Use Managed Disk Volumes for Virtual Machines

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: VirtualMachines-009

Ensure that your Microsoft Azure virtual machines (VMs) use managed disk volumes for reliable, efficient and simplified disk management. A managed disk is an Azure-managed abstraction over the Standard/Premium storage that backs a VM disk: you create the disk as a resource, and Azure provisions and manages the underlying storage account and VHD blob for you. Because a managed disk is a first-class Azure Resource Manager resource, access to it (who may attach, snapshot or export it) is controlled with Azure RBAC rather than with storage account keys, and the disks of VMs deployed within an Azure Availability Set are placed on separate storage scale units for better reliability.

The main benefits of using managed disk volumes for VMs are:

High availability (HA) - managed disks keep three replicas of your data, and VMs whose disks are deployed across two or more Availability Zones (AZs) are covered by a 99.99% uptime SLA.

High fault tolerance - the managed disks attached to VMs in an Azure Availability Set are placed in separate storage fault domains (storage scale units), so a single storage failure cannot take down every VM in the set.

High scalability - up to 50,000 managed disks of each disk type can be deployed per Azure subscription per region, with no storage account IOPS limits to plan around.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Reliability, Performance efficiency

For best performance, scalability, reliability and access control, Cloud Conformity recommends using Azure managed disk volumes for most virtual machine (VM) configurations. Unmanaged disk volumes should be used only in the rare scenarios where you must manage the disk VHDs within your own storage account yourself. Note that with unmanaged disks the VHD blobs are protected only by the storage account's keys and SAS tokens, so anyone holding the account key can read or copy a VM's OS disk; managed disks remove that exposure by putting the disk under Azure RBAC.

Audit

To determine if your Azure virtual machines are using managed disk volumes, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list only the virtual machines (VMs) provisioned in your Azure account.

05 Click on the name of the virtual machine that you want to examine.

06 In the navigation panel, under Settings, select Disks to view the disk volumes attached to the selected VM.

07 On the Disks page, click on the name (link) of the volume that you want to examine.

08 On the selected disk volume page, check the name of the resource, listed on top of the page. If the resource name contains (unmanaged), the selected Azure virtual machine disk volume is not managed by Microsoft Azure.

09 Repeat step no. 7 and 8 for each disk volume attached to the selected virtual machine (VM).

10 Repeat steps no. 5 – 9 for every Azure virtual machine available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each Azure virtual machine (VM) provisioned within the current subscription (the line continuations shown are for bash / Azure Cloud Shell):

az vm list \
    --query '[*].id' \
    --output json

02 The command output should return the requested virtual machine IDs:

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-webstore-vm",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project9-vm"
]

03 Run vm show command (Windows/macOS/Linux) using the ID of the virtual machine that you want to examine as identifier parameter to get, for the OS disk and for each data disk, either the managed disk resource ID or the VHD blob URI of the volume attached to the selected VM:

az vm show \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-webstore-vm" \
    --query 'storageProfile.{osDiskManagedId:osDisk.managedDisk.id, osDiskVhdUri:osDisk.vhd.uri, dataDisks:dataDisks[].{name:name, managedId:managedDisk.id, vhdUri:vhd.uri}}'

04 The command output should return, for each disk volume, either its managed disk ID or its VHD URI (the storage account name below is illustrative):

{
  "osDiskManagedId": null,
  "osDiskVhdUri": "https://ccwebstorestorage.blob.core.windows.net/vhds/cc-webstore-vm-os.vhd",
  "dataDisks": []
}

A disk volume is managed when its managed disk ID ("osDiskManagedId" for the OS disk, "managedId" for a data disk) is set and its VHD URI is null. If instead the ID is null and the VHD URI points to a blob in one of your storage accounts, as for the OS disk above, the selected Microsoft Azure virtual machine is using an unmanaged OS/data disk volume. An empty "dataDisks" list only means that no data disks are attached; it says nothing about the OS disk, so always check "osDiskManagedId" as well.

05 Repeat step no. 3 and 4 for each Azure virtual machine (VM) available in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.
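The six CLI steps above can be folded into a single script. The following is an added example, not code from the Conformity page or from Trend Micro: it consumes the JSON that `az vm list --output json` returns and reports every VM whose OS disk or data disks have no `managedDisk.id`. The VM records embedded in it are constructed fixtures (the subscription ID, resource group, storage account and disk names are made up) so the classifier can be exercised offline; when a subscription ID is passed on the command line it calls the real CLI instead, which requires a prior `az login`.

```python
"""Audit Azure VMs for unmanaged (VHD-blob) OS and data disks.

Added example, not part of the Conformity rule page. Input is the JSON that
`az vm list --output json` returns; the classifier only looks at
storageProfile.osDisk and storageProfile.dataDisks.
"""
import json
import subprocess
import sys
from typing import Dict, List, Tuple

SUB = "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd"  # made-up subscription


def _vm(name: str, os_managed: bool, data: List[Tuple[str, bool]]) -> dict:
    """Build a constructed VM record with the same shape as the real CLI output.

    `data` is a list of (disk_name, is_managed) pairs. A managed disk carries a
    managedDisk.id; an unmanaged one carries managedDisk = null and a vhd.uri.
    """
    def disk(disk_name: str, managed: bool) -> dict:
        if managed:
            return {"name": disk_name,
                    "managedDisk": {"id": f"{SUB}/resourceGroups/RG1/providers/Microsoft.Compute/disks/{disk_name}"},
                    "vhd": None}
        return {"name": disk_name,
                "managedDisk": None,
                "vhd": {"uri": f"https://ccstorage.blob.core.windows.net/vhds/{disk_name}.vhd"}}

    return {
        "id": f"{SUB}/resourceGroups/RG1/providers/Microsoft.Compute/virtualMachines/{name}",
        "name": name,
        "resourceGroup": "RG1",
        "storageProfile": {
            "osDisk": disk(f"{name}-os", os_managed),
            "dataDisks": [disk(n, m) for n, m in data],
        },
    }


# Constructed fixtures (all names and IDs are made up): one compliant VM, one with
# an unmanaged OS disk and mixed data disks, one with an unmanaged OS disk only.
SAMPLE_VMS = [
    _vm("cc-project9-vm", True, [("data0", True)]),
    _vm("cc-webstore-vm", False, [("logs", False), ("cache", True)]),
    _vm("cc-bastion-vm", False, []),
]


def unmanaged_disks(vm: dict) -> List[str]:
    """Return "os:<name>" / "data:<name>" for every disk on `vm` without a managedDisk.id.

    Testing managedDisk on each disk avoids the ambiguity of the JMESPath
    projection `dataDisks[*].managedDisk.id`, which yields [] both when the VM
    has no data disks and when all of its data disks are unmanaged.
    """
    profile = vm.get("storageProfile") or {}
    disks = [("os", profile.get("osDisk") or {})]
    disks += [("data", d) for d in profile.get("dataDisks") or []]
    result = []
    for kind, d in disks:
        if (d.get("managedDisk") or {}).get("id"):
            continue  # managed disk: compliant
        label = d.get("name") or (d.get("vhd") or {}).get("uri") or "?"
        result.append(f"{kind}:{label}")
    return result


def audit(vms: List[dict]) -> Dict[str, List[str]]:
    """Map VM resource ID -> unmanaged disks, for the VMs that have at least one."""
    findings: Dict[str, List[str]] = {}
    for vm in vms:
        bad = unmanaged_disks(vm)
        if bad:
            findings[vm["id"]] = bad
    return findings


def list_vms(subscription: str) -> List[dict]:
    """Live mode: fetch the same records from the real CLI (needs `az login` first)."""
    result = subprocess.run(
        ["az", "vm", "list", "--subscription", subscription, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


if __name__ == "__main__":
    # Usage: python audit_disks.py [<subscription-id>]   (no argument = offline fixtures)
    vms = list_vms(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VMS
    for vm_id, disks in audit(vms).items():
        print(f"NON-COMPLIANT {vm_id}")
        for disk in disks:
            print(f"    unmanaged {disk}")
```

To cover every subscription, loop over the IDs returned by `az account list --query '[].id' --output tsv` and call `list_vms` for each; the classifier is unchanged because it only reads each VM's `storageProfile`.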

Remediation / Resolution

To convert the unmanaged disk volumes attached to your Azure virtual machines to managed disk volumes, perform the following actions:

Note: The conversion copies each VHD blob into a new managed disk and re-points the VM at the copy; the VM is deallocated for the duration and restarted afterwards, and the conversion cannot be reversed. The original VHD blobs and the storage account that holds them are not deleted and continue to be billed, so delete them only after verifying that the converted VM boots and its data is intact. Virtual machines that belong to an Availability Set cannot be converted one at a time: deallocate every VM in the set and convert the set as a unit (in the CLI, with az vm availability-set convert). Other settings of the selected virtual machines (size, network, extensions) are left unchanged.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list the virtual machines launched in your Azure cloud account.

05 Click on the name of the virtual machine (VM) that you want to examine.

06 In the navigation panel, under Settings, select Disks to view the disk volumes attached to the selected VM.

07 On the Disks page, click Migrate to managed disks button from the panel top menu to initiate the process.

08 On the Migrate to managed disks page, click Migrate to run the migration process. The selected Microsoft Azure virtual machine will be deallocated for the duration of the migration and restarted when it completes.

09 Repeat steps no. 5 – 8 for each Azure virtual machine that has unmanaged disk volumes attached, provisioned in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm deallocate command (Windows/macOS/Linux) to deallocate (i.e. stop the VM and release its compute resources) the Azure virtual machine that has unmanaged disk volumes – see Audit section part II to identify the right VM. The convert command in the next step is refused while the VM is running (the command does not produce an output):

az vm deallocate \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-webstore-vm"

02 Run vm convert command (Windows/macOS/Linux) using the ID of the virtual machine (VM) that you want to reconfigure as identifier parameter, to convert the unmanaged disk volumes attached to the selected VM into managed disk volumes (the command does not return an output):

az vm convert \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-webstore-vm"

03 Run vm start command (Windows/macOS/Linux) to restart the reconfigured Microsoft Azure virtual machine (the command does not produce an output):

az vm start \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-webstore-vm"

04 Repeat steps no. 1 – 3 for each virtual machine that has unmanaged disk volumes attached, available in the selected subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.
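Steps 1 to 5 above, turned into a script that first prints the conversion plan and executes it only when asked. This is an added example, not code from the Conformity page or from Trend Micro. It reads the same `az vm list --output json` records as the audit, groups VMs by availability set so that every member of a set is deallocated and converted together with `az vm availability-set convert` (the per-VM `az vm convert` is not accepted for set members), and runs nothing unless `--apply` is given. The VM records embedded in it are constructed fixtures with made-up IDs; in live use, pipe the CLI output into it.

```python
"""Plan and run unmanaged -> managed disk conversion for Azure VMs.

Added example, not part of the Conformity rule page. Consumes `az vm list
--output json` records (storageProfile, availabilitySet) and emits the ordered
az commands: deallocate, convert, start. Stand-alone VMs use `az vm convert`;
all VMs in an availability set are deallocated and converted together with
`az vm availability-set convert`.
"""
import json
import subprocess
import sys
from typing import Dict, List, Optional

SUB = "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd"  # made-up subscription
Command = List[str]


def _vm(name: str, os_managed: bool, avset: Optional[str] = None) -> dict:
    """Constructed VM record (made-up IDs) in the shape the CLI returns."""
    if os_managed:
        os_disk = {"managedDisk": {"id": f"{SUB}/resourceGroups/RG1/providers/Microsoft.Compute/disks/{name}-os"},
                   "vhd": None}
    else:
        os_disk = {"managedDisk": None,
                   "vhd": {"uri": f"https://ccstorage.blob.core.windows.net/vhds/{name}-os.vhd"}}
    rec = {"id": f"{SUB}/resourceGroups/RG1/providers/Microsoft.Compute/virtualMachines/{name}",
           "name": name,
           "storageProfile": {"osDisk": os_disk, "dataDisks": []}}
    if avset:
        rec["availabilitySet"] = {"id": f"{SUB}/resourceGroups/RG1/providers/Microsoft.Compute/availabilitySets/{avset}"}
    return rec


SAMPLE_VMS = [
    _vm("cc-webstore-vm", False),            # stand-alone, unmanaged OS disk
    _vm("cc-project9-vm", True),             # stand-alone, already compliant
    _vm("cc-web-0", False, avset="web-as"),  # set member with an unmanaged disk ...
    _vm("cc-web-1", True, avset="web-as"),   # ... forces its compliant sibling along
]


def needs_conversion(vm: dict) -> bool:
    """True when the OS disk or any data disk has no managedDisk.id."""
    profile = vm.get("storageProfile") or {}
    disks = [profile.get("osDisk") or {}] + list(profile.get("dataDisks") or [])
    return any(not (d.get("managedDisk") or {}).get("id") for d in disks)


def remediation_plan(vms: List[dict]) -> List[Command]:
    """Ordered az commands to convert every non-compliant VM in `vms`.

    `vms` should be the full `az vm list` output for the subscription, so that
    all members of an availability set are present: the set is converted as a
    unit, and `az vm deallocate --ids` / `az vm start --ids` take several IDs.
    """
    plan: List[Command] = []
    sets: Dict[str, List[dict]] = {}
    for vm in vms:
        avset_id = (vm.get("availabilitySet") or {}).get("id")
        if avset_id:
            sets.setdefault(avset_id, []).append(vm)
        elif needs_conversion(vm):
            plan += [
                ["az", "vm", "deallocate", "--ids", vm["id"]],  # convert refuses a running VM
                ["az", "vm", "convert", "--ids", vm["id"]],
                ["az", "vm", "start", "--ids", vm["id"]],
            ]
    for avset_id, members in sets.items():
        if not any(needs_conversion(m) for m in members):
            continue  # whole set already on managed disks
        ids = [m["id"] for m in members]
        plan += [
            ["az", "vm", "deallocate", "--ids", *ids],
            ["az", "vm", "availability-set", "convert", "--ids", avset_id],
            ["az", "vm", "start", "--ids", *ids],
        ]
    return plan


def run_plan(plan: List[Command], apply: bool = False) -> int:
    """Print every command; execute them only when `apply` is True. Returns the count run."""
    ran = 0
    for cmd in plan:
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)  # each az call blocks until the operation finishes
            ran += 1
    return ran


if __name__ == "__main__":
    # Usage: az vm list --output json | python convert_disks.py [--apply]
    # Without piped input the constructed fixtures are used for a dry run.
    vms = SAMPLE_VMS if sys.stdin.isatty() else json.load(sys.stdin)
    run_plan(remediation_plan(vms), apply="--apply" in sys.argv)
```

Run the dry run first and review the plan, then rerun with `--apply`; after the VMs are back up and verified, delete the original VHD blobs, which the conversion leaves in place and continues to bill.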

Publication date Jun 24, 2020