virtualMachines
Summary
Details
Run production workloads on two or more VMs using VMSS Flex
Impact: High Category: High Availability
APRL GUID: 273f6b30-68e0-4241-85ea-acf15ffb60bf
Description:
Production VM workloads should be deployed on multiple VMs and grouped in a VMSS Flex instance to intelligently distribute across the platform, minimizing the impact of platform faults and updates.
Potential Benefits:
Enhanced fault/update resilience
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all VMs that are not associated with a VMSS Flex instance
resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| where isnull(properties.virtualMachineScaleSet.id)
| project recommendationId="273f6b30-68e0-4241-85ea-acf15ffb60bf", name, id, tags
Deploy VMs across Availability Zones
Impact: High Category: High Availability
APRL GUID: 2bd0be95-a825-6f47-a8c6-3db1fb5eb387
Description:
Azure Availability Zones, within each Azure region, are tolerant to local failures, protecting applications and data against unlikely Datacenter failures by being physically separate.
Potential Benefits:
Enhanced VM resilience to failures
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all VMs that are not assigned to a Zone
Resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where isnull(zones)
| project recommendationId="2bd0be95-a825-6f47-a8c6-3db1fb5eb387", name, id, tags, param1="No Zone"
Migrate VMs using availability sets to VMSS Flex
Impact: High Category: High Availability
APRL GUID: a8d25876-7951-b646-b4e8-880c9031596b
Description:
While availability sets are not scheduled for immediate deprecation, they are planned to be deprecated in the future. Migrate workloads from VMs to VMSS Flex for deployment across zones or within the same zone across different fault domains (FDs) for better reliability.
Potential Benefits:
Enhances reliability and future-proofs VMs
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all VMs using Availability Sets
resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| where isnotnull(properties.availabilitySet)
| project recommendationId = "a8d25876-7951-b646-b4e8-880c9031596b", name, id, tags, param1=strcat("availabilitySet: ",properties.availabilitySet.id)
Replicate VMs using Azure Site Recovery
Impact: Medium Category: Disaster Recovery
APRL GUID: cfe22a65-b1db-fd41-9e8e-d573922709ae
Description:
Replicating Azure VMs via Site Recovery entails continuous, asynchronous disk replication to a target region. Recovery points are generated every few minutes, ensuring a Recovery Point Objective (RPO) in minutes.
Potential Benefits:
Minimize downtime in disasters
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all VMs that do NOT have replication with ASR enabled
resources
| where type =~ "Microsoft.Compute/virtualMachines"
| extend securityType = iif(isnull(properties.securityProfile.securityType), "Standard", properties.securityProfile.securityType)
| where securityType !in~ ("TrustedLaunch", "ConfidentialVM")
| project id, vmIdForJoin = tolower(id), name, tags
| join kind = leftouter (
recoveryservicesresources
| where type =~ "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems"
and properties.providerSpecificDetails.dataSourceInfo.datasourceType =~ "AzureVm"
| project vmResourceId = tolower(properties.providerSpecificDetails.dataSourceInfo.resourceId)
)
on $left.vmIdForJoin == $right.vmResourceId
| where isempty(vmResourceId)
| project recommendationId = "cfe22a65-b1db-fd41-9e8e-d573922709ae", name, id, tags
Use Managed Disks for VM disks
Impact: High Category: High Availability
APRL GUID: 122d11d7-b91f-8747-a562-f56b79bcfbdc
Description:
Azure is retiring unmanaged disks on September 30, 2025. Users should plan the migration to avoid disruptions and maintain service reliability.
Potential Benefits:
Avoid retirement disruption, enhance reliability
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all VMs that are not using Managed Disks
Resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| where isnull(properties.storageProfile.osDisk.managedDisk)
| project recommendationId = "122d11d7-b91f-8747-a562-f56b79bcfbdc", name, id, tags
Backup VMs with Azure Backup service
Impact: Medium Category: Disaster Recovery
APRL GUID: 1981f704-97b9-b645-9c57-33f8ded9261a
Description:
Enable backups for your virtual machines with Azure Backup to secure and quickly recover your data. This service offers simple, secure, and cost-effective solutions for backing up and recovering data from the Microsoft Azure cloud.
