Check for Empty Virtual Machine Scale Sets

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: VirtualMachines-025

Identify any empty virtual machine scale sets available within your Microsoft Azure cloud account and delete them in order to eliminate unnecessary costs and meet compliance requirements when it comes to unused resources. A Microsoft Azure virtual machine scale set is considered empty when it doesn't have any VM instances attached anymore and is no longer associated with a load balancer.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Cost optimisation

In order to adhere to Azure cloud best practices and achieve regulatory compliance, every empty virtual machine scale set should be removed for cost optimization and better management of your cloud resources.


Audit

To identify empty Microsoft Azure virtual machine scale sets, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine scale set to list only the Azure virtual machine scale sets created in the selected subscription.

05 Click on the name of the virtual machine scale set that you want to examine.

06 In the navigation panel, under Settings, perform the following:

  1. Select Instances to view the list of virtual machine (VM) instances running within the selected VM scale set. If there are no instances listed on this page, the selected Azure virtual machine scale set does not have any VM instances attached anymore.
  2. Choose Networking and select the Load balancing tab to access the load balancer linked to the selected scale set. If there is no load balancer listed on the Load balancing panel, the selected Azure virtual machine scale set is not associated with an active load balancer.

07 If both conditions are met, i.e. there are no VM instances and load balancers attached to the scale set, the selected Microsoft Azure virtual machine scale set is considered empty and can be safely removed from your cloud account.

08 Repeat steps no. 5 – 7 for each Azure virtual machine scale set available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run vmss list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each virtual machine scale set provisioned in the selected Azure subscription:

az vmss list \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return the requested virtual machine scale set identifiers:

Name                    ResourceGroup
---------------------   ------------------------------
cc-frontend-scale-set   cloud-shell-storage-westeurope
cc-backend-scale-set    cloud-shell-storage-westeurope

05 Run vmss list-instances command (Windows/macOS/Linux) using the name of the virtual machine scale set that you want to examine as identifier parameter, to list the IDs of the virtual machine (VM) instances running within the selected scale set:

az vmss list-instances \
	--name cc-frontend-scale-set \
	--resource-group cloud-shell-storage-westeurope \
	--query '[*].id'

06 The command output should return the requested instance identifiers (IDs):

[]

If the vmss list-instances command output returns an empty array, as shown in the example above, the selected Azure virtual machine scale set does not have any VM instances currently attached.

07 Run vmss show command (Windows/macOS/Linux) using the name of the virtual machine scale set that you want to examine as identifier parameter, to describe the ID of the load balancer backend pool associated with the selected VM scale set:

az vmss show \
	--name cc-frontend-scale-set \
	--resource-group cloud-shell-storage-westeurope \
	--query 'virtualMachineProfile.networkProfile.networkInterfaceConfigurations[*].ipConfigurations[*].loadBalancerBackendAddressPools[*].id | []'

08 The command output should return the requested backend pool identifier:

[]

If the vmss show command output returns an empty array, i.e. [], the selected Azure virtual machine scale set is not linked to an active load balancer.

09 If both conditions are met, i.e. there are no VM instances and load balancers associated with the scale set, the selected Microsoft Azure virtual machine scale set is considered empty and can be safely removed from your cloud account.

10 Repeat steps no. 5 – 9 for each Azure virtual machine scale set deployed in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
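The CLI audit steps above, combined into one script as an added example (not Conformity's own code): it walks every subscription, counts VM instances and load balancer backend pools per scale set, and prints only the sets where both counts are zero. The function names are illustrative, and the pool query uses the flatten form (`[]`) of the page's JMESPath expression so that the count is taken over a flat list.

```shell
#!/bin/sh
# Added example: inventory of empty scale sets (no instances AND no LB backend pool).
# Function names are illustrative; the az commands are the ones used in the steps above.

# Number of VM instances in one scale set (audit step 05).
vmss_instance_count() {  # args: subscription resource-group name
  az vmss list-instances --subscription "$1" --resource-group "$2" --name "$3" \
    --query 'length(@)' --output tsv </dev/null
}

# Number of load balancer backend pools referenced by the scale set (audit step 07).
# "[]" flattens each level, and "|| `[]`" turns a missing profile into an empty list.
vmss_backend_pool_count() {  # args: subscription resource-group name
  az vmss show --subscription "$1" --resource-group "$2" --name "$3" \
    --query 'length(virtualMachineProfile.networkProfile.networkInterfaceConfigurations[].ipConfigurations[].loadBalancerBackendAddressPools[].id || `[]`)' \
    --output tsv </dev/null
}

# Prints "subscription<TAB>resource-group<TAB>name" for every empty scale set.
# A failed query counts as "unknown", so an access error never marks a set as empty.
find_empty_vmss() (
  tab=$(printf '\t')
  az account list --query '[].id' --output tsv </dev/null |
  while IFS= read -r sub; do
    az vmss list --subscription "$sub" \
      --query '[].[name, resourceGroup]' --output tsv </dev/null |
    while IFS="$tab" read -r name rg; do
      instances=$(vmss_instance_count "$sub" "$rg" "$name") || instances=unknown
      pools=$(vmss_backend_pool_count "$sub" "$rg" "$name") || pools=unknown
      if [ "$instances" = unknown ] || [ "$pools" = unknown ]; then
        echo "skipped (query failed): $sub/$rg/$name" >&2
      elif [ "$instances" = 0 ] && [ "$pools" = 0 ]; then
        printf '%s\t%s\t%s\n' "$sub" "$rg" "$name"
      fi
    done
  done
)

# Run the audit only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  find_empty_vmss
fi
```

Run it with `--run` after `az login`; the output is a review list for the remediation steps, and scale sets whose queries failed are reported on stderr instead of being treated as empty.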

Remediation / Resolution

To remove empty Microsoft Azure virtual machine scale sets from your Azure cloud account, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine scale set to list only the virtual machine scale sets deployed in the selected subscription.

05 Click on the name of the virtual machine scale set that you want to remove.

06 In the navigation panel, select Overview, and click Delete to initiate the resource removal.

07 In the Delete virtual machine scale set confirmation box, click Yes to confirm the virtual machine scale set removal.

08 Repeat steps no. 5 – 7 to delete other empty Azure virtual machine scale sets available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vmss delete command (Windows/macOS/Linux) using the name of the virtual machine scale set that you want to delete as identifier parameter, to remove the selected Microsoft Azure virtual machine scale set from your Azure cloud account (the command does not produce an output):

az vmss delete \
	--name cc-frontend-scale-set \
	--resource-group cloud-shell-storage-westeurope

02 Repeat step no. 1 to remove other empty Azure virtual machine scale sets deployed in the selected subscription.

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.

Publication date Oct 26, 2020
