Enable and Configure Health Monitoring

Risk level: Medium (should be achieved)

Rule ID: VirtualMachines-033

Ensure that Monitor Application Health feature is enabled for all the instances running within your Azure virtual machine scale set. Health monitoring via Application Health extension is required for OS upgrades and automatic instance repairs. The Azure Application Health extension reports on the application health from inside the virtual machine scale set instances. You can configure the health extension to probe on an application endpoint and update the status of the application on that instance. This status is checked by Microsoft Azure to determine whether the instance is eligible for upgrade or repair operations.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Reliability

Performance
efficiency

By monitoring application health for your Microsoft Azure virtual machine scale sets, you can increase the reliability and availability of the applications deployed within these scale sets.

Audit

To determine if Monitor Application Health feature is enabled for your Azure virtual machine scale sets, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine scale set to list only the Azure virtual machine scale sets created in the selected subscription.

05 Click on the name of the virtual machine scale set that you want to examine.

06 In the navigation panel, under Settings, select Health and repair to access the health monitoring configuration settings available for the selected VM scale set.

07 On the Health and repair page, check the Monitor application health configuration setting status. If the setting status is set to Disabled, the application health monitoring is not enabled for the selected Microsoft Azure virtual machine scale set.

08 Repeat steps no. 5 – 7 for each Azure virtual machine scale set available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd",
]

03 Run vmss list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each virtual machine scale set provisioned in the selected Azure subscription:

az vmss list
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return the requested virtual machine scale set identifiers:

Name                    ResourceGroup
---------------------   ------------------------------
cc-project5-scale-set   cloud-shell-storage-westeurope
cc-frontend-scale-set   cloud-shell-storage-westeurope

05 Run vmss show command (Windows/macOS/Linux) using the name of the virtual machine scale set that you want to examine as identifier parameter and custom query filters, to list the name of each virtual machine extension installed for the selected scale set:

az vmss show
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
	--name cc-project5-scale-set
	--resource-group cloud-shell-storage-westeurope
	--query 'virtualMachineProfile.extensionProfile.extensions[*].name'

06 The command output should return the requested VM extension name(s):

[
  "AzureNetworkWatcherExtension",
  "CustomScript"
]

Check the VM extension names list returned by the vmss show command output. If the list does not contain the Application Health extension name, i.e. "ApplicationHealthLinux" (when the extension is enabled programmatically) or "healthRepairExtension" (when the extension is enabled using Azure Portal), the application health monitoring (powered by Application Health extension) is not enabled for the selected Microsoft Azure virtual machine scale set.

07 Repeat step no. 5 and 6 for each Azure virtual machine scale set deployed in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable and configure application health monitoring for your Microsoft Azure virtual machine scale sets using Application Health extension, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine scale set to list only the virtual machine scale sets deployed in the selected subscription.

05 Click on the name of the virtual machine scale set that you want to reconfigure.

06 In the navigation panel, under Settings, select Health and repair to access the health monitoring configuration settings available for the selected scale set.

07 On the Health and repair page, perform the following:

Select Enabled under Monitor application health to enable application health monitoring for the selected virtual machine scale set.
Choose Application Health extension from the Application health monitor dropdown list to monitor application health using the Application Health VM extension.
From Protocol dropdown list, choose the network protocol used by your application to report health. Select the appropriate protocol based on your application requirements. Protocol options are HTTP, HTTPS or TCP.
In the Port number configuration box, type the network port used to monitor application health.
For Path, provide the application endpoint path (e.g. "/") used to report application health.
In the Automatic repair policy section, choose whether to configure automatic repairs for the selected scale set. Automatic repairs can be used to delete unhealthy instances from the scale set and create new ones to replace them.
Click Save to apply the configuration changes and install the Application Health extension.

08 Repeat steps no. 5 – 7 to enable application health monitoring for other Azure virtual machine scale set created within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vmss extension set command (Windows/macOS/Linux) using the name of the virtual machine scale set that you want to reconfigure as identifier parameter, to enable application health monitoring for the selected VM scale set by installing and configuring the Application Health extension. The following command request example configures application health monitoring for a scale set named "cc-project5-scale-set", using HTTP port 80 with the endpoint path set to "/" (i.e. the health check URL to probe) to monitor application health:

az vmss extension set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
	--name ApplicationHealthLinux
	--publisher Microsoft.ManagedServices
	--version 1.0
	--vmss-name cc-project5-scale-set
	--resource-group cloud-shell-storage-westeurope
	--settings '{"port": 80, "protocol": "http", "requestPath": "/"}'
	--query 'virtualMachineProfile.extensionProfile.extensions[*]'

02 The command output should return the metadata available for the VM extensions installed on the selected scale set (including the Application Health extension):

[
  {
    "autoUpgradeMinorVersion": true,
    "forceUpdateTag": null,
    "id": null,
    "name": "ApplicationHealthLinux",
    "protectedSettings": null,
    "provisionAfterExtensions": null,
    "provisioningState": null,
    "publisher": "Microsoft.ManagedServices",
    "settings": {
      "port": 80,
      "protocol": "http",
      "requestPath": "/"
    },
    "type": null,
    "type1": "ApplicationHealthLinux",
    "typeHandlerVersion": "1.0"
  },
  {
    "autoUpgradeMinorVersion": true,
    "forceUpdateTag": null,
    "id": null,
    "name": "AzureNetworkWatcherExtension",
    "protectedSettings": null,
    "provisionAfterExtensions": null,
    "provisioningState": null,
    "publisher": "Microsoft.Azure.NetworkWatcher",
    "settings": {},
    "type": null,
    "type1": "NetworkWatcherAgentLinux",
    "typeHandlerVersion": "1.4"
  }
]

03 Repeat step no. 1 and 2 to enable application health monitoring for other Azure virtual machine scale set deployed in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

References

Azure Official Documentation
What are virtual machine scale sets?
Using Application Health extension with virtual machine scale sets

Azure Command Line Interface (CLI) Documentation
az account
az vmss
az vmss show
az vmss extension

Publication date Jul 9, 2020

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Enable and Configure Health Monitoring

Risk level: Medium

Audit

Using Azure Portal

Using Azure CLI

Remediation / Resolution

Using Azure Portal

Using Azure CLI

References

Related VirtualMachines rules