galleries
Summary
Details
A minimum of three replicas should be kept for production image versions
Impact: Medium Category: High Availability
APRL GUID: b49a39fd-f431-4b61-9062-f2157849d845
Description:
Keeping a minimum of 3 replicas for production images in Azure's Compute Gallery ensures scalability and prevents throttling in multi-VM deployments by distributing VM deployments across different replicas. This reduces the risk of overloading a single replica.
Potential Benefits:
Enhances scalability and avoids throttling
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Query to list all image versions,its associated image name and version replica configurations per region in a compute gallery whose version replicas is less than 3
resources
| where type =~ "microsoft.compute/galleries/images/versions"
| extend GalleryName = tostring(split(tostring(id), "/")[8]), ImageName = tostring(split(tostring(id), "/")[10])
| mv-expand VersionReplicas = properties.publishingProfile.targetRegions
| project RecommendationId="b49a39fd-f431-4b61-9062-f2157849d845",name,id,tags,param1=strcat("GalleryName: ",GalleryName),param2=strcat("ImageName: ",ImageName),param3=strcat("VersionReplicaRegionName: ",VersionReplicas.name),param4=strcat("VersionReplicationCount: ",VersionReplicas.regionalReplicaCount),rc=toint(VersionReplicas.regionalReplicaCount)
| where rc < 3
| project-away rc
Zone redundant storage should be used for image versions
Impact: Medium Category: High Availability
APRL GUID: 488dcc8b-f2e3-40ce-bf95-73deb2db095f
Description:
Use ZRS for high availability when creating image/VM versions in Azure Compute Gallery, offering resilience against Availability Zone failures. ZRS accounts are advisable in regions with Availability Zones, with the choice of Standard_ZRS recommended over Standard_LRS for these regions.
Potential Benefits:
Enhances image version availability
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Query to list all image versions and its associated image and gallery name whose Storage account type is not using ZRS
resources
| where type =~ "microsoft.compute/galleries/images/versions"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| extend GalleryName = tostring(split(tostring(id), "/")[8]), ImageName = tostring(split(tostring(id), "/")[10])
| extend StorageAccountType = tostring(properties.publishingProfile.storageAccountType)
| where StorageAccountType !has "ZRS"
| project RecommendationId="488dcc8b-f2e3-40ce-bf95-73deb2db095f",name,id,tags,param1=strcat("GalleryName: ",GalleryName),param2=strcat("ImageName: ",ImageName),param3=strcat("StorageAccountType: ",StorageAccountType)
Consider creating TrustedLaunchSupported images where possible
Impact: Low Category: High Availability
APRL GUID: 1c5e1e58-4e56-491c-8529-10f37af9d4ed
Description:
We recommend creating Trusted Launch Supported Images for benefits like Secure Boot, vTPM, trusted launch VMs, large boot volume. These are Gen 2 Images by default and you cannot change a VM's generation after creation, so review the considerations first.
Potential Benefits:
Enhances VM security and features
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Query to list all images whose Hyper-V generation is not V2
resources
| where type =~ "microsoft.compute/galleries/images"
| extend VMGeneration = properties.hyperVGeneration
| where VMGeneration <> 'V2'
| project RecommendationId="1c5e1e58-4e56-491c-8529-10f37af9d4ed",name,id,tags,param1=strcat("VMGeneration: ",VMGeneration)
Create Image Versions replicas in secondary region
Impact: Medium Category: Disaster Recovery
APRL GUID: b14ee8ed-7d27-447b-b6fb-6472cb5f4b75
Description:
On multi-region deployments, replicate Image Versions to a secondary region to ensure disaster recovery capability. This ensures that the Image Versions are available in the secondary region in case of a disaster in the primary region.
Potential Benefits:
Enhances disaster recovery capability
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// under-development
Configure Image version replica count per region.
Impact: Medium Category: Disaster Recovery
APRL GUID: b3c3ba1d-7de6-442d-8c50-023330fbf765
Description:
You can set a different replica count in each target region, based on the scale needs for the region. For every 20 VMs that you create concurrently, we recommend you keep one replica.
Potential Benefits:
Enhances disaster recovery capability
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// under-development