Compute Gallery


The presented resiliency recommendations in this guidance include Compute Gallery and dependent resources and settings.

Summary of Recommendations

Recommendations Details

CG-1 - A minimum of three replicas should be kept for production image versions

Category: Availability

Impact: Medium

Guidance

Keep a minimum of 3 replicas for production images. In multi-VM deployment scenarios the VM deployments can be spread across different replicas, reducing the chance that instance creation is throttled because a single replica is overloaded. For every 20 VMs that you create concurrently, we recommend you keep one replica. For example, if you create 1000 VMs concurrently, you should keep 50 replicas (you can have a maximum of 50 replicas per region). To update the replica count, go to the gallery -> Image Definition -> Image Version -> Update replication.

Resources

Resource Graph Query

// Azure Resource Graph Query
// Query to list all image versions, their associated image name and their per-region replica configuration, for every target region where the version has fewer than 3 replicas
resources
| where type =~ "microsoft.compute/galleries/images/versions"
| extend GalleryName = tostring(split(tostring(id), "/")[8]), ImageName = tostring(split(tostring(id), "/")[10])
| mv-expand VersionReplicas = properties.publishingProfile.targetRegions
| project RecommendationId="cg-1",name,id,tags,param1=strcat("GalleryName: ",GalleryName),param2=strcat("ImageName: ",ImageName),param3=strcat("VersionReplicaRegionName: ",VersionReplicas.name),param4=strcat("VersionReplicationCount: ",VersionReplicas.regionalReplicaCount),rc=toint(VersionReplicas.regionalReplicaCount)
| where rc < 3
| project-away rc



CG-2 - Zone redundant storage should be used for image versions

Category: Availability

Impact: Medium

Guidance

Use ZRS wherever it is available for high availability. You can configure ZRS in the replication tab when you create a version of the image or VM application. Azure Zone Redundant Storage (ZRS) provides resilience against an Availability Zone failure in the region. With the general availability of Azure Compute Gallery, you can choose to store your images in ZRS accounts in regions with Availability Zones, and you can choose the account type separately for each target region. The default storage account type is Standard_LRS, but it is recommended to select Standard_ZRS for regions with Availability Zones.

Resources

Resource Graph Query

// Azure Resource Graph Query
// Query to list all image versions, with their associated image and gallery names, whose storage account type is not a ZRS type
resources
| where type =~ "microsoft.compute/galleries/images/versions"
| extend GalleryName = tostring(split(tostring(id), "/")[8]), ImageName = tostring(split(tostring(id), "/")[10])
| extend StorageAccountType = tostring(properties.publishingProfile.storageAccountType)
| where StorageAccountType !has "ZRS"
| project RecommendationId="cg-2",name,id,tags,param1=strcat("GalleryName: ",GalleryName),param2=strcat("ImageName: ",ImageName),param3=strcat("StorageAccountType: ",StorageAccountType)



CG-3 - Consider creating TrustedLaunchSupported images where possible

Category: Access & Security

Impact: Low

Guidance

We recommend that you create Trusted Launch supported images to take advantage of features like Secure Boot, vTPM, trusted launch VMs and large boot volumes. Trusted Launch supported images are Gen 2 images by default. You can't change a virtual machine's generation after you've created it, so review the considerations before choosing the generation.

Resources

Resource Graph Query

// Azure Resource Graph Query
// Query to list all images whose Hyper-V generation is not V2
resources
| where type =~ "microsoft.compute/galleries/images"
| extend VMGeneration = properties.hyperVGeneration
| where VMGeneration <> 'V2'
| project RecommendationId="cg-3",name,id,tags,param1=strcat("VMGeneration: ",VMGeneration)
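The three Resource Graph queries above can also be exercised offline against the JSON a gallery listing returns. The following Python script is an added example, not part of this guidance or of any Azure tooling: it mirrors the CG-1, CG-2 and CG-3 checks (same resource id path positions and the same property names the queries use) over constructed sample records, and implements the CG-1 sizing rule of one replica per 20 concurrent VMs with the 3-replica floor and 50-replica regional cap. The subscription, gallery, image and region names are made up.

```python
import math

# Constructed sample records in the shape the Resource Graph queries read; all names and
# values below are made up for illustration.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images/providers"
IMAGE_VERSIONS = [
    {"id": SUB + "/Microsoft.Compute/galleries/galProd/images/ubuntu-web/versions/1.0.0",
     "properties": {"publishingProfile": {"storageAccountType": "Standard_LRS", "targetRegions": [
         {"name": "eastus", "regionalReplicaCount": 1},
         {"name": "westeurope", "regionalReplicaCount": 3}]}}},
    {"id": SUB + "/Microsoft.Compute/galleries/galProd/images/win-app/versions/2.1.0",
     "properties": {"publishingProfile": {"storageAccountType": "Standard_ZRS", "targetRegions": [
         {"name": "eastus", "regionalReplicaCount": 5}]}}},
]
IMAGE_DEFINITIONS = [
    {"id": SUB + "/Microsoft.Compute/galleries/galProd/images/ubuntu-web", "properties": {"hyperVGeneration": "V1"}},
    {"id": SUB + "/Microsoft.Compute/galleries/galProd/images/win-app", "properties": {"hyperVGeneration": "V2"}},
]

def gallery_and_image(resource_id):
    """Same path positions the queries use: split on '/' and take segments 8 and 10."""
    parts = resource_id.split("/")
    return parts[8], parts[10]

def recommended_replicas(concurrent_vms):
    """CG-1 sizing rule: one replica per 20 concurrent VMs, at least 3, at most 50 per region."""
    return max(3, min(50, math.ceil(concurrent_vms / 20)))

def cg1_findings(versions, minimum=3):
    """Mirror of the CG-1 query: one finding per target region with fewer than `minimum` replicas."""
    out = []
    for v in versions:
        gallery, image = gallery_and_image(v["id"])
        for region in v["properties"]["publishingProfile"]["targetRegions"]:
            count = int(region["regionalReplicaCount"])
            if count < minimum:
                out.append({"id": "cg-1", "gallery": gallery, "image": image,
                            "region": region["name"], "replicas": count})
    return out

def cg2_findings(versions):
    """Mirror of the CG-2 query: versions whose storage account type is not a ZRS type."""
    out = []
    for v in versions:
        sa_type = v["properties"]["publishingProfile"]["storageAccountType"]
        if "ZRS" not in sa_type:
            out.append({"id": "cg-2", "image": gallery_and_image(v["id"])[1], "storageAccountType": sa_type})
    return out

def cg3_findings(images):
    """Mirror of the CG-3 query: image definitions whose Hyper-V generation is not V2."""
    return [{"id": "cg-3", "image": gallery_and_image(i["id"])[1], "generation": i["properties"]["hyperVGeneration"]}
            for i in images if i["properties"]["hyperVGeneration"] != "V2"]

if __name__ == "__main__":
    for finding in cg1_findings(IMAGE_VERSIONS) + cg2_findings(IMAGE_VERSIONS) + cg3_findings(IMAGE_DEFINITIONS):
        print(finding)
```

Feeding the script real `az sig image-version list` / `az sig image-definition list` output requires only that the records keep the `id` and `properties` fields the queries read.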