Production VM workloads should be deployed on multiple VMs and grouped in a VMSS Flex instance to intelligently distribute across the platform, minimizing the impact of platform faults and updates.
Azure Availability Zones are physically separate locations within an Azure region. Because of that separation they tolerate local failures, protecting applications and data against the unlikely event of a datacenter failure.
Availability sets will soon be retired. Migrate workloads from VMs to VMSS Flex for deployment across zones or within the same zone across different fault domains (FDs) and update domains (UDs) for better reliability.
Replicating Azure VMs via Site Recovery entails continuous, asynchronous disk replication to a target region. Recovery points are generated every few minutes, ensuring a Recovery Point Objective (RPO) in minutes.
A data disk is a managed disk attached to a virtual machine for storing database or other essential data. These disks are presented to the VM as SCSI drives and can be labeled as you choose.
Enable backups for your virtual machines with Azure Backup to secure and quickly recover your data. This service offers simple, secure, and cost-effective solutions for backing up and recovering data from the Microsoft Azure cloud.
Azure Virtual Machines (VM) instances have various states, such as provisioning states and power states. A VM that is not running may indicate a problem, or that the VM is no longer needed, in which case removing it helps cut costs.
Accelerated networking enables SR-IOV to a VM, greatly improving its networking performance by bypassing the host from the data path, which reduces latency, jitter, and CPU utilization for demanding network workloads on supported VM types.
When AccelNet is enabled, you must manually update the GuestOS NIC driver
Impact: Low | Category: Governance | PG Verified: Verified
Description:
When Accelerated Networking is enabled, the default Azure VNet interface in the guest OS is swapped for a Mellanox interface whose driver comes from a third party. Marketplace images ship with the latest Mellanox drivers, but after deployment, keeping the driver updated is the user's responsibility.
For outbound internet connectivity of Virtual Machines, using NAT Gateway or Azure Firewall is recommended to enhance security and service resilience, thanks to their higher availability and SNAT ports.
VM network interfaces and associated subnets both have a Network Security Group associated
Impact: Low | Category: Security | PG Verified: Verified
Description:
Unless you have a specific reason, it's advised to associate a network security group to a subnet or a network interface, but not both, to avoid unexpected communication issues and troubleshooting due to potential rule conflicts between the two associations.
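An added Azure Resource Graph query (example code, not one of the library's own queries) that lists network interfaces carrying their own NSG while their subnet also carries one, so each double association can be reviewed. It assumes the standard `resources` table and the NIC and virtual network property paths shown in the comments.

```kusto
// Added example: find NICs that have an NSG AND sit in a subnet that also has an NSG.
// NIC side: properties.networkSecurityGroup.id and properties.ipConfigurations[].properties.subnet.id
resources
| where type =~ 'Microsoft.Network/networkInterfaces'
| where isnotempty(properties.networkSecurityGroup.id)
| mv-expand ipconfig = properties.ipConfigurations
| project nicName = name,
          nicId = id,
          vmId = tostring(properties.virtualMachine.id),
          nicNsg = tostring(properties.networkSecurityGroup.id),
          subnetId = tolower(tostring(ipconfig.properties.subnet.id))
| join kind=inner (
    // Subnet side: properties.subnets[].properties.networkSecurityGroup.id on the VNet resource
    resources
    | where type =~ 'Microsoft.Network/virtualNetworks'
    | mv-expand subnet = properties.subnets
    | where isnotempty(subnet.properties.networkSecurityGroup.id)
    | project subnetId = tolower(tostring(subnet.id)),
              subnetNsg = tostring(subnet.properties.networkSecurityGroup.id)
) on subnetId
// Both associations present: the effective rule set is the intersection of the two NSGs
| project nicName, nicId, vmId, nicNsg, subnetNsg
| order by nicId asc
```

Rows returned are candidates for consolidating the rules into one NSG and removing the other association, after confirming the intended traffic still passes.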
IP forwarding allows a virtual machine network interface to receive and send network traffic not destined for or originating from its assigned IP addresses.
Shared disks should only be enabled in clustered servers
Impact: Medium | Category: Other Best Practices | PG Verified: Verified
Description:
Azure shared disks let you attach a disk to multiple VMs at once for deploying or migrating clustered applications, suitable only when a disk is shared among VM cluster members.
Network access to the VM disk should be set to Disable public access and enable private access
Impact: Low | Category: Security | PG Verified: Verified
Description:
It is recommended to change the setting to "Disable public access and enable private access" and to create a Private Endpoint. This improves security by restricting direct public access and ensuring connections to the disk are made privately, enhancing data protection and minimizing exposure to external threats.
Azure Resource Graph query:

```kusto
// Azure Resource Graph Query
// Find all Disks with "Enable public access from all networks" enabled
resources
| where type =~ 'Microsoft.Compute/disks'
| where properties.publicNetworkAccess == "Enabled"
| project id, name, tags, lowerCaseDiskId = tolower(id)
| join kind=leftouter (
    resources
    | where type =~ 'Microsoft.Compute/virtualMachines'
    | project osDiskVmName = name, lowerCaseOsDiskId = tolower(properties.storageProfile.osDisk.managedDisk.id)
    | join kind=fullouter (
        resources
        | where type =~ 'Microsoft.Compute/virtualMachines'
        | mv-expand dataDisks = properties.storageProfile.dataDisks
        | project dataDiskVmName = name, lowerCaseDataDiskId = tolower(dataDisks.managedDisk.id)
    ) on $left.lowerCaseOsDiskId == $right.lowerCaseDataDiskId
    | project lowerCaseDiskId = coalesce(lowerCaseOsDiskId, lowerCaseDataDiskId), vmName = coalesce(osDiskVmName, dataDiskVmName)
) on lowerCaseDiskId
| summarize vmNames = make_set(vmName) by name, id, tostring(tags)
| extend param1 = iif(isempty(vmNames[0]), "VMName: n/a", strcat("VMName: ", strcat_array(vmNames, ", ")))
| project recommendationId = "70b1d2be-e6c4-b54e-9959-b1b690f9e485", name, id, tags, param1
| order by id asc
```
Ensure that your VMs are compliant with Azure Policies
Impact: Low | Category: Governance | PG Verified: Verified
Description:
Keeping your virtual machine (VM) secure is crucial for the applications you run. This involves using various Azure services and features to ensure secure access to your VMs and the secure storage of your data, aiming for overall security of your VM and applications.
Virtual Machines should have Azure Disk Encryption or EncryptionAtHost enabled
Impact: High | Category: Security | PG Verified: Verified
Description:
Consider enabling Azure Disk Encryption (ADE) for encrypting Azure VM disks using DM-Crypt (Linux) or BitLocker (Windows). Additionally, consider Encryption at host and Confidential disk encryption for enhanced data security.
Azure Resource Graph query:

```kusto
// under-development
```
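An added Azure Resource Graph query (example code, not the library's own query, which the page marks as under development) that lists VMs with neither EncryptionAtHost enabled nor an Azure Disk Encryption extension installed. It assumes the `properties.securityProfile.encryptionAtHost` VM property and the ADE extension publisher and type names noted in the comments.

```kusto
// Added example: VMs that have neither EncryptionAtHost nor the ADE extension.
resources
| where type =~ 'Microsoft.Compute/virtualMachines'
// encryptionAtHost is absent (null) on VMs where the feature was never set
| extend encryptionAtHost = tobool(properties.securityProfile.encryptionAtHost)
| project vmId = tolower(id), vmName = name, resourceGroup, encryptionAtHost
| join kind=leftouter (
    // ADE is delivered as a VM extension from publisher Microsoft.Azure.Security,
    // type AzureDiskEncryption (Windows) or AzureDiskEncryptionForLinux (Linux)
    resources
    | where type =~ 'Microsoft.Compute/virtualMachines/extensions'
    | where tostring(properties.publisher) =~ 'Microsoft.Azure.Security'
    | where tostring(properties.type) in~ ('AzureDiskEncryption', 'AzureDiskEncryptionForLinux')
    // extension id is <vmId>/extensions/<name>; strip the suffix to get the parent VM id
    | project vmId = tolower(substring(id, 0, indexof(id, '/extensions/'))), adeExtension = name
) on vmId
| where (isnull(encryptionAtHost) or encryptionAtHost == false) and isempty(adeExtension)
| project vmName, resourceGroup, vmId, encryptionAtHost
| order by vmId asc
```

A VM listed here still has platform-managed encryption at rest on its managed disks; what it lacks is the host-side or guest-side encryption this recommendation asks for.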
Enable VM Insights
Impact: Low | Category: Monitoring and Alerting | PG Verified: Verified
Description:
VM Insights monitors VM and scale set performance, health, running processes, and dependencies. It enhances the predictability of application performance and availability by pinpointing performance bottlenecks and network issues, and it clarifies if problems are related to other dependencies.
Configure monitoring for all Azure Virtual Machines
Impact: Low | Category: Monitoring and Alerting | PG Verified: Verified
Description:
Azure Monitor Metrics automatically receives platform metrics, but platform logs, which offer detailed diagnostics and auditing for resources and their Azure platform, need to be manually routed for collection.
The maintenance configuration settings let users schedule and manage updates, making sure the updates or interruptions on the VM are performed within a planned timeframe.
A-series VMs are tailored for entry-level workloads like development and testing, including use cases such as development and test servers, low traffic web servers, and small to medium databases.
Compared to Standard HDD and SSD, Premium SSD, SSDv2, and Ultra SSDs offer improved performance, configurability, and higher single-instance Virtual Machine uptime SLAs. The lowest SLA of all disks on a Virtual Machine applies, so it is best to use Premium or Ultra Disks for the highest uptime SLA.
Potential Benefits:
Enhanced performance, cost efficiency, and uptime SLA
If the workload is maintenance sensitive, consider Azure Boost compatible VMs. Azure Boost is designed to lessen the impact on customers when Azure maintenance activities occur on the host; the current list of compatible VM sizes is documented in the first link below.
If your workload is Maintenance sensitive, enable Scheduled Events. This Azure Metadata Service lets your app prepare for virtual machine maintenance by providing information on upcoming events like reboots, reducing disruptions.
Azure Disks offer a zone-redundant storage (ZRS) option for workloads that need to be resilient to an entire zone being down. Because data is replicated across zones, ZRS disks have higher write latency than the locally-redundant (LRS) option, so make sure to benchmark your disks.
Azure Capacity Reservations ensure high availability for virtual machines by reserving compute capacity in advance within a specific region or availability zone. This guarantees that VMs will have the necessary resources during peak demand or maintenance events, enhancing reliability and uptime.