Potential Benefits:
Secure data recovery and backup
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all VMs that do NOT have Backup enabled
// Run query to see results.
resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| project name, id, tags
| join kind=leftouter (
recoveryservicesresources
| where type =~ 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems'
| where properties.dataSourceInfo.datasourceType =~ 'Microsoft.Compute/virtualMachines'
| project idBackupEnabled=properties.sourceResourceId
| extend name=strcat_array(array_slice(split(idBackupEnabled, '/'), 8, -1), '/')
) on name
| where isnull(idBackupEnabled)
| project-away idBackupEnabled
| project-away name1
| project recommendationId = "1981f704-97b9-b645-9c57-33f8ded9261a", name, id, tags
| order by id asc
Enable Accelerated Networking (AccelNet)
Impact: Medium Category: Scalability
APRL GUID: dfedbeb1-1519-fc47-86a5-52f96cf07105
Description:
Accelerated networking enables SR-IOV to a VM, greatly improving its networking performance by bypassing the host from the data path, which reduces latency, jitter, and CPU utilization for demanding network workloads on supported VM types.
Potential Benefits:
Reduces latency, jitter and CPU use
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all VM NICs that do not have Accelerated Networking enabled
resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| mv-expand nic = properties.networkProfile.networkInterfaces
| project name, id, tags, lowerCaseNicId = tolower(nic.id), vmSize = tostring(properties.hardwareProfile.vmSize)
| join kind = inner (
resources
| where type =~ 'Microsoft.Network/networkInterfaces'
| where properties.enableAcceleratedNetworking == false
| project nicName = split(id, "/")[8], lowerCaseNicId = tolower(id)
)
on lowerCaseNicId
| summarize nicNames = make_set(nicName) by name, id, tostring(tags), vmSize
| extend param1 = strcat("NicName: ", strcat_array(nicNames, ", ")), param2 = strcat("VMSize: ", vmSize)
| project recommendationId = "dfedbeb1-1519-fc47-86a5-52f96cf07105", name, id, tags, param1, param2
| order by id asc
When AccelNet is enabled, you must manually update the GuestOS NIC driver
Impact: Low Category: Governance
APRL GUID: 73d1bb04-7d3e-0d47-bc0d-63afe773b5fe
Description:
When Accelerated Networking is enabled, the default Azure VNet interface in GuestOS is swapped for a Mellanox, and its driver comes from a 3rd party. Marketplace images have the latest Mellanox drivers, but post-deployment, updating the driver is the user's responsibility.
Potential Benefits:
Enhanced VM network efficiency
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// cannot-be-validated-with-arg
IP Forwarding should only be enabled for Network Virtual Appliances
Impact: Medium Category: Security
APRL GUID: 41a22a5e-5e08-9647-92d0-2ffe9ef1bdad
Description:
IP forwarding allows a virtual machine network interface to receive and send network traffic not destined for or originating from its assigned IP addresses.
Potential Benefits:
Enhances network appliance function
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all VM NICs that have IPForwarding enabled. This feature is usually only required for Network Virtual Appliances
Resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| where isnotnull(properties.networkProfile.networkInterfaces)
| mv-expand nic=properties.networkProfile.networkInterfaces
| project name, id, tags, nicId = nic.id
| extend nicId = tostring(nicId)
| join kind=inner (
Resources
| where type =~ 'Microsoft.Network/networkInterfaces'
| where properties.enableIPForwarding == true
| project nicId = tostring(id)
) on nicId
| project recommendationId = "41a22a5e-5e08-9647-92d0-2ffe9ef1bdad", name, id, tags
| order by id asc
Enable VM Insights
Impact: Low Category: Monitoring and Alerting
APRL GUID: b72214bb-e879-5f4b-b9cd-642db84f36f4
Description:
VM Insights monitors VM and scale set performance, health, running processes, and dependencies. It enhances the predictability of application performance and availability by pinpointing performance bottlenecks and network issues, and it clarifies if problems are related to other dependencies.
