Best practice rules for Virtual Machines
- Apply Latest OS Patches
Ensure that the latest OS patches available for Microsoft Azure virtual machines are applied.
- Approved Azure Machine Image in Use
Ensure that all your Azure virtual machine instances are launched from approved machine images only.
- Azure Disk Encryption for Boot Disk Volumes
Ensure that Azure Disk Encryption is enabled for Azure virtual machine boot volumes to protect data at rest.
- Azure Disk Encryption for Non-Boot Disk Volumes
Ensure that Azure Disk Encryption is enabled for Microsoft Azure virtual machines for non-boot volumes.
- Azure Disk Encryption for Unattached Disk Volumes
Ensure that Azure Disk Encryption is enabled for unattached Azure virtual machine disk volumes.
- Check for Associated Load Balancers
Ensure that your Azure virtual machine scale sets are using load balancers for traffic distribution.
- Check for Desired VM SKU Size(s)
Ensure that your virtual machine instances are of a given SKU size (e.g. Standard_A8_v2).
- Check for Empty Virtual Machine Scale Sets
Identify and remove empty virtual machine scale sets from your Azure cloud account.
- Check for SSH Authentication Type
Ensure that Azure Linux-based virtual machines (VMs) are configured to use SSH keys.
- Check for Sufficient Daily Backup Retention Period
Ensure there is a sufficient daily backup retention period configured for Azure virtual machines.
- Check for Sufficient Instant Restore Retention Period
Ensure there is a sufficient instant restore retention period configured for Azure virtual machines.
- Check for Unused Load Balancers
Identify and remove unused load balancers from your Microsoft Azure cloud account.
- Check for Zone-Redundant Virtual Machine Scale Sets
Ensure that Azure virtual machine scale sets are configured for zone redundancy.
- Disable Premium SSD
Ensure that Azure virtual machines are using Standard SSD disk volumes instead of Premium SSD volumes to optimize VM costs.
- Disable Public IP Address Assignment for VMSS Instances
Avoid assigning public IP addresses to individual instances within your virtual machine scale set.
- Disable Public IP Address Assignment for Virtual Machine Scale Sets
Ensure that Azure virtual machine scale sets don't assign public IP addresses.
- Enable Accelerated Networking for Virtual Machines
Ensure that Microsoft Azure virtual machines are configured to use accelerated networking.
- Enable Auto-Shutdown
Configure your Microsoft Azure virtual machines to automatically shut down on a daily basis.
- Enable Automatic Instance Repairs
Ensure that Azure virtual machine scale sets are configured to use automatic instance repairs.
- Enable Automatic OS Upgrades
Ensure that the Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets.
- Enable Autoscale Notifications
Ensure that autoscale notifications are enabled for Azure virtual machine scale sets.
- Enable Backups for Azure Virtual Machines
Ensure that Microsoft Azure Backup service is in use for your Azure virtual machines (VMs).
- Enable Encryption for App-Tier Disk Volumes
Ensure that Azure virtual machine disk volumes created for the app tier are encrypted.
- Enable Encryption for Web-Tier Disk Volumes
Ensure that Azure virtual machine disk volumes deployed within the web tier are encrypted.
- Enable Guest-Level Diagnostics for Virtual Machines
Ensure that Microsoft Azure virtual machines are configured to use OS guest-level monitoring.
- Enable Instance Termination Notifications for Virtual Machine Scale Sets
Ensure that instance termination notifications are enabled for your Azure virtual machine scale sets.
- Enable Just-In-Time Access for Virtual Machines
Ensure that Microsoft Azure virtual machines are configured to use Just-in-Time (JIT) access.
- Enable MFA for Privileged Identities with Access to Virtual Machines
Ensure that only MFA-enabled identities can access your Azure virtual machine (VM) instances.
- Enable Performance Diagnostics for Azure Virtual Machines
Ensure that Azure virtual machines are configured to use the Performance Diagnostics tool.
- Enable System-Assigned Managed Identities
Ensure that Azure virtual machines are configured to use system-assigned managed identities.
- Enable Trusted Launch for Virtual Machines
Ensure that Microsoft Azure virtual machines are configured to use the Trusted Launch feature.
- Enable Virtual Machine Access using Microsoft Entra ID Authentication
Configure your Microsoft Azure virtual machines to use Microsoft Entra ID credentials for secure authentication.
- Enable Virtual Machine Boot Diagnostics
Ensure that Microsoft Azure virtual machines are configured to use the Boot Diagnostics feature.
- Enable and Configure Health Monitoring
Ensure that the health of your Microsoft Azure scale set instances is being monitored.
- Install Approved Extensions Only
Ensure that only approved extensions are installed on your Microsoft Azure virtual machines.
- Install Endpoint Protection
Ensure that endpoint protection is installed on your Microsoft Azure virtual machines.
- Remove Old Virtual Machine Disk Snapshots
Identify and remove old virtual machine disk snapshots in order to optimize cloud costs.
- Remove Unattached Virtual Machine Disk Volumes
Remove any unattached Azure virtual machine (VM) disk volumes to improve security and reduce costs.
- Server Side Encryption for Boot Disk using CMK
Ensure that Azure VM managed disk boot volumes are encrypted at rest using customer-managed keys (CMKs).
- Server Side Encryption for Non-Boot Disk using CMK
Ensure that Azure VM data disk volumes are encrypted at rest using customer-managed keys (CMKs).
- Server Side Encryption for Unattached Disk using CMK
Ensure that unattached managed disk volumes are encrypted at rest using customer-managed keys (CMKs).
- Use BYOK for Disk Volumes Encryption
Use customer-managed keys for Microsoft Azure virtual machine (VM) disk volume encryption.
- Use Customer Managed Keys for Virtual Hard Disk Encryption
Ensure that customer-managed keys (CMKs) are used to encrypt Virtual Hard Disk (VHD) volumes.
- Use Managed Disk Volumes for Virtual Machines
Ensure that your Microsoft Azure virtual machines are using managed disk volumes.