Ensure that your Microsoft Azure virtual machine scale sets are configured to receive instance termination notifications through the Azure Instance Metadata Service and have a predefined delay timeout configured for the "Terminate" operation (event). Termination notifications are delivered through Scheduled Events, an Instance Metadata Service feature that announces impactful platform operations (such as reboots and redeployments) ahead of time so that the instance can prepare for them or delay them. How long a "Terminate" event is held back before the instance is actually deleted depends on the delay timeout specified in the VM scale set model configuration.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Once the Instance Termination Notifications feature is enabled, a virtual machine scale set instance does not have to wait for the full delay timeout to elapse before it is deleted. After reading the "Terminate" event from the Scheduled Events endpoint and finishing its own cleanup, the instance can approve the event, and deletion then proceeds immediately; if the instance never approves the event, deletion proceeds once the termination timeout expires.
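The instance-side half of that flow, as an added example that is not code from the original page: read the Scheduled Events document, pick out the "Terminate" events aimed at this instance, run the workload's own drain hook, then approve the events so the platform does not have to wait out the timeout. The endpoint, header and document shape follow the Azure Instance Metadata Service Scheduled Events API; the transport is injectable so the logic can be run without an IMDS, and `SAMPLE_DOC` is a constructed document with invented IDs, names and times.

```python
"""Instance-side handling of a Scheduled Events "Terminate" notification.

Added example; not code from the original page. Endpoint, header and document
shape follow the Azure Instance Metadata Service (IMDS) Scheduled Events API;
SAMPLE_DOC below is constructed with made-up values.
"""
import json
import urllib.request

# Link-local IMDS endpoint: reachable only from inside the VM, never routed.
SCHEDULED_EVENTS_URL = (
    "http://169.254.169.254/metadata/scheduledevents?api-version=2020-07-01"
)
IMDS_HEADERS = {"Metadata": "true"}  # IMDS rejects requests without this header


def _send(req: urllib.request.Request) -> bytes:
    """Default transport: talk to the real IMDS endpoint."""
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def fetch_events(opener=_send) -> dict:
    """GET the current Scheduled Events document (opener is injectable for tests)."""
    req = urllib.request.Request(SCHEDULED_EVENTS_URL, headers=IMDS_HEADERS)
    return json.loads(opener(req))


def pending_terminate_events(doc: dict, my_instance: str) -> list:
    """Terminate events that name this instance and have not been acted on yet."""
    return [
        e for e in doc.get("Events", [])
        if e.get("EventType") == "Terminate"
        and e.get("EventStatus") == "Scheduled"
        and my_instance in e.get("Resources", [])
    ]


def build_approval(event_ids) -> bytes:
    """POST body telling the platform it may proceed with these events now.

    Approving ends the notBeforeTimeout delay early. If the instance never
    approves, the platform deletes it anyway once the timeout expires.
    """
    body = {"StartRequests": [{"EventId": eid} for eid in event_ids]}
    return json.dumps(body).encode()


def approve_events(event_ids, opener=_send) -> bytes:
    """POST the approval to the same endpoint the document was read from."""
    req = urllib.request.Request(
        SCHEDULED_EVENTS_URL,
        data=build_approval(event_ids),
        headers={**IMDS_HEADERS, "Content-Type": "application/json"},
        method="POST",
    )
    return opener(req)


def drain_and_approve(doc: dict, my_instance: str, drain, opener=_send) -> list:
    """Typical flow: clean up first, then approve the pending Terminate events.

    `drain` is the workload's own shutdown hook (deregister from the load
    balancer, finish in-flight requests, flush buffers). Returns the approved
    event IDs, or [] when no Terminate event targets this instance.
    """
    events = pending_terminate_events(doc, my_instance)
    if not events:
        return []
    drain()
    ids = [e["EventId"] for e in events]
    approve_events(ids, opener=opener)
    return ids


# Constructed sample (field names follow IMDS; IDs, names and times are invented).
SAMPLE_DOC = {
    "DocumentIncarnation": 3,
    "Events": [
        {
            "EventId": "f020ba5b-1e2c-4b4d-9b2e-7f93ba5e2a11",
            "EventType": "Terminate",
            "ResourceType": "VirtualMachine",
            "Resources": ["webvmss_4"],
            "EventStatus": "Scheduled",
            "NotBefore": "Mon, 11 Sep 2023 19:40:08 GMT",
        },
        {   # A Reboot for the same instance: this handler must leave it alone.
            "EventId": "1d0a3c2f-5c3e-4f3a-8d2f-0b1a2c3d4e5f",
            "EventType": "Reboot",
            "ResourceType": "VirtualMachine",
            "Resources": ["webvmss_4"],
            "EventStatus": "Scheduled",
            "NotBefore": "Mon, 11 Sep 2023 19:55:00 GMT",
        },
    ],
}

if __name__ == "__main__":
    sent = []
    approved = drain_and_approve(
        SAMPLE_DOC, "webvmss_4",
        drain=lambda: print("draining webvmss_4"),
        opener=lambda req: sent.append(req.data) or b"",
    )
    print("approved:", approved, "body:", sent[0].decode())
```

On a real instance the handler polls `fetch_events()` with the default transport; the instance name to match is the scale set instance's own resource name as it appears in the `Resources` array, which is an assumption of this example rather than something the page states.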
Audit
To determine if instance termination notifications are enabled for your Azure virtual machine scale sets, perform the following actions:
Note: Verifying the Instance Termination Notifications feature status for your virtual machine scale sets using the Azure Portal is not currently supported.

Remediation / Resolution
To enable VM instance termination notifications for your Microsoft Azure virtual machine scale sets, perform the following actions:
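The following is an added example covering both the audit and the remediation steps above; it is not the original page's step list. It evaluates scale set models in the JSON shape printed by `az vmss show -o json` (or each element of `az vmss list -o json`), where the setting lives under `virtualMachineProfile.scheduledEventsProfile.terminateNotificationProfile`, checks that the feature is enabled and that `notBeforeTimeout` is within the range Azure accepts (PT5M to PT15M), and builds the `az vmss update --set ...` command Azure documents for enabling it. `SAMPLE_MODELS` are constructed, and the script makes no Azure calls itself.

```python
"""Audit and remediate terminate notifications on VM scale sets.

Added example; not the original page's step list. Evaluates scale set models
as printed by `az vmss show -o json` and builds the documented
`az vmss update --set ...` fix. SAMPLE_MODELS below are constructed.
"""
import re
import shlex

PROFILE_PATH = "virtualMachineProfile.scheduledEventsProfile.terminateNotificationProfile"
MIN_MINUTES, MAX_MINUTES = 5, 15  # Azure accepts notBeforeTimeout from PT5M to PT15M

_ISO_TIME = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def iso8601_minutes(value) -> float:
    """Convert an ISO 8601 time duration such as PT5M or PT1H to minutes."""
    m = _ISO_TIME.match(value or "")
    if not m or not any(m.groups()):
        raise ValueError(f"not an ISO 8601 time duration: {value!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return hours * 60 + minutes + seconds / 60


def get_path(doc, dotted: str):
    """Walk a dotted property path through nested dicts; None if absent."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def evaluate(vmss: dict) -> dict:
    """Audit one scale set model: enabled AND timeout within Azure's range."""
    name = vmss.get("name", "<unknown>")
    profile = get_path(vmss, PROFILE_PATH) or {}
    if not profile.get("enable"):
        return {"name": name, "compliant": False,
                "reason": "terminate notification not enabled"}
    timeout = profile.get("notBeforeTimeout")
    try:
        minutes = iso8601_minutes(timeout)
    except ValueError as err:
        return {"name": name, "compliant": False, "reason": str(err)}
    if not MIN_MINUTES <= minutes <= MAX_MINUTES:
        return {"name": name, "compliant": False,
                "reason": f"notBeforeTimeout {timeout} outside PT{MIN_MINUTES}M..PT{MAX_MINUTES}M"}
    return {"name": name, "compliant": True,
            "reason": f"enabled, notBeforeTimeout {timeout}"}


def remediation_command(vmss: dict, timeout: str = "PT5M") -> str:
    """The documented az CLI fix: enable the profile and set the delay."""
    if not MIN_MINUTES <= iso8601_minutes(timeout) <= MAX_MINUTES:
        raise ValueError(f"timeout must be PT{MIN_MINUTES}M..PT{MAX_MINUTES}M, got {timeout}")
    return " ".join([
        "az vmss update",
        "--resource-group", shlex.quote(vmss["resourceGroup"]),
        "--name", shlex.quote(vmss["name"]),
        "--set",
        f"{PROFILE_PATH}.enable=true",
        f"{PROFILE_PATH}.notBeforeTimeout={timeout}",
    ])


def audit(models) -> list:
    """Evaluate every model; attach the fix command to each failing one."""
    findings = []
    for model in models:
        finding = evaluate(model)
        if not finding["compliant"]:
            finding["fix"] = remediation_command(model)
        findings.append(finding)
    return findings


# Constructed models (only the fields this check reads are populated).
SAMPLE_MODELS = [
    {"name": "vmss-web", "resourceGroup": "rg-prod",
     "virtualMachineProfile": {"scheduledEventsProfile": {
         "terminateNotificationProfile": {"enable": True, "notBeforeTimeout": "PT10M"}}}},
    {"name": "vmss-api", "resourceGroup": "rg-prod",
     "virtualMachineProfile": {"scheduledEventsProfile": {
         "terminateNotificationProfile": {"enable": False, "notBeforeTimeout": "PT5M"}}}},
    {"name": "vmss-batch", "resourceGroup": "rg-batch",
     "virtualMachineProfile": {}},   # profile never configured at all
]

if __name__ == "__main__":
    for f in audit(SAMPLE_MODELS):
        print(f"{f['name']}: {'PASS' if f['compliant'] else 'FAIL'} ({f['reason']})")
        if "fix" in f:
            print("  ", f["fix"])
```

To run it against a real subscription, select the subscription (`az account list` / `az account set`), feed `az vmss list -o json` into `audit()` via `json.load(sys.stdin)`, and execute the printed `az vmss update` commands after review; the `--set` property path is the one in the Azure documentation for this feature. A default of PT5M is used for the fix because it is the shortest delay Azure allows; raise it only if the workload's drain actually needs longer.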
Note: Enabling instance termination notifications for your virtual machine scale sets using the Azure Portal is not currently supported.

References
- Azure Official Documentation
  - Virtual Machine Scale Sets
  - What are virtual machine scale sets?
  - Terminate notification for Azure virtual machine scale set instances
- Azure Command Line Interface (CLI) Documentation
  - az account list
  - az vmss list
  - az vmss show
  - az vmss update