Check for Zone-Redundant Virtual Machine Scale Sets

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: VirtualMachines-027

Ensure that all your Microsoft Azure virtual machine scale sets are using zone-redundant availability configurations instead of single-zone (zonal) configurations, to deploy and load balance virtual machines (VMs) across multiple Availability Zones (AZs) in order to protect your Azure scale sets from datacenter-level failures.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

When you deploy a virtual machine scale set, you can choose to use a single Availability Zone or multiple Availability Zones (AZs). A zone-redundant virtual machine scale set represents a single scale set that spans multiple AZs. As virtual machine instances are created within the scale set, they are evenly balanced across AZs. This availability configuration helps to protect your applications and data from a zone failure or loss of an entire AZ. With zone-redundancy, one or more Availability Zones can fail and the data path survives as long as one AZ in the region remains healthy.
Audit

To determine the availability configuration of your Microsoft Azure VM scale sets, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine scale set to list only the Azure virtual machine scale sets created in the selected subscription.

05 Click on the name of the virtual machine scale set that you want to examine.

06 In the navigation panel, under Settings, select Properties to view the configuration properties available for the selected VM scale set.

07 On the Properties page, check the number of Availability Zones (AZs) configured for the scale set, listed as the value of the Availability zone property. If the selected Azure virtual machine scale set has only one Availability Zone listed, the scale set is using a single-zone availability configuration instead of a zone-redundant configuration.

08 Repeat steps no. 5 – 7 for each Azure virtual machine scale set available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run vmss list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each virtual machine scale set provisioned in the selected Azure subscription:

az vmss list \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return the requested virtual machine scale set identifiers:

Name                    ResourceGroup
---------------------   ------------------------------
cc-project5-scale-set   cloud-shell-storage-westeurope
cc-backend-scale-set    cloud-shell-storage-westeurope

05 Run vmss show command (Windows/macOS/Linux) using the name of the virtual machine scale set that you want to examine as the identifier parameter, to list the Availability Zones (AZs) configured for the selected VM scale set:

az vmss show \
	--name cc-project5-scale-set \
	--resource-group cloud-shell-storage-westeurope \
	--query 'zones'

06 The command output should return the requested AZ information:

[
  "1"
]

If the vmss show command output returns just one Availability Zone, as shown in the example above, the selected Azure virtual machine scale set can launch instances within a single Availability Zone, therefore the VM scale set is using a single-zone availability configuration instead of a zone-redundant configuration.

07 Repeat step no. 5 and 6 for each Azure virtual machine scale set deployed in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
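The CLI audit above is a manual loop over subscriptions and scale sets. The script below, added here as an example and not part of the Conformity rule or Azure's own tooling, automates the same decision: it reads the `zones` array from `az vmss list` / `az vmss show` JSON and reports every scale set that does not span at least two Availability Zones. The sample documents are constructed to mirror the output shown on this page; the live path that calls `az` only runs when the CLI is installed and you are logged in. One assumption is labelled in the code: a scale set whose `zones` is null or empty (created without `--zones`, i.e. a regional rather than zonal deployment) is also reported as non-compliant, since it is not zone-redundant either.

```python
"""Flag Azure VM scale sets that are not zone-redundant (added example).

Classifies `az vmss` JSON by the number of distinct entries in its "zones"
array. Sample documents below are constructed; the `az` calls are only
attempted when the CLI is available on PATH.
"""
import json
import shutil
import subprocess

ZONE_REDUNDANT = "zone-redundant"
SINGLE_ZONE = "single-zone"
NO_ZONES = "no-zones"  # regional (non-zonal) deployment: assumed non-compliant as well

# Constructed sample documents, shaped like the `az vmss show` output on this page.
SAMPLE_VMSS_DOCS = [
    {"name": "cc-project5-scale-set", "resourceGroup": "cloud-shell-storage-westeurope",
     "location": "westeurope", "zones": ["1"]},
    {"name": "cc-project5-new-scale-set", "resourceGroup": "cloud-shell-storage-westeurope",
     "location": "westeurope", "zones": ["1", "2", "3"]},
    # Hypothetical scale set created without --zones: the API returns "zones": null.
    {"name": "cc-legacy-scale-set", "resourceGroup": "cloud-shell-storage-westeurope",
     "location": "westeurope", "zones": None},
]


def classify_zones(zones):
    """Return the availability classification for a VMSS "zones" value."""
    if not zones:
        return NO_ZONES
    distinct = {str(z) for z in zones}  # tolerate duplicates or numeric entries
    return ZONE_REDUNDANT if len(distinct) >= 2 else SINGLE_ZONE


def is_compliant(vmss_doc):
    """The rule passes only for scale sets spanning two or more AZs."""
    return classify_zones(vmss_doc.get("zones")) == ZONE_REDUNDANT


def audit(vmss_docs):
    """Return one finding per non-compliant scale set, in input order."""
    findings = []
    for doc in vmss_docs:
        status = classify_zones(doc.get("zones"))
        if status != ZONE_REDUNDANT:
            findings.append({
                "name": doc["name"],
                "resourceGroup": doc["resourceGroup"],
                "location": doc.get("location"),
                "zones": list(doc.get("zones") or []),
                "status": status,
            })
    return findings


def az_json(args):
    """Run an `az` command and parse its JSON output (requires a logged-in Azure CLI)."""
    out = subprocess.run(["az", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def audit_all_subscriptions():
    """Live path: replicate audit steps 01-08 across every subscription."""
    findings = []
    for sub_id in az_json(["account", "list", "--query", "[*].id"]):
        docs = az_json(["vmss", "list", "--subscription", sub_id])
        for f in audit(docs):
            findings.append({"subscription": sub_id, **f})
    return findings


if __name__ == "__main__":
    results = audit_all_subscriptions() if shutil.which("az") else audit(SAMPLE_VMSS_DOCS)
    for f in results:
        print(f"NON-COMPLIANT {f['name']} ({f['resourceGroup']}, {f['location']}): "
              f"{f['status']}, zones={f['zones']}")
```

Run without arguments: with `az` on PATH the script walks every subscription via `az vmss list` (which already includes `zones`, so the per-scale-set `az vmss show` of step 05 is not needed), otherwise it evaluates the constructed samples and reports the single-zone and no-zone ones.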

Remediation / Resolution

To enable zone redundancy for your Microsoft Azure virtual machine scale sets you have to re-create the scale sets with a zone-redundant availability configuration by performing the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine scale set to list only the virtual machine scale sets deployed in the selected subscription.

05 Click on the name of the virtual machine scale set that you want to re-create and gather all the relevant configuration information available for the selected scale set.

06 Navigate to Virtual machine scale sets blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets.

07 Click on the Add button available in the blade top menu to initiate the VM scale set setup process.

08 On the Create a virtual machine scale set page, perform the following actions:

  1. In the Project details section, use the Subscription and Resource group controls to choose the Azure subscription and the resource group where you want to deploy your new virtual machine scale set (must match the resource group of the scale set that you want to re-create).
  2. In the Scale set details section, provide the following details:
    • In the Virtual machine scale set name box, provide a unique name for the scale set.
    • Select the appropriate Azure region from the Region dropdown list (must match the region of the non-compliant scale set).
    • From Availability Zones dropdown list, select at least two Availability Zones in which to deploy your scale set. Ideally, a zone-redundant configuration should have all the supported Availability Zones (e.g. zones 1, 2 and 3) selected at this step.
  3. In the Instance details section, configure the size of the virtual machines (VMs) deployed to the scale set and choose the base operating system or application for these VMs, based on the configuration details collected at step no. 5.
  4. Within the Administrator account section, choose whether the administrator account will use a username and a password or SSH keys for authentication.
  5. Click Next : Disks > to configure the scale set disk options. Continue the virtual machine scale set setup process using the configuration information collected at step no. 5 until you reach the resource review step. Once the review is done and the validation has passed, click Create to create your new zone-redundant virtual machine scale set.

09 Migrate the necessary application data from the source (single-zone) virtual machine scale set to the destination (zone-redundant) Azure virtual machine scale set.

10 To remove the non-compliant scale set from your Azure cloud account in order to eliminate unnecessary costs, navigate back to the Virtual machine scale sets blade and click on the name of the VM scale set that you want to remove.

11 In the navigation panel, select Overview, and click Delete to initiate the resource removal.

12 Repeat step no. 4 – 6 to resize other Azure VM instances available in the selected subscription.

13 In the Delete virtual machine scale set confirmation box, click Yes to confirm the virtual machine scale set removal.

14 Repeat steps no. 5 – 13 to enable zone redundancy for other Azure virtual machine scale sets created within the selected subscription.

15 Repeat steps no. 3 – 14 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vmss show command (Windows/macOS/Linux) using the name of the virtual machine scale set that you want to re-create as the identifier parameter, to describe all the configuration information available for the selected VM scale set:

az vmss show \
	--name cc-project5-scale-set \
	--resource-group cloud-shell-storage-westeurope

02 The command output should return the requested information:

{
  "location": "westeurope",
  "name": "cc-project5-scale-set",
  "overprovision": true,
  "platformFaultDomainCount": 5,
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "singlePlacementGroup": false,
  "sku": {
    "capacity": 2,
    "name": "Standard_DS1_v2",
    "tier": "Standard"
  },
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "virtualMachineProfile": {
    "diagnosticsProfile": {
      "bootDiagnostics": {
        "enabled": true,
        "storageUri": "https://abcdabcd.blob.core.windows.net/"
      }
    }

    ...

    "storageProfile": {
      "imageReference": {
        "offer": "UbuntuServer",
        "publisher": "Canonical",
        "sku": "18.04-LTS",
        "version": "latest"
      },
      "osDisk": {
        "caching": "ReadWrite",
        "createOption": "FromImage",
        "diskSizeGb": 30,
        "managedDisk": {
          "diskEncryptionSet": null,
          "storageAccountType": "Premium_LRS"
        }
      }
    }
  },
  "zones": [
    "1"
  ]
}

03 Run vmss create command (Windows/macOS/Linux) using the configuration information of the virtual machine scale set that you want to re-create, returned at the previous step, as input for the vmss create command parameters, to create a new, zone-redundant Azure virtual machine scale set. To configure the new scale set for zone redundancy, add the names of the Availability Zones (i.e. 1, 2, and 3) to the --zones command parameter:

az vmss create \
	--name cc-project5-new-scale-set \
	--resource-group cloud-shell-storage-westeurope \
	--image UbuntuLTS \
	--vm-sku Standard_DS1_v2 \
	--instance-count 2 \
	--os-disk-size-gb 30 \
	--upgrade-policy-mode automatic \
	--admin-username azureuser \
	--generate-ssh-keys \
	--zones 1 2 3

04 The command output should return the configuration metadata available for the new VM scale set:

{
  "location": "westeurope",
  "name": "cc-project5-new-scale-set",
  "overprovision": true,
  "platformFaultDomainCount": 5,
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",

  ...

  "sku": {
    "capacity": 2,
    "name": "Standard_DS1_v2",
    "tier": "Standard"
  },
  "type": "Microsoft.Compute/virtualMachineScaleSets"
}

05 Migrate the necessary application data from the source (single-zone) virtual machine scale set to the destination (zone-redundant) Azure virtual machine scale set.

06 To remove the non-compliant VM scale set from your Azure cloud account in order to eliminate unnecessary costs, run vmss delete command (Windows/macOS/Linux) using the name of the virtual machine scale set that you want to delete as the identifier parameter (the command does not produce an output):

az vmss delete \
	--name cc-project5-scale-set \
	--resource-group cloud-shell-storage-westeurope

07 Repeat steps no. 1 – 6 to enable zone redundancy for other Azure virtual machine scale sets deployed in the selected subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.

Publication date Jul 8, 2020
