Check for Zone-Redundant Virtual Machine Scale Sets

More Info:

Ensure that all your Microsoft Azure virtual machine scale sets are using zone-redundant availability configurations instead of single-zone (zonal) configurations, to deploy and load balance virtual machines (VMs) across multiple Availability Zones (AZs) in order to protect your Azure scale sets from datacenter-level failures.

Risk Level

High

Address

Security

Compliance Standards

HIPAA, NIST, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the Zone-Redundant Virtual Machine Scale Sets misconfiguration in Azure using Azure CLI, follow these steps:

Open the Azure CLI in your terminal or command prompt.
Login to your Azure account using the following command:
```
az login
```
Once you are logged in, set the subscription to the one where the affected Virtual Machine Scale Set is located using the following command:
```
az account set --subscription <subscription_id>
```
Check the current configuration of the Virtual Machine Scale Set using the following command:
```
az vmss show --name <vmss_name> --resource-group <resource_group_name>
```
If the Virtual Machine Scale Set is configured for Zone-Redundancy, you can remediate it by disabling the Zone-Redundant deployment using the following command:
```
az vmss update --name <vmss_name> --resource-group <resource_group_name> --set singlePlacementGroup=false
```
Once the command executes successfully, the Virtual Machine Scale Set will be updated to disable the Zone-Redundant deployment.
Verify the updated configuration of the Virtual Machine Scale Set using the following command:
```
az vmss show --name <vmss_name> --resource-group <resource_group_name>
```
You have now successfully remediated the Zone-Redundant Virtual Machine Scale Sets misconfiguration in Azure using Azure CLI.

Using Python

To remediate the Zone-Redundant Virtual Machine Scale Sets misconfiguration in Azure using Python, follow these steps:

Import the necessary modules:

from azure.mgmt.compute import ComputeManagementClient
from azure.identity import DefaultAzureCredential

Instantiate the ComputeManagementClient and DefaultAzureCredential objects:

credential = DefaultAzureCredential()
compute_client = ComputeManagementClient(credential, subscription_id)

Use the list method of the compute_client.virtual_machine_scale_sets object to get a list of all Virtual Machine Scale Sets in the subscription:

vmss_list = compute_client.virtual_machine_scale_sets.list()

For each Virtual Machine Scale Set in the list, check if it is configured to use Zone-Redundant deployment by checking the zones property:

for vmss in vmss_list:
    if vmss.zones is not None:
        # Zone-Redundant deployment is enabled
        # Remediation steps go here

To remediate the issue, update the Virtual Machine Scale Set to use a non-Zone-Redundant deployment by setting the zones property to None:

vmss.zones = None
compute_client.virtual_machine_scale_sets.create_or_update(resource_group_name, vmss_name, vmss)

Repeat steps 4 and 5 for all Virtual Machine Scale Sets that have Zone-Redundant deployment enabled.

Note: Make sure to replace the subscription_id, resource_group_name, and vmss_name variables with the appropriate values for your Azure environment. Also, ensure that you have the necessary permissions to modify Virtual Machine Scale Sets in your subscription.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Check for Zone-Redundant Virtual Machine Scale Sets

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation