Basic/Consumption SKU Should not be Used in Production

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Subscriptions-004

Ensure that the Basic/Consumption SKU is not used for Azure cloud resources that need to be monitored, such as production workloads. The following Azure resource types should use standard SKUs as a minimum:

  • Public IP Addresses
  • Network Load Balancers
  • SQL Databases
  • VPN Gateways
  • Redis Cache Clusters

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Operational excellence
Reliability
Security

Basic or Consumption SKUs in Azure may offer cost savings, but they come with notable limitations in monitoring capabilities and in support from Microsoft. These SKUs generally lack a Service-Level Agreement (SLA), and Microsoft typically does not provide support for them. As a result, using Basic/Consumption SKUs for production workloads is strongly discouraged.


Audit

To determine if the Basic/Consumption SKU is used for resources that need to be monitored, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to the Resource Graph Explorer blade at https://portal.azure.com/#view/HubsExtension/ArgQueryBlade.

03 On the Azure Resource Graph Explorer page, select the subscription that you want to examine from the Scope filter box and choose Apply.

04 Select New query, paste the following query in the query box, and choose Run query:

Resources | where sku contains 'Basic' or sku contains 'Consumption' | order by type

05 Choose the Results tab and select On next to Formatted results.

06 Click on the name (link) of the Azure resource that you want to examine, with the SKU set to Basic or Consumption.

07 Select Overview from the blade menu and evaluate the selected artifact in order to determine if the cloud resource is used in production or needs to be monitored. If the selected Azure cloud resource is being monitored or is used in production, you must upgrade the resource's SKU from Basic/Consumption to Standard.

08 Repeat steps no. 6 and 7 for each resource (artifact) with the Basic/Consumption SKU, provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Microsoft Azure subscription created within your cloud account.

Using Azure CLI

01 Run the graph query command (Windows/macOS/Linux) to describe the configuration information for each Azure cloud resource with the SKU set to Basic or Consumption, available within the selected Azure subscription:

az graph query \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  -q "Resources | where sku contains 'Basic' or sku contains 'consumption' | order by type"

02 Type Y and press Enter to install the resource-graph extension:

The command requires the extension resource-graph. Do you want to install it now? The command will continue to run after the extension is installed. (Y/n): Y

03 The command output should return the requested configuration information:

{
	"count": 1,
	"data": [
		{
			"extendedLocation": null,
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-production-server-ip",
			"identity": null,
			"kind": "",
			"location": "westeurope",
			"managedBy": "",
			"name": "cc-production-server-ip",
			"plan": null,
			"properties": {
				"idleTimeoutInMinutes": 4,
				"ipAddress": "51.144.182.92",
				"ipTags": [],
				"provisioningState": "Succeeded",
				"publicIPAddressVersion": "IPv4",
				"publicIPAllocationMethod": "Static",
				"resourceGuid": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
			},
			"resourceGroup": "cloud-shell-storage-westeurope",
			"sku": {
				"name": "Basic",
				"tier": "Regional"
			},
			"subscriptionId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
			"tags": {},
			"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
			"type": "microsoft.network/publicipaddresses",
			"zones": null
		}
	],
	"skip_token": null,
	"total_records": 1
}

Evaluate each artifact (object) returned by the graph query command output in order to determine if the verified cloud resource is used in production or needs to be monitored. If the selected Azure cloud resource is being monitored or is used in production, you must upgrade the resource's SKU from Basic/Consumption to Standard.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
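The evaluation in step 03 can be pre-sorted with a short script. The following is an added example, not part of the Conformity rule or the Azure CLI: it filters the graph query output to the five resource types listed by this rule and puts resources tagged as production first. The `environment` tag name, the fallback to `properties.sku`, and the sample records are assumptions made for illustration.

```python
# Resource types named by the rule, as lowercase Azure Resource Graph type strings.
IN_SCOPE_TYPES = {
    "microsoft.network/publicipaddresses",
    "microsoft.network/loadbalancers",
    "microsoft.sql/servers/databases",
    "microsoft.network/virtualnetworkgateways",
    "microsoft.cache/redis",
}
WEAK_SKUS = ("basic", "consumption")

def sku_of(res):
    # Assumption: when the top-level "sku" is null, look under properties.sku instead.
    sku = res.get("sku") or (res.get("properties") or {}).get("sku") or {}
    return sku if isinstance(sku, dict) else {"name": str(sku)}

def triage(graph_output, prod_tag="environment"):
    """Return in-scope Basic/Consumption resources, production-tagged ones first."""
    findings = []
    for res in graph_output.get("data", []):
        if str(res.get("type", "")).lower() not in IN_SCOPE_TYPES:
            continue
        sku = sku_of(res)
        label = " ".join(str(sku.get(k) or "") for k in ("name", "tier")).lower()
        if not any(weak in label for weak in WEAK_SKUS):
            continue
        tags = res.get("tags") or {}
        # prod_tag is a hypothetical tagging convention; tag keys are matched case-insensitively.
        env = next((str(v) for k, v in tags.items() if k.lower() == prod_tag), "")
        findings.append({
            "name": res.get("name"), "resourceGroup": res.get("resourceGroup"),
            "type": str(res.get("type", "")).lower(), "sku": sku.get("name"),
            "tagged_production": env.lower() in ("prod", "production"),
        })
    return sorted(findings, key=lambda f: (not f["tagged_production"], f["type"], f["name"]))

# Constructed sample shaped like the "az graph query" output shown above.
SAMPLE = {"data": [
    {"name": "cc-production-server-ip", "resourceGroup": "rg-a", "type": "microsoft.network/publicipaddresses", "sku": {"name": "Basic", "tier": "Regional"}, "tags": {}},
    {"name": "cc-web-lb", "resourceGroup": "rg-a", "type": "microsoft.network/loadbalancers", "sku": {"name": "Basic"}, "tags": {"Environment": "Production"}},
    {"name": "cc-cache", "resourceGroup": "rg-b", "type": "microsoft.cache/redis", "sku": None, "properties": {"sku": {"name": "Basic", "family": "C", "capacity": 1}}, "tags": None},
    {"name": "cc-app-plan", "resourceGroup": "rg-b", "type": "microsoft.web/serverfarms", "sku": {"name": "B1", "tier": "Basic"}, "tags": {}},
    {"name": "cc-standard-ip", "resourceGroup": "rg-a", "type": "microsoft.network/publicipaddresses", "sku": {"name": "Standard", "tier": "Regional"}, "tags": {}},
]}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

To use it on real data, save the command output with `-o json` and pass the result of `json.load()` to `triage()`. An untagged resource is not proof of non-production use, so every finding still needs the manual evaluation described in step 03.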

Remediation / Resolution

To upgrade the SKU for each Azure cloud resource used in production from Basic/Consumption SKU to Standard SKU, perform the following actions:

Each Azure cloud resource has its own process for upgrading from Basic/Consumption to Standard SKU. As an example, this section demonstrates how to upgrade the SKU for a public IP address used in production.

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to the Public IP Addresses blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FPublicIpAddresses.

03 On the Public IP addresses page, select the subscription that you want to examine from the Subscription filter box and choose Apply.

04 Click on the name (link) of the public IP address that you want to upgrade.

05 Select Overview from the resource menu and click on the link "Upgrade to Standard SKU - Microsoft recommends Standard SKU public IP address for production workloads" to upgrade the selected IP address to the Standard SKU.

06 In the Upgrade to Standard SKU confirmation box, select the I acknowledge checkbox and choose Yes to confirm the upgrade to Standard SKU.

07 Repeat steps no. 4 – 6 for each public IP address that you want to upgrade, available in the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each Microsoft Azure subscription created within your cloud account.

Using Azure CLI

01 Run the network public-ip update command (Windows/macOS/Linux) to upgrade the SKU from Basic/Consumption to Standard for the specified public IP address:

az network public-ip update \
  --name cc-production-server-ip \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --resource-group cloud-shell-storage-westeurope \
  --sku Standard

02 The command output should return the configuration information available for the modified resource (artifact):

{
	"ddosSettings": {
		"protectionMode": "VirtualNetworkInherited"
	},
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-production-server-ip",
	"idleTimeoutInMinutes": 4,
	"ipAddress": "xxx.xxx.xxx.xxx",
	"ipTags": [],
	"location": "westeurope",
	"name": "cc-production-server-ip",
	"provisioningState": "Succeeded",
	"publicIPAddressVersion": "IPv4",
	"publicIPAllocationMethod": "Static",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"resourceGuid": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"sku": {
		"name": "Standard",
		"tier": "Regional"
	},
	"tags": {},
	"type": "Microsoft.Network/publicIPAddresses"
}

03 Repeat steps no. 1 and 2 for each public IP address that you want to upgrade, available within the selected Azure subscription.

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription created in your cloud account.

Publication date Feb 3, 2020