Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Disable Premium SSD

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: VirtualMachines-010

Ensure that your Microsoft Azure virtual machines (VMs) are using Standard SSD disk volumes instead of Premium SSD volumes for cost-effective storage that fits a broad range of workloads from web servers to enterprise applications that need consistent performance at lower IOPS levels. Unless you are running mission-critical applications or performance sensitive workloads that need more than 6000 IOPS or 750 MiB/s of throughput per VM disk volume, Cloud Conformity recommends converting your Premium SSD volumes to Standard SSD in order to lower the cost of your Azure monthly bill.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Cost
optimisation

Replacing Premium SSD disk volumes with Standard SSD volumes for your Microsoft Azure virtual machines represents an efficient strategy for cutting down VM storage costs while maintaining a good I/O performance.

Audit

To determine if your Azure virtual machines are using Premium SSD disk volumes, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to show only the virtual machines (VMs) available in the selected subscription.

05 Click on the name of the virtual machine that you want to examine.

06 In the navigation panel, under Settings, select Disks to view the disk volumes attached to the selected Azure VM.

07 On the Disks overview page, under OS disk and Data disks, check the disk storage type, available in the Storage account type column, for each volume attached. If the disk storage type is set to Premium SSD, the selected Microsoft Azure virtual machine is using Premium SSD OS/data disk volume(s).

08 Repeat steps no. 4 – 7 for each Azure virtual machine available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each virtual machine (VM) provisioned in the current Azure subscription: 

az vm list
    --query '[*].id'

02 The command output should return the requested virtual machine identifiers (IDs): 

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-server",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-warehouse-app-server"
]

03 Run vm show command (Windows/macOS/Linux) using the ID of the virtual machine that you want to examine as identifier parameter to describe the disk storage type configured for the OS and data disk volumes attached to the selected Azure VM: 

az vm show
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-server"
    --query 'storageProfile.{"osDiskStorageType":osDisk.managedDisk.storageAccountType,"dataDiskStorageType":dataDisks[*].managedDisk.storageAccountType}'

04 The command output should return the storage type for each VM disk volume attached: 

{
  "osDiskStorageType": "Premium_LRS",
  "dataDiskStorageType": [
     "Premium_LRS"
  ]
}

If the vm show command output returns "Premium_LRS" as the value for the "osDiskStorageType" and/or "dataDiskStorageType" configuration attributes, the selected Microsoft Azure virtual machine is using Premium SSD OS/data disk volume(s).

05 Repeat step no. 3 and 4 for every Azure virtual machine (VM) available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To change the storage type configured for your Azure virtual machine disk volumes from Premium SSD to cost-effective Standard SSD, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to show the virtual machines (VMs) available in the selected subscription.

05 Click on the name of the virtual machine that you want to reconfigure (see Audit section part I to identify the right resource).

06 In the navigation panel, select Overview, then click the Stop button from the panel top menu to stop (shutdown) the selected virtual machine. Click Yes to confirm the action.

07 In the navigation panel, under Settings, select Disks to access the disk volumes attached to the virtual machine.

08 On the Disks page, under OS disk and Data disks, click on the OS/data disk volume with the storage account type set to Premium SSD, to access the configuration settings for the selected volume.

09 In the navigation panel, under Settings, select Configuration to access the disk volume storage type configuration.

10 On the Configuration page, select Standard SSD from the Account type dropdown list to change the storage type for the selected disk volume to Standard SSD. Click Save to apply the configuration changes.

11 Repeat steps no. 8 – 10 for each disk volume with the Premium SSD storage type, attached to the selected Azure VM.

12 Go back to your Azure virtual machine, select Overview option from the navigation panel, then click the Start button to restart the selected virtual machine.

13 Repeat steps no. 5 – 12 for each Azure virtual machine available in the selected subscription.

14 Repeat steps no. 3 – 13 for each subscription created in your Microsoft Azure cloud account.

Using Azure Console

01 Run vm deallocate command (Windows/macOS/Linux) to deallocate (shutdown) the Azure virtual machine that you want to reconfigure – see Audit section part II to identify the right resource (the command does not produce an output): 

az vm deallocate
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-server"

02 Run disk update command (Windows/macOS/Linux) using the ID of the virtual machine disk volume that you want to reconfigure as identifier parameter to change the storage type configured for the selected volume from Premium SSD to Standard SSD. Repeat this step for each disk volume with the Premium SSD storage type, attached to the selected Azure virtual machine: 

az disk update
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-data-disk1"
    --sku StandardSSD_LRS

03 The command output should return the metadata for the reconfigured disk volume: 

{
  "diskIopsReadWrite": 120,
  "diskMbpsReadWrite": 25,
  "diskSizeBytes": 5368709120,
  "diskSizeGb": 5,
  "diskState": "Reserved",
  "encryptionSettingsCollection": null,
  "hyperVgeneration": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-data-disk1",
  "location": "westeurope",
  "managedBy": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-internal-app-server",
  "name": "cc-data-disk1",
  "osType": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE",
  "sku": {
    "name": "StandardSSD_LRS",
    "tier": "Standard"
  },
  "tags": {},
  "timeCreated": "2019-10-31T16:37:05.571189+00:00",
  "type": "Microsoft.Compute/disks",
  "uniqueId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
  "zones": null
}

04 Run vm start command (Windows/macOS/Linux) to restart the selected Microsoft Azure virtual machine (the command does not produce an output): 

az vm start
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-server"

05 Repeat steps no. 1 – 4 for each virtual machine provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Jun 24, 2020

Related VirtualMachines rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Disable Premium SSD

Risk Level: High