

07 Choose Create and perform the following actions to deploy your new virtual machine scale set:

  1. For Basics, provide the following information:
    1. For Project details, use the Subscription and Resource group controls to choose the Azure subscription and the resource group where you want to deploy your new virtual machine scale set.
    2. For Scale set details, provide a unique name for the new scale set, select the appropriate region (must match the region of the source VM scale set), and select at least two Availability Zones (AZs) from the Availability zone dropdown list.
    3. For Orchestration, choose the appropriate orchestration mode and the security type for your new scale set.
    4. For Scaling, choose the correct scaling mode (must match the scaling mode of the source VM scale set).
    5. For Instance details, configure the size of the virtual machines (VMs) deployed to the scale set and choose the base operating system or application for these VMs, based on the configuration information collected at step no. 5.
    6. For Administrator account, choose whether the administrator account will use a username and a password or SSH keys for authentication.
    7. Choose Next : Spot > to continue the setup process.
  2. (Optional) For Spot, you can configure the Azure Spot instance settings in order to get significant workload savings. Your applications should be able to tolerate interruptions or infrastructure loss when Microsoft Azure needs the capacity elsewhere. Choose Next : Disks > to continue.
  3. For Disks, enable the Azure disk storage encryption and configure the scale set disk options. Choose Next : Networking > to continue the setup.
  4. For Networking, perform the following actions:
    1. For Network interface, click on the Edit button (pencil icon) of the provisioned network interface (NIC), choose Disabled under Public IP address to disable the public IP address assignment, and select OK to save the changes. You can also customize the network interface settings at this point to match the source VM scale set NIC configuration.
    2. For Load balancing, choose Azure load balancer to place the VMs in the backend pool behind a public load balancer. For Select a load balancer, select an existing load balancer from the load balancers list or choose Create a load balancer to create a new Azure load balancer. The type of the selected load balancer must be Public. To allow traffic from your load balancer, you must update the appropriate port configuration on your network security group associated with your network interface (NIC). Choose Next : Management > to continue.
  5. For Management, you can configure the monitoring and management options for your VM scale set instances. Choose Next : Health > to continue the setup process.
  6. For Health, you can enable health monitoring on an application endpoint in order to update the status of the application on that VM instance. This VM instance status is required to enable platform managed upgrades such as automatic OS updates and VM instance upgrades. Choose Next : Advanced > to continue the setup.
  7. For Advanced, add additional configuration, agents, scripts, or applications through VM extensions or cloud-init (must match the configuration of the source VM scale set). Choose Next : Tags > to continue the setup process.
  8. For Tags, create any required tag sets, according to the source scale set tagging scheme. Choose Next : Review + create > to continue.
  9. For Review + create, wait for the validation results. Once the review is done and the validation has passed, choose Create to create your new virtual machine (VM) scale set.

08 Migrate any application data from the source virtual machine scale set to the destination Azure virtual machine scale set.

09 To remove the non-compliant scale set from your Azure cloud account in order to eliminate unnecessary costs, navigate back to the Virtual machine scale sets blade, select the VM scale set that you want to remove, and choose Delete.

10 On the Delete Resources panel, enter delete to confirm the deletion and choose Delete, then select Delete again when prompted for confirmation.

11 Repeat steps no. 5 – 10 for each Azure virtual machine scale set that you want to re-create, available within the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vmss show command (Windows/macOS/Linux) with the name of the virtual machine (VM) scale set that you want to re-create as the identifier parameter, to describe all the configuration information available for the selected VM scale set:

az vmss show \
  --name cc-project5-scale-set \
  --resource-group cloud-shell-storage-westeurope

02 The command output should return the requested information:

{
	"location": "westeurope",
	"name": "cc-project5-scale-set",
	"overprovision": true,
	"platformFaultDomainCount": 5,
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"singlePlacementGroup": false,
	"sku": {
		"capacity": 2,
		"name": "Standard_DS1_v2",
		"tier": "Standard"
	},
	"type": "Microsoft.Compute/virtualMachineScaleSets",
	"virtualMachineProfile": {
		"diagnosticsProfile": {
			"bootDiagnostics": {
				"enabled": true,
				"storageUri": "https://abcdabcd.blob.core.windows.net/"
			}
		}

		...


		"storageProfile": {
			"imageReference": {
				"offer": "UbuntuServer",
				"publisher": "Canonical",
				"sku": "Ubuntu2204",
				"version": "latest"
			},
			"osDisk": {
				"caching": "ReadWrite",
				"createOption": "FromImage",
				"diskSizeGb": 30,
				"managedDisk": {
					"diskEncryptionSet": null,
					"storageAccountType": "Premium_LRS"
				}
			}
		}
	},
	"zones": [
		"1"
	]
}

03 Run vmss create command (Windows/macOS/Linux) with the configuration information returned at the previous step, as input for the vmss create command parameters, to create a new Azure virtual machine scale set with a public load balancer specified by the --load-balancer parameter:

az vmss create \
  --name cc-project5-new-scale-set \
  --resource-group cloud-shell-storage-westeurope \
  --image Ubuntu2204 \
  --vm-sku Standard_DS1_v2 \
  --instance-count 2 \
  --os-disk-size-gb 30 \
  --upgrade-policy-mode automatic \
  --admin-username azureuser \
  --generate-ssh-keys \
  --zones 1 2 \
  --orchestration-mode Uniform \
  --load-balancer cc-vmss-load-balancer

04 The command output should return the configuration information available for the new VM scale set:

{
	"vmss": {
		"doNotRunExtensionsOnOverprovisionedVMs": false,
		"orchestrationMode": "Uniform",
		"overprovision": true,
		"platformFaultDomainCount": 1,
		"provisioningState": "Succeeded",
		"virtualMachineProfile": {
			"securityProfile": {
				"securityType": "TrustedLaunch",
				"uefiSettings": {
					"secureBootEnabled": true,
					"vTpmEnabled": true
				}
			},

			...

			"storageProfile": {
				"diskControllerType": "SCSI",
				"imageReference": {
					"offer": "0001-com-ubuntu-server-jammy",
					"publisher": "Canonical",
					"sku": "22_04-lts-gen2",
					"version": "latest"
				}
			},
			"timeCreated": "2024-08-18T16:00:40.3325600+00:00"
		}
	}
}

05 Migrate any application data from the source virtual machine scale set to the destination Azure virtual machine scale set.

06 To remove the non-compliant VM scale set from your Azure cloud account in order to eliminate unnecessary costs, run vmss delete command (Windows/macOS/Linux) with the name of the virtual machine scale set that you want to delete as the identifier parameter (the command does not produce an output):

az vmss delete \
  --name cc-project5-scale-set \
  --resource-group cloud-shell-storage-westeurope

07 Repeat steps no. 1 – 6 for each Azure virtual machine scale set that you want to re-create, deployed in the selected subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.

Publication date Aug 27, 2024