Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Check for Unused Load Balancers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: VirtualMachines-030

Identify any unused load balancers available within your Azure cloud account and delete them in order to eliminate unnecessary costs and meet compliance requirements when it comes to cloud resource management. A Microsoft Azure load balancer is considered unused when it doesn't have any associated backend pool instances. The backend pool instances can be individual virtual machines or instances running within a virtual machine scale set.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Cost
optimisation

Removing Azure cloud components that aren't being utilized, like the load balancers, will help you avoid unexpected charges on your Azure bill. In order to adhere to Azure cloud best practices and achieve regulatory compliance, every unused load balancer should be deleted for cost optimization and better management of your cloud resources.


Audit

To identify unused Microsoft Azure load balancers, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Load balancer to show only the Azure load balancers created in the selected subscription.

05 Click on the name of the load balancer that you want to examine.

06 In the navigation panel, under Settings, select Backend pools to access the backend pools created for the selected load balancer.

07 Click on the name of the backend pool that you want to examine.

08 On the selected backend pool configuration details page, check for any backend instances listed in the Virtual machines and Virtual machine scale sets sections. If there are no virtual machines and virtual machines scale sets listed on this page, the selected load balancer backend pool does not have any backend instances attached anymore.

09 Repeat step no. 7 and 8 to check all the backend pools created for the selected load balancer. If the verified backend pools do not contain any virtual machines and scale sets, the selected Microsoft Azure load balancer is not being used and can be safely removed from your cloud account.

10 Repeat steps no. 5 – 9 for each Azure load balancer available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers:

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd",
]

03 Run network lb list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each load balancer deployed in the selected Azure subscription:

az network lb list
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return the requested load balancer identifiers:

Name                       ResourceGroup
-------------------------  ------------------------------
cc-frontend-load-balancer  cloud-shell-storage-westeurope
cc-web-app-load-balancer   cloud-shell-storage-westeurope

05 Run network lb show command (Windows/macOS/Linux) using the name of the Azure load balancer that you want to examine as identifier parameter, to describe the ID of each backend pool instance IP configuration attached to the selected load balancer. A backend pool instance can be any virtual machine instance or VM scale set instance associated with the load balancer:

az network lb show
	--name cc-frontend-load-balancer
	--resource-group cloud-shell-storage-westeurope
	--query 'backendAddressPools[*].backendIpConfigurations[*].id | []'

06 The command output should return the requested IP configuration ID(s):

[]

If the network lb show command output returns an empty array, as shown in the example above, there are no backend pool instances attached to the load balancer, therefore the selected Microsoft Azure load balancer is considered unused and can be safely removed from your cloud account.

07 Repeat step no. 5 and 6 for each Azure load balancer deployed in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To remove unused Microsoft Azure load balancers from your cloud account in order to lower the cost of your monthly Azure bill, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Load balancer to list only the Azure load balancers available in the selected subscription.

05 Click on the name of the load balancer that you want to remove.

06 In the navigation panel, select Overview, and click Delete to initiate the resource removal.

07 In the Delete load balancer confirmation box, click Yes to confirm the load balancer removal.

08 Repeat steps no. 5 – 7 to delete other unused Azure load balancers available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run network lb delete command (Windows/macOS/Linux) using the name of the unused load balancer that you want to delete as identifier parameter (see Audit section part II to identify the right resource), to remove the selected Microsoft Azure load balancer from your Azure cloud account (the command does not produce an output):

az network lb delete
	--name cc-frontend-load-balancer
	--resource-group cloud-shell-storage-westeurope

02 Repeat step no. 1 to remove other unused Azure load balancers deployed in the selected subscription.

03 Repeat step no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Jul 9, 2020