Potential Benefits:
Improves VM performance and health
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Check for VMs without Azure Monitoring Agent extension installed, missing Data Collection Rule or Data Collection Rule without performance enabled.
Resources
| where type == 'microsoft.compute/virtualmachines'
| project idVm = tolower(id), name, tags
| join kind=leftouter (
InsightsResources
| where type =~ "Microsoft.Insights/dataCollectionRuleAssociations" and id has "Microsoft.Compute/virtualMachines"
| project idDcr = tolower(properties.dataCollectionRuleId), idVmDcr = tolower(substring(id, 0, indexof(id, "/providers/Microsoft.Insights/dataCollectionRuleAssociations/"))))
on $left.idVm == $right.idVmDcr
| join kind=leftouter (
Resources
| where type =~ "Microsoft.Insights/dataCollectionRules"
| extend
isPerformanceEnabled = iif(properties.dataSources.performanceCounters contains "Microsoft-InsightsMetrics" and properties.dataFlows contains "Microsoft-InsightsMetrics", true, false),
isMapEnabled = iif(properties.dataSources.extensions contains "Microsoft-ServiceMap" and properties.dataSources.extensions contains "DependencyAgent" and properties.dataFlows contains "Microsoft-ServiceMap", true, false)//,
| where isPerformanceEnabled or isMapEnabled
| project dcrName = name, isPerformanceEnabled, isMapEnabled, idDcr = tolower(id))
on $left.idDcr == $right.idDcr
| join kind=leftouter (
Resources
| where type == 'microsoft.compute/virtualmachines/extensions' and (name contains 'AzureMonitorWindowsAgent' or name contains 'AzureMonitorLinuxAgent')
| extend idVmExtension = tolower(substring(id, 0, indexof(id, '/extensions'))), extensionName = name)
on $left.idVm == $right.idVmExtension
| where isPerformanceEnabled != 1 or (extensionName != 'AzureMonitorWindowsAgent' and extensionName != 'AzureMonitorLinuxAgent')
| project recommendationId = "b72214bb-e879-5f4b-b9cd-642db84f36f4", name, id = idVm, tags, param1 = strcat('MonitoringExtension:', extensionName), param2 = strcat('DataCollectionRuleId:', idDcr), param3 = strcat('isPerformanceEnabled:', isPerformanceEnabled)
Configure monitoring for all Azure Virtual Machines
Impact: Low Category: Monitoring and Alerting
APRL GUID: 4a9d8973-6dba-0042-b3aa-07924877ebd5
Description:
Azure Monitor Metrics automatically receives platform metrics, but platform logs, which offer detailed diagnostics and auditing for resources and their Azure platform, need to be manually routed for collection.
Potential Benefits:
Enhanced diagnostics and auditing capability
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all Virtual Machines without diagnostic settings enabled/with diagnostic settings enabled but not configured both performance counters and event logs/syslogs.
