virtualMachineScaleSets
Deploy VMSS with Flex orchestration mode instead of Uniform
Impact: Medium Category: Scalability PG Verified: Verified
Description:
Deploying even single instance VMs into a scale set with Flexible orchestration mode future-proofs applications for scaling and availability. This mode guarantees high availability (up to 1000 VMs) by distributing VMs across fault domains in a region or within an Availability Zone.
Potential Benefits:
Higher scalability and availability
Learn More:
ARG Query:
// Azure Resource Graph Query
// Find all scale sets that are NOT deployed with Flexible orchestration mode
// (tostring() so that a scale set with no orchestrationMode property is also returned)
resources
| where type == "microsoft.compute/virtualmachinescalesets"
| where tostring(properties.orchestrationMode) != "Flexible"
| project recommendationId = "e7495e1c-0c75-0946-b266-b429b5c7f3bf", name, id, tags, param1 = strcat("orchestrationMode: ", tostring(properties.orchestrationMode))
Enable VMSS application health monitoring
Impact: Medium Category: Monitoring and Alerting PG Verified: Verified
Description:
Monitoring application health in Azure Virtual Machine Scale Sets is crucial for deployment management. It supports rolling upgrades such as automatic OS-image upgrades and VM guest patching, leveraging health monitoring for upgrading.
Potential Benefits:
Enhances deployment management and upgrades
Learn More:
ARG Query:
// Azure Resource Graph Query
// Find all scale sets that do NOT have the Application Health extension configured
resources
| where type == "microsoft.compute/virtualmachinescalesets"
| join kind=leftouter (
    resources
    | where type == "microsoft.compute/virtualmachinescalesets"
    | mv-expand extension=properties.virtualMachineProfile.extensionProfile.extensions
    | where tostring(extension.properties.type) in ("ApplicationHealthWindows", "ApplicationHealthLinux")
    | project id
) on id
// leftouter leaves id1 empty for scale sets with no matching extension
| where isempty(id1)
| project recommendationId = "94794d2a-eff0-2345-9b67-6f9349d0a627", name, id, tags, param1 = "extension: null"
Enable Automatic Repair policy
Impact: High Category: Automation PG Verified: Verified
Description:
Enabling automatic instance repairs in Azure Virtual Machine Scale Sets enhances application availability through a continuous health check and maintenance process.
Potential Benefits:
Boosts app availability by auto-repair
Learn More:
ARG Query:
// Azure Resource Graph Query
// Find all scale sets that do NOT have automatic repairs enabled
// (a scale set with no automaticRepairsPolicy at all is also not enabled, so treat null like false)
resources
| where type == "microsoft.compute/virtualmachinescalesets"
| where isnull(properties.automaticRepairsPolicy.enabled) or tobool(properties.automaticRepairsPolicy.enabled) == false
| project recommendationId = "820f4743-1f94-e946-ae0b-45efafd87962", name, id, tags, param1 = "automaticRepairsPolicy: Disabled"
Configure VMSS Autoscale to custom and configure the scaling metrics
Impact: High Category: Scalability PG Verified: Verified
Description:
Use custom autoscale for VMSS based on metrics and schedules to improve performance and cost effectiveness, adjusting instances as demand changes.
Potential Benefits:
Enhances performance and cost-efficiency
Learn More:
ARG Query:
// Azure Resource Graph Query
// Find scale sets with no autoscale setting, or whose autoscale setting is disabled
resources
| where type == "microsoft.compute/virtualmachinescalesets"
| project name, id, tags, joinKey = tolower(id)
| join kind=leftouter (
    resources
    | where type == "microsoft.insights/autoscalesettings"
    | where tostring(properties.targetResourceUri) contains "Microsoft.Compute/virtualMachineScaleSets"
    // resource id casing is not consistent between the two resource types, so join on a lower-cased key
    | project joinKey = tolower(tostring(properties.targetResourceUri)), autoscalesettings = properties
) on joinKey
// enabled may surface as a bool or as a string; tobool() normalises both, and null means no setting matched
| extend autoscaleEnabled = tobool(autoscalesettings.enabled)
| where isnull(autoscaleEnabled) or autoscaleEnabled == false
| project recommendationId = "ee66ff65-9aa3-2345-93c1-25827cf79f44", name, id, tags, param1 = "autoscalesettings: Disabled"
| order by id asc
Enable Predictive autoscale and configure at least for Forecast Only
Impact: Low Category: Scalability PG Verified: Verified
Description:
Predictive autoscale utilizes machine learning to efficiently manage and scale Azure Virtual Machine Scale Sets by forecasting CPU load through historical usage analysis, ensuring timely scale-out to meet demand.
Potential Benefits:
Optimizes scaling with ML predictions
Learn More:
ARG Query:
// Azure Resource Graph Query
// Find scale sets whose enabled autoscale setting has predictive autoscale absent or set to Disabled
resources
| where type == "microsoft.compute/virtualmachinescalesets"
| project name, id, tags, joinKey = tolower(id)
| join kind=leftouter (
    resources
    | where type == "microsoft.insights/autoscalesettings"
    | where tostring(properties.targetResourceUri) contains "Microsoft.Compute/virtualMachineScaleSets"
    // resource id casing is not consistent between the two resource types, so join on a lower-cased key
    | project joinKey = tolower(tostring(properties.targetResourceUri)), autoscalesettings = properties
) on joinKey
| extend autoscaleEnabled = tobool(autoscalesettings.enabled), scaleMode = tostring(autoscalesettings.predictiveAutoscalePolicy.scaleMode)
| where autoscaleEnabled == true and (isempty(scaleMode) or scaleMode == "Disabled")
| project recommendationId = "3f85a51c-e286-9f44-b4dc-51d00768696c", name, id, tags, param1 = "predictiveAutoscalePolicy_scaleMode: Disabled"
| order by id asc
Disable forced strictly even balance across zones to avoid failed scale-in and scale-out attempts
Impact: High Category: High Availability PG Verified: Verified
Description:
Microsoft advises disabling strictly even VM instance distribution across Availability Zones in VMSS to improve scalability and flexibility, noting that uneven distribution may better serve application load demands despite the potential trade-off in resilience.
Potential Benefits:
Improves scaling, reduces failed attempts
Learn More:
ARG Query:
// Azure Resource Graph Query
// Find VMSS instances where strictly zoneBalance is set to True
resources
| where type == "microsoft.compute/virtualmachinescalesets"
| where properties.orchestrationMode == "Uniform" and properties.zoneBalance == true
| project recommendationId = "b5a63aa0-c58e-244f-b8a6-cbba0560a6db", name, id, tags, param1 = "strictly zoneBalance: Enabled"
| order by id asc
Deploy VMSS across availability zones with VMSS Flex
Impact: High Category: High Availability PG Verified: Verified
Description:
When creating VMSS, implement availability zones as a protection measure for your applications and data against the rare event of datacenter failure.
Potential Benefits:
Enhances disaster resilience
Learn More:
ARG Query:
// Azure Resource Graph Query
// Find VMSS instances with one or no Zones selected
resources
| where type == "microsoft.compute/virtualmachinescalesets"
| where array_length(zones) <= 1 or isnull(zones)
| project recommendationId = "1422c567-782c-7148-ac7c-5fc14cf45adc", name, id, tags, param1 = "AvailabilityZones: Single Zone"
| order by id asc
Set Patch orchestration options to Azure-orchestrated
Impact: Low Category: Automation PG Verified: Verified
Description:
Enabling automatic VM guest patching eases update management by safely and automatically patching virtual machines to maintain security compliance, while limiting the blast radius across VMs. Note that the KQL query will not return scale sets using Uniform orchestration, because their instances are not exposed as separate virtual machine resources in ARG.
Potential Benefits:
Eases patch management, enhances security
Learn More:
ARG Query:
// Azure Resource Graph query
// Identifies VMs in Flexible scale sets whose Linux or Windows patch mode is not an automatic mode
// (Uniform scale set instances are not separate VM resources in ARG, so they are not returned)
resources
| where type == "microsoft.compute/virtualmachinescalesets"
| extend joinKey = tolower(id)
| join kind=inner (
    resources
    | where type == "microsoft.compute/virtualmachines"
    // resource id casing is not consistent between the two resource types, so join on a lower-cased key
    | project joinKey = tolower(tostring(properties.virtualMachineScaleSet.id)), vmproperties = properties
) on joinKey
// a VM has either a linuxConfiguration or a windowsConfiguration; take whichever patchMode is present
| extend patchMode = tostring(coalesce(vmproperties.osProfile.linuxConfiguration.patchSettings.patchMode, vmproperties.osProfile.windowsConfiguration.patchSettings.patchMode))
| where patchMode !in ("AutomaticByPlatform", "AutomaticByOS")
| extend recommendationId = "e4ffd7b0-ba24-c84e-9352-ba4819f908c0", param1 = strcat("patchMode: ", iff(isempty(patchMode), "not set", patchMode))
| distinct recommendationId, name, id, param1
Upgrade VMSS Image versions scheduled to be deprecated or already retired
Impact: High Category: Governance PG Verified: Verified
Description:
Ensure current versions of images are in use to avoid disruption after image deprecation. Review the publisher, offer and SKU information of the VM to ensure you are running on a supported image. Enable Auto Guest Patching or Image Upgrades to get notifications about image deprecation.
Potential Benefits:
Avoid disruptions by updating VMSS images.
Learn More:
ARG Query:
// Cannot be validated with ARG
Production VMSS instances should be using SSD disks
Impact: High Category: Scalability PG Verified: Verified
Description:
Using SSD disks for production workloads is advised, as HDDs can degrade performance and are suitable only for non-critical resources or those accessed infrequently.
Potential Benefits:
Faster access and reliability for VMSS
Learn More:
ARG Query:
// Azure Resource Graph Query
// Find all Uniform scale sets whose OS disk uses Standard_LRS (HDD) storage
resources
| where type == "microsoft.compute/virtualmachinescalesets"
| where tostring(properties.orchestrationMode) != "Flexible"
| where tostring(properties.virtualMachineProfile.storageProfile.osDisk.managedDisk.storageAccountType) == "Standard_LRS"
| project recommendationId = "1074f391-22bf-42f5-9c95-68af5ad89bf6", name, id, tags, param1 = "storageAccountType: Standard_LRS"
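The queries on this page all hinge on how ARG surfaces missing or loosely typed properties: an absent automaticRepairsPolicy, a null zones array, an enabled flag the queries compare as the strings "true"/"false", and resource ids whose casing differs between a scale set and its autoscale setting's targetResourceUri. This added example, which is not part of the APRL page or its code, evaluates the same conditions (Flex orchestration, health extension, automatic repairs, autoscale, zone balance, zones, OS disk type) offline in Python against constructed records in the shape of exported ARG output, so those edge cases can be checked before trusting query results; the subscription, resource group and scale set names in the sample records are placeholders.

```python
"""Offline evaluation of this page's VMSS checks over ARG-style records. Added example,
not APRL's code; records are constructed in the shape `az graph query` returns."""
def _get(d, path):
    """Walk a dotted path through nested dicts; any missing key yields None."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return None
        d = d[key]
    return d

def _truthy(v):
    """ARG may surface booleans as bool or as the strings 'true'/'false'."""
    return v is True or str(v).lower() == "true"

def evaluate(vmss, autoscale):
    """Return the set of recommendationIds from this page that fire for one scale set."""
    p, hits = vmss["properties"], set()
    if p.get("orchestrationMode") != "Flexible":
        hits.add("e7495e1c-0c75-0946-b266-b429b5c7f3bf")  # not Flex orchestration
    exts = _get(p, "virtualMachineProfile.extensionProfile.extensions") or []
    if not any(_get(e, "properties.type") in ("ApplicationHealthWindows",
                                              "ApplicationHealthLinux") for e in exts):
        hits.add("94794d2a-eff0-2345-9b67-6f9349d0a627")  # no health extension
    if not _truthy(_get(p, "automaticRepairsPolicy.enabled")):  # absent policy == off
        hits.add("820f4743-1f94-e946-ae0b-45efafd87962")
    mine = [a for a in autoscale  # joined on targetResourceUri; ARG id casing varies
            if str(_get(a, "properties.targetResourceUri")).lower() == vmss["id"].lower()]
    if not any(_truthy(_get(a, "properties.enabled")) for a in mine):
        hits.add("ee66ff65-9aa3-2345-93c1-25827cf79f44")  # no enabled autoscale
    if p.get("orchestrationMode") == "Uniform" and _truthy(p.get("zoneBalance")):
        hits.add("b5a63aa0-c58e-244f-b8a6-cbba0560a6db")  # strict zone balance
    if len(vmss.get("zones") or []) <= 1:  # null zones counts as single zone
        hits.add("1422c567-782c-7148-ac7c-5fc14cf45adc")
    disk = "virtualMachineProfile.storageProfile.osDisk.managedDisk.storageAccountType"
    if p.get("orchestrationMode") != "Flexible" and _get(p, disk) == "Standard_LRS":
        hits.add("1074f391-22bf-42f5-9c95-68af5ad89bf6")  # HDD OS disk on Uniform
    return hits

# Constructed sample records; subscription, group and set names are placeholders.
LEGACY = {"id": "/subscriptions/s/resourceGroups/RG/providers/Microsoft.Compute/virtualMachineScaleSets/legacy",
          "zones": None, "properties": {"orchestrationMode": "Uniform", "zoneBalance": True,
          "virtualMachineProfile": {"storageProfile": {"osDisk": {"managedDisk": {"storageAccountType": "Standard_LRS"}}}}}}
MODERN = {"id": "/subscriptions/s/resourcegroups/rg/providers/microsoft.compute/virtualmachinescalesets/modern",
          "zones": ["1", "2", "3"], "properties": {"orchestrationMode": "Flexible",
          "automaticRepairsPolicy": {"enabled": "true"}, "virtualMachineProfile": {"extensionProfile":
          {"extensions": [{"properties": {"type": "ApplicationHealthLinux"}}]}}}}
AUTOSCALE = [{"properties": {"enabled": True, "targetResourceUri":
              "/subscriptions/s/resourceGroups/RG/providers/Microsoft.Compute/virtualMachineScaleSets/modern"}}]
```

Feed it the `data` array from a real `az graph query` export and the result for each scale set should match the recommendationIds the ARG queries report; a disagreement points at one of the null or casing edge cases above.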