
Check for Zone-Redundant Virtual Machine Scale Sets

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: VirtualMachines-027

Ensure that all your Microsoft Azure virtual machine scale sets are using zone-redundant availability configurations instead of single-zone (zonal) configurations, to deploy and load balance virtual machines (VMs) across multiple Availability Zones (AZs) in order to protect the scale sets from datacenter-level failures.

This rule resolution is part of the Conformity solution.

Security

When you deploy a virtual machine scale set, you can choose to use a single Availability Zone (AZ) or multiple Availability Zones (AZs). A zone-redundant virtual machine scale set represents a single scale set that spans multiple AZs. As virtual machine instances are created within the scale set, they are evenly balanced across AZs. This availability configuration helps to protect your applications and data from a zone failure or loss of an entire AZ. With zone-redundancy, one or more Availability Zones can fail and the data path survives as long as one AZ in the region remains healthy.


Audit

To determine the availability configuration of your Microsoft Azure VM scale sets, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Virtual machine scale set, and choose Apply to list only the Azure virtual machine scale sets available in the selected subscription.

05 Click on the name (link) of the virtual machine scale set that you want to examine.

06 In the resource navigation panel, under Settings, select Properties to view the configuration properties available for the selected VM scale set.

07 On the Properties page, check the number of Availability Zones (AZs) configured for your scale set, listed under Availability zone. If the selected Azure virtual machine scale set has only one Availability Zone listed, the scale set is using a single-zone availability configuration instead of a zone-redundant configuration.

08 Repeat steps no. 5 – 7 for each Azure virtual machine scale set available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the subscriptions available in your Azure account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run vmss list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group of each virtual machine scale set provisioned in the selected Azure subscription:

az vmss list \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return the requested virtual machine scale set identifiers:

Name                    ResourceGroup
---------------------   ------------------------------
cc-project5-scale-set   cloud-shell-storage-westeurope
cc-backend-scale-set    cloud-shell-storage-westeurope

05 Run vmss show command (Windows/macOS/Linux) with the name of the virtual machine scale set that you want to examine as the identifier parameter, to list the Availability Zones (AZs) configured for the selected VM scale set:

az vmss show \
  --name cc-project5-scale-set \
  --resource-group cloud-shell-storage-westeurope \
  --query 'zones'

06 The command output should return the requested AZ information:

[
  "1"
]

If the vmss show command output returns just one Availability Zone, as shown in the example above, the selected Azure virtual machine scale set can only launch instances within a single Availability Zone; therefore the VM scale set is using a single-zone availability configuration instead of a zone-redundant configuration.

07 Repeat steps no. 5 and 6 for each Azure virtual machine scale set deployed in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
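The CLI audit above, automated as an added shell script that is not part of the Conformity tooling: it walks every subscription and every scale set with the same az commands, counts the zones that vmss show returns, and flags any scale set with fewer than two zones. It assumes an installed Azure CLI that is already logged in; the helper names (zone_count, is_zone_redundant, vmss_status, audit_all) are this example's own.

```shell
#!/bin/sh
# Added example, not Conformity's own code. Assumes `az` is installed and
# `az login` has been run. Walks all subscriptions and VM scale sets and
# reports which ones are not zone-redundant (fewer than two Availability Zones).

# Count the Availability Zones in the text that
#   az vmss show --query zones -o tsv
# prints: one zone per line, or nothing at all when the scale set has no
# zones configured ("zones": null, a regional scale set). Both a single zone
# and no zone fall short of zone redundancy.
zone_count() {
    printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Succeeds (exit 0) only when the scale set spans at least two zones.
is_zone_redundant() {
    [ "$(zone_count "$1")" -ge 2 ]
}

# Status word for the report line.
vmss_status() {
    if is_zone_redundant "$1"; then
        echo "zone-redundant"
    else
        echo "NON-COMPLIANT"
    fi
}

# Audit every scale set in one subscription (steps 3 to 7 of the page).
audit_subscription() {
    sub="$1"
    az vmss list --subscription "$sub" \
        --query '[].[name,resourceGroup]' --output tsv |
    while IFS="$(printf '\t')" read -r name rg; do
        zones=$(az vmss show --subscription "$sub" \
            --name "$name" --resource-group "$rg" \
            --query zones --output tsv)
        printf '%s\t%s\t%s\t%s zone(s)\t%s\n' \
            "$sub" "$rg" "$name" "$(zone_count "$zones")" "$(vmss_status "$zones")"
    done
}

# Audit every subscription visible to the logged-in account (step 8).
audit_all() {
    az account list --query '[].id' --output tsv |
    while read -r sub; do
        audit_subscription "$sub"
    done
}

# Only talk to Azure when explicitly asked, so the helpers can be sourced
# and checked on constructed input without network access.
if [ "${RUN_AUDIT:-0}" = "1" ]; then
    audit_all
fi
```

Run it with `RUN_AUDIT=1 sh audit-vmss-zones.sh`; each output line carries the subscription, resource group, scale set name, zone count and status, and every line marked NON-COMPLIANT is a candidate for the re-creation steps in the Remediation section.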

Remediation / Resolution

To enable zone redundancy for your Microsoft Azure virtual machine scale sets you have to re-create the scale sets with a zone-redundant availability configuration by performing the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Virtual machine scale set, and choose Apply to list only the Azure virtual machine scale sets available in the selected subscription.

05 Click on the name (link) of the virtual machine scale set that you want to re-create (i.e. source VM scale set) and gather all the relevant configuration information available for the selected scale set.

06 Navigate to Virtual machine scale sets blade available at https://portal.azure.com/#browse/Microsoft.Compute%2FvirtualMachineScaleSets.

07 Choose Create and perform the following actions to deploy your new virtual machine scale set:

  1. For Basics, provide the following information:
    1. For Project details, use the Subscription and Resource group controls to choose the Azure subscription and the resource group where you want to deploy your new virtual machine scale set.
    2. For Scale set details, provide a unique name for the new scale set, select the appropriate region (must match the region of the source VM scale set), and select at least two Availability Zones (AZs) from the Availability zone dropdown list. Ideally, a zone-redundant configuration should have all the supported Availability Zones (e.g. zones 1, 2 and 3) selected at this step.
    3. For Orchestration, choose the appropriate orchestration mode and the security type for your new scale set.
    4. For Scaling, choose the correct scaling mode (must match the scaling mode of the source VM scale set).
    5. For Instance details, configure the size of the virtual machines (VMs) deployed to the scale set and choose the base operating system or application for these VMs, based on the configuration information collected at step no. 5.
    6. For Administrator account, choose whether the administrator account will use a username and a password or SSH keys for authentication.
    7. Choose Next : Spot > to continue the setup process.
  2. (Optional) For Spot, you can configure the Azure Spot instance settings in order to get significant workload savings. Your applications should be able to tolerate interruptions or infrastructure loss when Microsoft Azure needs the capacity elsewhere. Choose Next : Disks > to continue.
  3. For Disks, enable the Azure disk storage encryption and configure the scale set disk options. Choose Next : Networking > to continue the setup.
  4. For Networking, configure the network connectivity settings for your scale set (must match the network settings of the source VM scale set). You can control ports, inbound and outbound access with security group rules, or place the VMs in the backend pool behind an existing load balancing solution. Choose Next : Management > to continue.
  5. For Management, you can configure the monitoring and management options for your VM scale set instances. Choose Next : Health > to continue the setup process.
  6. For Health, you can enable health monitoring on an application endpoint in order to update the status of the application on that VM instance. This VM instance status is required to enable platform managed upgrades such as automatic OS updates and VM instance upgrades. Choose Next : Advanced > to continue the setup.
  7. For Advanced, add additional configuration, agents, scripts, or applications through VM extensions or cloud-init. Choose Next : Tags > to continue the setup process.
  8. For Tags, create any required tag sets, according to the source scale set tagging scheme. Choose Next : Review + create > to continue.
  9. For Review + create, wait for the validation results. Once the review is done and the validation has passed, choose Create to create your new zone-redundant virtual machine (VM) scale set.

08 Migrate any application data from the source (single-zone) virtual machine scale set to the destination (zone-redundant) Azure virtual machine scale set.

09 To remove the non-compliant scale set from your Azure cloud account in order to eliminate unnecessary costs, navigate back to the Virtual machine scale sets blade, select the VM scale set that you want to remove, and choose Delete.

10 On the Delete Resources panel, enter delete to confirm the deletion, and choose Delete.

11 Repeat steps no. 5 – 10 to enable zone redundancy for other Azure virtual machine scale sets available within the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vmss show command (Windows/macOS/Linux) with the name of the virtual machine (VM) scale set that you want to re-create as the identifier parameter, to describe all the configuration information available for the selected VM scale set:

az vmss show \
  --name cc-project5-scale-set \
  --resource-group cloud-shell-storage-westeurope

02 The command output should return the requested information:

{
	"location": "westeurope",
	"name": "cc-project5-scale-set",
	"overprovision": true,
	"platformFaultDomainCount": 5,
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"singlePlacementGroup": false,
	"sku": {
		"capacity": 3,
		"name": "Standard_DS1_v2",
		"tier": "Standard"
	},
	"type": "Microsoft.Compute/virtualMachineScaleSets",
	"virtualMachineProfile": {
		"diagnosticsProfile": {
			"bootDiagnostics": {
				"enabled": true,
				"storageUri": "https://abcdabcd.blob.core.windows.net/"
			}
		},

		...


		"storageProfile": {
			"imageReference": {
				"offer": "UbuntuServer",
				"publisher": "Canonical",
				"sku": "18.04-LTS",
				"version": "latest"
			},
			"osDisk": {
				"caching": "ReadWrite",
				"createOption": "FromImage",
				"diskSizeGb": 30,
				"managedDisk": {
					"diskEncryptionSet": null,
					"storageAccountType": "Premium_LRS"
				}
			}
		}
	},
	"zones": [
		"1"
	]
}

03 Run vmss create command (Windows/macOS/Linux) with the configuration information returned at the previous step, as input for the vmss create command parameters, to create a new, zone-redundant Azure virtual machine scale set. To configure the new scale set for zone redundancy, add the names of the Availability Zones (i.e. 1, 2, and 3) to the --zones command parameter:

az vmss create \
  --name cc-project5-new-scale-set \
  --resource-group cloud-shell-storage-westeurope \
  --image UbuntuLTS \
  --vm-sku Standard_DS1_v2 \
  --instance-count 3 \
  --os-disk-size-gb 30 \
  --upgrade-policy-mode automatic \
  --admin-username azureuser \
  --generate-ssh-keys \
  --zones 1 2 3

04 The command output should return the configuration information available for the new VM scale set:

{
	"location": "westeurope",
	"name": "cc-project5-new-scale-set",
	"overprovision": true,
	"platformFaultDomainCount": 5,
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",

	...

	"sku": {
		"capacity": 3,
		"name": "Standard_DS1_v2",
		"tier": "Standard"
	},
	"type": "Microsoft.Compute/virtualMachineScaleSets"
}

05 Migrate any application data from the source (single-zone) virtual machine scale set to the destination (zone-redundant) Azure virtual machine scale set.

06 To remove the non-compliant VM scale set from your Azure cloud account in order to eliminate unnecessary costs, run vmss delete command (Windows/macOS/Linux) with the name of the virtual machine scale set that you want to delete as the identifier parameter (the command does not produce an output):

az vmss delete \
  --name cc-project5-scale-set \
  --resource-group cloud-shell-storage-westeurope

07 Repeat steps no. 1 – 6 to enable zone redundancy for other Azure virtual machine scale sets deployed in the selected subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.

Publication date Jul 8, 2020
