VirtualMachines

Best practice rules for Virtual Machines

• Apply Latest OS Patches

  Ensure that the latest OS patches available for Microsoft Azure virtual machines are applied.

• Approved Azure Machine Image in Use

  Ensure that all your Azure virtual machine instances are launched from approved machine images only.

• Azure Disk Encryption for Boot Disk Volumes

  Ensure that Azure Disk Encryption is enabled for Azure virtual machine boot volumes to protect data at rest.

• Azure Disk Encryption for Non-Boot Disk Volumes

  Ensure that Azure Disk Encryption is enabled for Microsoft Azure virtual machines for non-boot volumes.

• Azure Disk Encryption for Unattached Disk Volumes

  Ensure that Azure Disk Encryption is enabled for unattached Azure virtual machine disk volumes.

• Check for Associated Load Balancers

  Ensure that your Azure virtual machine scale sets are using load balancers for traffic distribution.

• Check for Desired VM SKU Size(s)

  Ensure that your virtual machine instances are of a given SKU size (e.g. Standard_A8_v2).

• Check for Empty Virtual Machine Scale Sets

  Identify and remove empty virtual machine scale sets from your Azure cloud account.

• Check for SSH Authentication Type

  Ensure that Azure Linux-based virtual machines (VMs) are configured to use SSH keys.

• Check for Sufficient Daily Backup Retention Period

  Ensure there is a sufficient daily backup retention period configured for Azure virtual machines.

• Check for Sufficient Instant Restore Retention Period

  Ensure there is a sufficient instant restore retention period configured for Azure virtual machines.

• Check for Unused Load Balancers

  Identify and remove unused load balancers from your Microsoft Azure cloud account.

• Check for Zone-Redundant Virtual Machine Scale Sets

  Ensure that Azure virtual machine scale sets are configured for zone redundancy.

• Disable Premium SSD

  Ensure that Azure virtual machines are using Standard SSD disk volumes instead of Premium SSD volumes to optimize VM costs.

• Disable Public IP Address Assignment for VMSS Instances

  Avoid assigning public IP addresses to individual instances within your virtual machine scale set.

• Disable Public IP Address Assignment for Virtual Machine Scale Sets

  Ensure that Azure virtual machine scale sets don't assign public IP addresses.

• Disable Public Network Access to Virtual Machine Disks

  Ensure that public network access to Azure virtual machine disks is disabled.

• Enable Accelerated Networking for Virtual Machines

  Ensure that Microsoft Azure virtual machines are configured to use accelerated networking.

• Enable Auto-Shutdown

  Configure your Microsoft Azure virtual machines to automatically shut down on a daily basis.

• Enable Automatic Instance Repairs

  Ensure that Azure virtual machine scale sets are configured to use automatic instance repairs

• Enable Automatic OS Upgrades

  Ensure that Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets.

• Enable Autoscale Notifications

  Ensure that autoscale notifications are enabled for Azure virtual machine scale sets.

• Enable Backups for Azure Virtual Machines

  Ensure that Microsoft Azure Backup service is in use for your Azure virtual machines (VMs).

• Enable Data Access Authentication Mode

  Ensure that data access authentication mode is enabled for Azure virtual machine disks.

• Enable Encryption for App-Tier Disk Volumes

  Ensure that Azure virtual machine disk volumes created for the app tier are encrypted.

• Enable Encryption for Web-Tier Disk Volumes

  Ensure that Azure virtual machine disk volumes deployed within the web tier are encrypted.

• Enable Guest-Level Diagnostics for Virtual Machines

  Ensure that Microsoft Azure virtual machines are configured to use OS guest-level monitoring.

• Enable Instance Termination Notifications for Virtual Machine Scale Sets

  Ensure that instance termination notifications are enabled for your Azure virtual machine scale sets.

• Enable Just-In-Time Access for Virtual Machines

  Ensure that Microsoft Azure virtual machines are configured to use Just-in-Time (JIT) access.

• Enable MFA for Privileged Identities with Access to Virtual Machines

  Ensure that only MFA-enabled identities can access your Azure virtual machine (VM) instances.

• Enable Performance Diagnostics for Azure Virtual Machines

  Ensure that Azure virtual machines are configured to use the Performance Diagnostics tool.

• Enable System-Assigned Managed Identities

  Ensure that Azure virtual machines are configured to use system-assigned managed identities.

• Enable Trusted Launch for Virtual Machines

  Ensure that Microsoft Azure virtual machines are configured to use the Trusted Launch feature.

• Enable Virtual Machine Access using Microsoft Entra ID Authentication

  Configure your Microsoft Azure virtual machines to use Microsoft Entra ID credentials for secure authentication.

• Enable Virtual Machine Boot Diagnostics

  Ensure that Microsoft Azure virtual machines are configured to use Boot Diagnostics feature.

• Enable and Configure Health Monitoring

  Ensure that the health of your Microsoft Azure scale set instances is being monitored.

• Install Approved Extensions Only

  Ensure that only approved extensions are installed on your Microsoft Azure virtual machines.

• Install Endpoint Protection

  Ensure that endpoint protection is installed on your Microsoft Azure virtual machines.

• Remove Old Virtual Machine Disk Snapshots

  Identify and remove old virtual machine disk snapshots in order to optimize cloud costs.

• Remove Unattached Virtual Machine Disk Volumes

  Remove any unattached Azure virtual machine (VM) disk volumes to improve security and reduce costs

• Server Side Encryption for Boot Disk using CMK

  Ensure that Azure VM managed disk boot volumes are encrypted at rest using customer-managed keys (CMKs).

• Server Side Encryption for Non-Boot Disk using CMK

  Ensure that Azure VM data disk volumes are encrypted at rest using customer-managed keys (CMKs).

• Server Side Encryption for Unattached Disk using CMK

  Ensure that unattached managed disk volumes are encrypted at rest using customer-managed keys (CMKs).

• Use BYOK for Disk Volumes Encryption

  Use customer-managed keys for Microsoft Azure virtual machine (VM) disk volumes encryption.

• Use Customer Managed Keys for Virtual Hard Disk Encryption

  Ensure that Customer Managed Keys are used to encrypt Virtual Hard Disk (VHD) volumes.

• Use Managed Disk Volumes for Virtual Machines

  Ensure that your Microsoft Azure virtual machines are using managed disk volumes.