Azure Proactive Resiliency Library v2

galleries

Summary

| Recommendation | Impact | Category | Automation Available | PG Verified |
| --- | --- | --- | --- | --- |
| A minimum of three replicas should be kept for production image versions | Medium | High Availability | Yes | Verified |
| Zone redundant storage should be used for image versions | Medium | High Availability | Yes | Verified |
| Consider creating TrustedLaunchSupported images where possible | Low | High Availability | Yes | Verified |

Details


A minimum of three replicas should be kept for production image versions

Impact:  Medium Category:  High Availability PG Verified:  Verified

APRL GUID:  b49a39fd-f431-4b61-9062-f2157849d845

Description:

Keeping a minimum of 3 replicas for production images in Azure's Compute Gallery ensures scalability and prevents throttling in multi-VM deployments by distributing VM deployments across different replicas. This reduces the risk of overloading a single replica.

Potential Benefits:

Enhances scalability and avoids throttling
Learn More:
Compute Gallery best practices

ARG Query:

// Azure Resource Graph Query
// Query to list all image versions, with their image name and per-region replica configuration, in a compute gallery where the replica count is less than 3
resources
| where type =~ "microsoft.compute/galleries/images/versions"
| extend GalleryName = tostring(split(tostring(id), "/")[8]), ImageName = tostring(split(tostring(id), "/")[10])
| mv-expand VersionReplicas = properties.publishingProfile.targetRegions
| project RecommendationId="b49a39fd-f431-4b61-9062-f2157849d845",name,id,tags,param1=strcat("GalleryName: ",GalleryName),param2=strcat("ImageName: ",ImageName),param3=strcat("VersionReplicaRegionName: ",VersionReplicas.name),param4=strcat("VersionReplicationCount: ",VersionReplicas.regionalReplicaCount),rc=toint(VersionReplicas.regionalReplicaCount)
| where rc < 3
| project-away rc



Zone redundant storage should be used for image versions

Impact:  Medium Category:  High Availability PG Verified:  Verified

APRL GUID:  488dcc8b-f2e3-40ce-bf95-73deb2db095f

Description:

Use zone-redundant storage (ZRS) for high availability when creating image/VM versions in Azure Compute Gallery; it provides resilience against Availability Zone failures. ZRS accounts are advisable in regions with Availability Zones, where Standard_ZRS is recommended over Standard_LRS.

Potential Benefits:

Enhances image version availability
Learn More:
Compute Gallery best practices
Zone-redundant storage

ARG Query:

// Azure Resource Graph Query
// Query to list all image versions in the listed regions, with their image and gallery names, whose storage account type is not ZRS
resources
| where type =~ "microsoft.compute/galleries/images/versions"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| extend GalleryName = tostring(split(tostring(id), "/")[8]), ImageName = tostring(split(tostring(id), "/")[10])
| extend StorageAccountType = tostring(properties.publishingProfile.storageAccountType)
| where StorageAccountType !has "ZRS"
| project RecommendationId="488dcc8b-f2e3-40ce-bf95-73deb2db095f",name,id,tags,param1=strcat("GalleryName: ",GalleryName),param2=strcat("ImageName: ",ImageName),param3=strcat("StorageAccountType: ",StorageAccountType)



Consider creating TrustedLaunchSupported images where possible

Impact:  Low Category:  High Availability PG Verified:  Verified

APRL GUID:  1c5e1e58-4e56-491c-8529-10f37af9d4ed

Description:

We recommend creating Trusted Launch Supported images for benefits such as Secure Boot, vTPM, trusted launch VMs, and large boot volumes. These are Gen 2 images by default, and you cannot change a VM's generation after creation, so review the considerations first.

Potential Benefits:

Enhances VM security and features
Learn More:
Compute Gallery best practices
Generation 1 vs Generation 2 in Hyper-V
Images in Compute gallery

ARG Query:

// Azure Resource Graph Query
// Query to list all images whose Hyper-V generation is not V2
resources
| where type =~ "microsoft.compute/galleries/images"
| extend VMGeneration = properties.hyperVGeneration
| where VMGeneration <> 'V2'
| project RecommendationId="1c5e1e58-4e56-491c-8529-10f37af9d4ed",name,id,tags,param1=strcat("VMGeneration: ",VMGeneration)
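The query above flags image definitions by Hyper-V generation only. The following added example (not part of the APRL project's own code) applies the same generation check to exported image-definition records and also reports Gen 2 definitions that carry no Trusted Launch security type. It assumes the records expose a `properties.features` list with a `SecurityType` entry, as Compute Gallery image definitions do; the sample records, names and finding labels are constructed for illustration.

```python
"""Added example: classify Compute Gallery image definitions for Trusted Launch readiness."""

# Constructed sample records shaped like Azure Resource Graph rows for
# microsoft.compute/galleries/images (all names are made up).
SAMPLE_IMAGES = [
    {"name": "ubuntu-gen1", "properties": {"hyperVGeneration": "V1"}},
    {"name": "ubuntu-gen2-plain", "properties": {"hyperVGeneration": "V2"}},
    {"name": "ubuntu-gen2-tl", "properties": {"hyperVGeneration": "V2",
        "features": [{"name": "SecurityType", "value": "TrustedLaunchSupported"}]}},
    {"name": "win-gen2-cvm", "properties": {"hyperVGeneration": "V2",
        "features": [{"name": "IsAcceleratedNetworkSupported", "value": "true"},
                     {"name": "securitytype", "value": "ConfidentialVmSupported"}]}},
]


def security_type(image):
    """Return the SecurityType feature value, or None when it is not set."""
    features = (image.get("properties") or {}).get("features") or []
    for feature in features:
        if str(feature.get("name", "")).lower() == "securitytype":
            return feature.get("value")
    return None


def classify(image):
    """Return (finding, detail) for one image definition (labels are hypothetical)."""
    props = image.get("properties") or {}
    generation = str(props.get("hyperVGeneration") or "").upper()
    if generation != "V2":
        # The condition the page's query flags: not a Gen 2 image.
        return "not-gen2", f"VMGeneration: {generation or 'unset'}"
    sec = security_type(image)
    if sec is None:
        return "gen2-no-security-type", "SecurityType: unset"
    if "trustedlaunch" not in str(sec).lower():
        return "gen2-other-security-type", f"SecurityType: {sec}"
    return "ok", f"SecurityType: {sec}"


def audit(images):
    """Map image name -> (finding, detail) for every image that is not 'ok'."""
    results = {img["name"]: classify(img) for img in images}
    return {name: r for name, r in results.items() if r[0] != "ok"}


if __name__ == "__main__":
    for name, (finding, detail) in audit(SAMPLE_IMAGES).items():
        print(f"{name}: {finding} ({detail})")
```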