Governance Policies Azure Compute VMSS - Azure/az-prototype GitHub Wiki
Governance policies for Vmss
Domain: azure-compute
| Name | Description |
|---|---|
| VMSS Flexible with autoscale and encryption | Zone-redundant VMSS with Flexible orchestration, CMK encryption, and autoscale |
| Description | Instead |
|---|---|
| Do not use Uniform orchestration for new VMSS deployments | Use Flexible orchestration mode for better availability and flexibility |
| Do not use password authentication for Linux VMSS instances | Use SSH key authentication with disablePasswordAuthentication: true |
| Check | Severity | Description |
|---|---|---|
| AZ-VMSS-001 | Required | Deploy VMSS with Flexible orchestration mode, managed identity, and zone distribution |
| AZ-VMSS-002 | Required | Enable encryption at host for VMSS instances |
| AZ-VMSS-003 | Required | Configure autoscale rules based on relevant metrics |
| AZ-VMSS-004 | Recommended | Enable automatic OS upgrades and automatic instance repairs |
Deploy VMSS with Flexible orchestration mode, managed identity, and zone distribution
Severity: Required
Rationale: Flexible mode is the recommended orchestration; Uniform is legacy. Managed identity eliminates credential management
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Compute/virtualMachineScaleSets
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/networkSecurityGroups | nsg-vmss | Network security group applied to VMSS network interface configurations |
| Microsoft.Network/loadBalancers | lb-vmss | Standard load balancer for distributing traffic across VMSS instances |
| Microsoft.Compute/diskEncryptionSets | des-cmk | Disk Encryption Set with customer-managed key for VMSS OS and data disks |
| Microsoft.Insights/diagnosticSettings | diag-vmss | Diagnostic settings for VMSS instance metrics and boot diagnostics |
| Microsoft.Insights/autoscaleSettings | autoscale-vmss | Autoscale rules for CPU-based scale-out and scale-in of VMSS instances |
Enable encryption at host for VMSS instances
Severity: Required
Rationale: Encryption at host ensures temp disks, caches, and data-in-transit to storage are encrypted
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Compute/virtualMachineScaleSets
Configure autoscale rules based on relevant metrics
Severity: Required
Rationale: Without autoscale, VMSS requires manual capacity management and cannot respond to load changes
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Compute/virtualMachineScaleSets
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Compute/virtualMachineScaleSets | vmss-target | Target VMSS that autoscale settings apply to |
Enable automatic OS upgrades and automatic instance repairs
Severity: Recommended
Rationale: Automatic upgrades keep instances patched; automatic repairs replace unhealthy instances
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Compute/virtualMachineScaleSets
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/loadBalancers/probes | health-probe | Load balancer health probe providing health signal for automatic instance repairs |