Check for Associated Load Balancers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-028

Ensure that each Microsoft Azure virtual machine scale set is integrated with a load balancer in order to distribute incoming traffic among healthy virtual machine instances running within the scale set. Azure load balancer is a layer 4 load balancer that provides low latency, high throughput, and scales up to millions of flows for all TCP and UDP web applications.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability

Integrating Microsoft Azure virtual machine scale sets with Azure load balancers can help you provide high availability for your web applications and improve application performance through scaling.


Audit

To determine if your virtual machine scale sets are using load balancers for optimal scaling and high availability, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to the All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine scale set to list only the Azure virtual machine scale sets created in the selected subscription.

05 Click on the name of the virtual machine scale set that you want to examine.

06 In the navigation panel, under Settings, choose Networking and select the Load balancing tab to view the load balancer attached to the selected scale set. If there is no load balancer listed on the Load balancing panel, the selected Azure virtual machine scale set is not associated with a Microsoft Azure load balancer.

07 Repeat steps no. 5 and 6 for each Azure virtual machine scale set available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the vmss list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each virtual machine scale set available in the selected Azure subscription:

az vmss list \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return the requested virtual machine scale set identifiers:

Name                    ResourceGroup
---------------------   ------------------------------
cc-web-prod-scale-set   cloud-shell-storage-westeurope
cc-project5-scale-set   cloud-shell-storage-westeurope

05 Run the vmss show command (Windows/macOS/Linux), using the name of the virtual machine scale set that you want to examine as the identifier parameter, to return the ID of the load balancer backend pool associated with the selected VM scale set:

az vmss show \
	--name cc-web-prod-scale-set \
	--resource-group cloud-shell-storage-westeurope \
	--query 'virtualMachineProfile.networkProfile.networkInterfaceConfigurations[*].ipConfigurations[*].loadBalancerBackendAddressPools[*].id | []'

06 The command output should return the requested backend pool identifier:

[]

If the vmss show command output returns an empty array, as shown in the example above, the selected Azure virtual machine scale set is not associated with an Azure load balancer.

07 Repeat steps no. 5 and 6 for each Azure virtual machine scale set deployed in the selected subscription.

08 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
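The CLI audit above can be run in bulk by saving the full `az vmss list --output json` result for a subscription and checking every scale set at once. The script below is an added example, not part of the Conformity rule; it walks the same property path as the vmss show query and treats a missing or null level as "no backend pool". The sample document is constructed, and the function names are this example's own.

```python
import json

# Constructed sample shaped like `az vmss list --output json` (trimmed to the
# fields the audit reads); names reuse the page's example scale sets.
SAMPLE = json.loads("""
[
  {"name": "cc-web-prod-scale-set",
   "resourceGroup": "cloud-shell-storage-westeurope",
   "virtualMachineProfile": {"networkProfile": {"networkInterfaceConfigurations": [
     {"ipConfigurations": [{"name": "ipconfig1",
                            "loadBalancerBackendAddressPools": null}]}]}}},
  {"name": "cc-project5-scale-set",
   "resourceGroup": "cloud-shell-storage-westeurope",
   "virtualMachineProfile": {"networkProfile": {"networkInterfaceConfigurations": [
     {"ipConfigurations": [{"name": "ipconfig1",
        "loadBalancerBackendAddressPools": [
          {"id": "/subscriptions/<sub-id>/.../backendAddressPools/<pool-name>"}]}]}]}}}
]
""")


def backend_pool_ids(vmss):
    """Collect every load balancer backend pool ID referenced by a scale set.

    Walks the same path as the page's --query expression; a missing or null
    level (no profile, no NICs, no pools) counts as "no pools".
    """
    profile = (vmss.get("virtualMachineProfile") or {}).get("networkProfile") or {}
    ids = []
    for nic in profile.get("networkInterfaceConfigurations") or []:
        for ipcfg in nic.get("ipConfigurations") or []:
            for pool in ipcfg.get("loadBalancerBackendAddressPools") or []:
                if pool.get("id"):
                    ids.append(pool["id"])
    return ids


def scale_sets_without_lb(vmss_list):
    """Return (resourceGroup, name) for each scale set with no backend pool."""
    return [(v.get("resourceGroup"), v.get("name"))
            for v in vmss_list if not backend_pool_ids(v)]


if __name__ == "__main__":
    for rg, name in scale_sets_without_lb(SAMPLE):
        print(f"NOT ASSOCIATED: {name} (resource group {rg})")
```

To audit a real subscription, replace SAMPLE with the parsed output of the vmss list command from step 03 run with `--output json` and no `--query` filter.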

Remediation / Resolution

To create, configure, and attach load balancers to your Microsoft Azure virtual machine scale sets, perform the following operations:

Note: Attaching a load balancer to an existing Azure virtual machine scale set using Azure Command Line Interface (CLI) is not currently supported.

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to the Load balancers blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FLoadBalancers.

03 Click on the Add button available in the blade top menu to initiate the load balancer setup process.

04 On the Create load balancer page, perform the following actions:

  1. In the Project details section, use the Subscription and Resource group controls to choose the Azure subscription and the resource group where you want to deploy your new load balancer (must match the resource group of the scale set that you want to reconfigure).
  2. In the Instance details section, provide the following details:
    • In the Name box, provide a unique name for the load balancer.
    • Select the appropriate Azure region from the Region dropdown list (must match the scale set region).
    • For Type, select Public to create a public load balancer. Public load balancers can balance traffic originating from public IP addresses.
    • For SKU, select Standard to create a standard load balancer. A standard load balancer can balance up to 1000 instances, has greater backend pool flexibility, HA ports, and zonal and zone-redundant scenarios. Microsoft recommends standard load balancers for production workloads.
  3. When you create a public Azure load balancer, you must also create a new public IP address that is configured as frontend for the load balancer. In the Public IP address section, perform the following:
    • For Public IP address, select Create new to create a new frontend IP configuration.
    • In the Public IP address name box, provide a name for the new IP address.
    • (Optional) You can assign a public IPv6 address in addition to the public IPv4 address to the load balancer by using the configuration controls available for the Add a public IPv6 address setting. The load balancing rules may be different for IPv4 and IPv6 traffic.
  4. Click Next: Tags > to continue the setup.
  5. Create a tag set for your new load balancer using the Name and Value fields. Tag sets are name/value pairs that enable you to categorize Azure resources and view consolidated billing by applying the same tag to multiple resources and resource groups.
  6. Click Next: Review + create > to validate the load balancer configuration.
  7. Once the validation is passed, click Create to deploy your new Azure load balancer.

05 Click on the name of the newly created Microsoft Azure load balancer.

06 Under Settings, select Backend pools, then click Add to create the backend pool required to distribute traffic to the virtual machines within the scale set.

07 On the Add backend pool page, perform the following:

  1. In the Name box, provide a unique name for the new backend pool.
  2. Select the appropriate Azure virtual network from the Virtual network dropdown list (must match the virtual network of the scale set that you want to reconfigure).
  3. For IP version, select IPv4 to use an IPv4 address.
  4. In the Virtual machine scale sets configuration section, use the Virtual machine scale set and IP address controls to select the VM scale set that you want to reconfigure, and the associated IPv4 configuration.
  5. Click Add to create the new backend pool and associate the load balancer with the specified scale set. The newly created backend pool is now added to the virtual machine scale set.

08 To allow the new load balancer to monitor the status of virtual machine (VM) instances, you can configure a health probe. The health probe dynamically adds or removes VMs from the load balancer rotation based on their response to health checks. Under Settings, select Health probes, then click Add to create the required health probe.

09 On the Add health probe page, perform the following:

  1. In the Name box, enter a name for the load balancer health probe.
  2. From the Protocol dropdown list, choose the network protocol required to report instance health. Select the appropriate protocol based on your requirements. Protocol options are TCP, HTTP or HTTPS.
  3. In the Port configuration box, type the network port used to monitor virtual machine health.
  4. In the Interval box, provide the amount of time in seconds between probe attempts.
  5. For Unhealthy threshold, provide the number of consecutive probe failures that must occur before a virtual machine is considered unhealthy.
  6. Click OK to create the load balancer health probe.

10 Once the health probe is active, continue the setup process with creating load balancer rules. A load balancer rule defines how traffic is distributed to the virtual machines (VMs). The rule defines the front-end IP configuration for incoming traffic, the back-end IP pool to receive the traffic, and the necessary ports for source and destination. Under Settings, select Load balancer rules, then click Add to create a new rule.

11 On the Add load balancing rule page, perform the following:

  1. In the Name box, provide a name for the new load balancer rule.
  2. For IP Version, choose IPv4.
  3. From the Frontend IP address dropdown list, select the public IP address configured as frontend IP (named LoadBalancerFrontEnd by default) that you have created together with your public load balancer.
  4. For Protocol, select TCP as the network protocol.
  5. For Port use port 80 (TCP).
  6. For Backend port use port 80 (TCP). You can also choose to route traffic to the virtual machines in the backend pool using a different port than the one web clients use to communicate with the load balancer.
  7. Select the backend pool created at the previous steps from the Backend pool dropdown list.
  8. Choose the newly created health probe from the Health probe dropdown list. The selected probe is used by this rule to determine which VMs available in the backend pool are healthy and can receive load balanced traffic.
  9. Select the optimal session persistence option from the Session persistence dropdown list based on your requirements. This setting specifies how the traffic from a web client should be handled by the same virtual machine (VM) in the backend pool for the duration of a session. The None option specifies that successive requests from the same client may be handled by any VM. The Client IP option specifies that successive requests from the same client IP address will be handled by the same VM. The Client IP and protocol option specifies that successive requests from the same client IP address and protocol combination will be handled by the same virtual machine.
  10. Use the Idle timeout (minutes) control to specify how much time (in minutes) is needed to keep a TCP/HTTP connection open without relying on clients to send keep-alive messages.
  11. Make sure that TCP reset is set to Disabled.
  12. Set Floating IP (direct server return) to Disabled. Microsoft Azure recommends using this setting only when configuring a SQL AlwaysOn Availability Group Listener and SQL Failover Clustered Instance (FCI) IP Address. This setting can be enabled during rule creation only, if the port and backend port match.
  13. For Create implicit outbound rules select Yes to configure outbound SNAT for the VM instances within the backend pool to use the public IP address specified for the frontend.
  14. Click OK to create the new load balancer rule.

12 To determine if your Azure load balancer delivers traffic across all VM instances within the associated virtual machine scale set, use the public IP address (frontend IP) to test the traffic distribution.

13 Repeat steps no. 3 – 12 to implement load balancers for other Azure virtual machine scale sets available in the selected subscription.

14 Repeat steps no. 3 – 13 for each subscription available in your Microsoft Azure cloud account.

Publication date Jul 8, 2020
