More Info:

Ensure that all your Microsoft Azure virtual machine scale sets are using zone-redundant availability configurations instead of single-zone (zonal) configurations, to deploy and load balance virtual machines (VMs) across multiple Availability Zones (AZs) in order to protect your Azure scale sets from datacenter-level failures.

Risk Level

High

Address

Security

Compliance Standards

HIPAA, NIST, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate Zone-Redundant Virtual Machine Scale Sets misconfiguration in Azure:
  1. Log in to the Azure portal (https://portal.azure.com).
  2. Navigate to the Virtual Machine Scale Sets resource that needs to be remediated.
  3. In the left-hand menu, select “Settings” and then select “Properties”.
  4. In the “Properties” pane, scroll down to the “Availability” section.
  5. In the “Availability” section, check if “Zone Redundancy” is set to “Enabled”. If it is enabled, then the Scale Set is configured to use Zone-Redundant Virtual Machines.
  6. To remediate this misconfiguration, disable the “Zone Redundancy” option by toggling the switch to “Disabled”.
  7. Once the “Zone Redundancy” option is disabled, click on the “Save” button at the top of the “Properties” pane to save the changes.
Congratulations! You have successfully remediated the Zone-Redundant Virtual Machine Scale Sets misconfiguration in Azure.

To remediate the Zone-Redundant Virtual Machine Scale Sets misconfiguration in Azure using Azure CLI, follow these steps:
  1. Open the Azure CLI in your terminal or command prompt.
  2. Login to your Azure account using the following command: 
    az login
  3. Once you are logged in, set the subscription to the one where the affected Virtual Machine Scale Set is located using the following command: 
    az account set --subscription <subscription_id>
  4. Check the current configuration of the Virtual Machine Scale Set using the following command: 
    az vmss show --name <vmss_name> --resource-group <resource_group_name>
  5. If the Virtual Machine Scale Set is configured for Zone-Redundancy, you can remediate it by disabling the Zone-Redundant deployment using the following command: 
    az vmss update --name <vmss_name> --resource-group <resource_group_name> --set singlePlacementGroup=false
  6. Once the command executes successfully, the Virtual Machine Scale Set will be updated to disable the Zone-Redundant deployment.
  7. Verify the updated configuration of the Virtual Machine Scale Set using the following command: 
    az vmss show --name <vmss_name> --resource-group <resource_group_name>
  8. You have now successfully remediated the Zone-Redundant Virtual Machine Scale Sets misconfiguration in Azure using Azure CLI.
To remediate the Zone-Redundant Virtual Machine Scale Sets misconfiguration in Azure using Python, follow these steps:
  1. Import the necessary modules:
from azure.mgmt.compute import ComputeManagementClient
from azure.identity import DefaultAzureCredential
  1. Instantiate the ComputeManagementClient and DefaultAzureCredential objects:
credential = DefaultAzureCredential()
compute_client = ComputeManagementClient(credential, subscription_id)
  1. Use the list method of the compute_client.virtual_machine_scale_sets object to get a list of all Virtual Machine Scale Sets in the subscription:
vmss_list = compute_client.virtual_machine_scale_sets.list()
  1. For each Virtual Machine Scale Set in the list, check if it is configured to use Zone-Redundant deployment by checking the zones property:
for vmss in vmss_list:
    if vmss.zones is not None:
        # Zone-Redundant deployment is enabled
        # Remediation steps go here
  1. To remediate the issue, update the Virtual Machine Scale Set to use a non-Zone-Redundant deployment by setting the zones property to None:
vmss.zones = None
compute_client.virtual_machine_scale_sets.create_or_update(resource_group_name, vmss_name, vmss)
  1. Repeat steps 4 and 5 for all Virtual Machine Scale Sets that have Zone-Redundant deployment enabled.
Note: Make sure to replace the subscription_id, resource_group_name, and vmss_name variables with the appropriate values for your Azure environment. Also, ensure that you have the necessary permissions to modify Virtual Machine Scale Sets in your subscription.