resources
| where type =~ "microsoft.compute/virtualmachines"
| project name, id, tags, lowerCaseVmId = tolower(id)
| join kind = leftouter (
resources
| where type =~ "Microsoft.Compute/virtualMachines/extensions" and properties.publisher =~ "Microsoft.Azure.Diagnostics"
| project
lowerCaseVmIdOfExtension = tolower(substring(id, 0, indexof(id, "/extensions/"))),
extensionType = properties.type,
provisioningState = properties.provisioningState,
storageAccount = properties.settings.StorageAccount,
// Windows
wadPerfCounters = properties.settings.WadCfg.DiagnosticMonitorConfiguration.PerformanceCounters.PerformanceCounterConfiguration,
wadEventLogs = properties.settings.WadCfg.DiagnosticMonitorConfiguration.WindowsEventLog,
// Linux
ladPerfCounters = properties.settings.ladCfg.diagnosticMonitorConfiguration.performanceCounters.performanceCounterConfiguration,
ladSyslog = properties.settings.ladCfg.diagnosticMonitorConfiguration.syslogEvents
| extend
// Windows
isWadPerfCountersConfigured = iif(array_length(wadPerfCounters) > 0, true, false),
isWadEventLogsConfigured = iif(isnotnull(wadEventLogs) and array_length(wadEventLogs.DataSource) > 0, true, false),
// Linux
isLadPerfCountersConfigured = iif(array_length(ladPerfCounters) > 0, true, false),
isLadSyslogConfigured = isnotnull(ladSyslog)
| project
lowerCaseVmIdOfExtension,
extensionType,
provisioningState,
storageAccount,
isPerfCountersConfigured = case(extensionType =~ "IaaSDiagnostics", isWadPerfCountersConfigured, extensionType =~ "LinuxDiagnostic", isLadPerfCountersConfigured, false),
isEventLogsConfigured = case(extensionType =~ "IaaSDiagnostics", isWadEventLogsConfigured, extensionType =~ "LinuxDiagnostic", isLadSyslogConfigured, false)
)
on $left.lowerCaseVmId == $right.lowerCaseVmIdOfExtension
| where isempty(lowerCaseVmIdOfExtension) or provisioningState !~ "Succeeded" or not(isPerfCountersConfigured and isEventLogsConfigured)
| extend
param1 = strcat("DiagnosticSetting: ", iif(isnotnull(extensionType), strcat("Enabled, partially configured (", extensionType, ")"), "Not enabled")),
param2 = strcat("ProvisioningState: ", iif(isnotnull(provisioningState), provisioningState, "n/a")),
param3 = strcat("storageAccount: ", iif(isnotnull(storageAccount), storageAccount, "n/a")),
param4 = strcat("PerformanceCounters: ", case(isnull(isPerfCountersConfigured), "n/a", isPerfCountersConfigured, "Configured", "Not configured")),
param5 = strcat("EventLogs/Syslogs: ", case(isnull(isEventLogsConfigured), "n/a", isEventLogsConfigured, "Configured", "Not configured"))
| project recommendationId = "4a9d8973-6dba-0042-b3aa-07924877ebd5", name, id, tags, param1, param2, param3, param4, param5
Use maintenance configurations for the VMs
Impact: High Category: High Availability
APRL GUID: 52ab9e5c-eec0-3148-8bd7-b6dd9e1be870
Description:
The maintenance configuration settings let users schedule and manage updates, making sure the updates or interruptions on the VM are performed within a planned timeframe.
Potential Benefits:
Scheduled updates for VMs
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find VMS that do not have maintenance configuration assigned
Resources
| extend resourceId = tolower(id)
| project name, location, type, id, tags, resourceId, properties
| where type =~ 'Microsoft.Compute/virtualMachines'
| join kind=leftouter (
maintenanceresources
| where type =~ "microsoft.maintenance/configurationassignments"
| project planName = name, type, maintenanceProps = properties
| extend resourceId = tostring(maintenanceProps.resourceId)
) on resourceId
| where isnull(maintenanceProps)
| project recommendationId = "52ab9e5c-eec0-3148-8bd7-b6dd9e1be870",name, id, tags
| order by id asc
Don't use A or B-Series VMs for production needing constant full CPU performance
Impact: High Category: Scalability
APRL GUID: 3201dba8-d1da-4826-98a4-104066545170
Description:
A-series VMs are tailored for entry-level workloads like development and testing, including use cases such as development and test servers, low traffic web servers, and small to medium databases.
Potential Benefits:
Ensures full CPU usage for heavy tasks
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all VMs using A or B series families
resources
| where type == 'microsoft.compute/virtualmachines'
| where properties.hardwareProfile.vmSize contains "Standard_B" or properties.hardwareProfile.vmSize contains "Standard_A"
| project recommendationId = "3201dba8-d1da-4826-98a4-104066545170", name, id, tags, param1=strcat("vmSku: " , properties.hardwareProfile.vmSize)