fix: This PR resolves issues with AKS, VMSS and Load Balancers ARGs (#745)

rod-reis · Rodrigo Reis Santos (AZURE) · web-flow · commit ef9bc516674f · 2025-05-28T20:55:16.000+09:00
Co-authored-by: Rodrigo Reis Santos (AZURE) &lt;Rodrigo.REIS@microsoft.com&gt;
diff --git a/azure-resources/Compute/virtualMachineScaleSets/kql/a7bfcc18-b0d8-4d37-81f3-8131ed8bead5.kql b/azure-resources/Compute/virtualMachineScaleSets/kql/a7bfcc18-b0d8-4d37-81f3-8131ed8bead5.kql
@@ -0,0 +1,32 @@
+// Azure Resource Graph Query
+// Returns any AKS cluster nodepools that do not have Ephemeral Disks
+resources
+| where type == "microsoft.containerservice/managedclusters"
+| mv-expand agentPoolProfile = properties.agentPoolProfiles
+| extend
+    osDiskType         = tostring(agentPoolProfile.osDiskType),
+    nodePoolName       = tostring(agentPoolProfile.name),
+    nodeResourceGroup  = tostring(properties.nodeResourceGroup),
+    subscriptionId     = tostring(split(id, "/")[2])
+| where osDiskType != "Ephemeral" and isnotempty(nodeResourceGroup)
+| project
+    nodePoolName,
+    nodeResourceGroup,
+    subscriptionId
+| join kind=inner (
+    resources
+    | where type == "microsoft.compute/virtualmachinescalesets"
+    | extend
+        vmssName        = name,
+        vmssId          = id,
+        subscriptionId  = tostring(split(id, "/")[2]),
+        resourceGroup   = tostring(split(id, "/")[4])
+) on subscriptionId
+| where tolower(resourceGroup) == tolower(nodeResourceGroup)
+    and tolower(vmssName) contains tolower(nodePoolName)
+| project
+    recommendationId = "a7bfcc18-b0d8-4d37-81f3-8131ed8bead5",
+    name = vmssName,
+    id   = vmssId,
+    tags,
+    param1 = "osDiskType: Non-Ephemeral"
diff --git a/azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml b/azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
@@ -151,3 +151,19 @@
     - name: Deprecated Azure Marketplace images
       url: "https://learn.microsoft.com/azure/virtual-machines/deprecated-images"
 
+- description: Use Ephemeral OS Disks for AKS VMSS Node Pools
+  aprlGuid: a7bfcc18-b0d8-4d37-81f3-8131ed8bead5
+  recommendationTypeId: null
+  recommendationControl: Scalability
+  recommendationImpact: Medium
+  recommendationResourceType: Microsoft.Compute/virtualMachineScaleSets
+  recommendationMetadataState: Active
+  longDescription: |
+    Ephemeral OS disks on AKS offer lower read/write latency due to local attachment, eliminating the need for replication seen with managed disks. This enhances performance and speeds up cluster operations such as scaling or upgrading due to quicker re-imaging and boot times.
+  potentialBenefits: Lower latency, faster re-imaging and booting
+  pgVerified: true
+  automationAvailable: true
+  tags: []
+  learnMoreLink:
+    - name: Ephemeral OS disk
+      url: "https://learn.microsoft.com/azure/aks/concepts-storage#ephemeral-os-disk"
diff --git a/azure-resources/ContainerService/managedClusters/kql/005ccbbd-aeab-46ef-80bd-9bd4479412ec.kql b/azure-resources/ContainerService/managedClusters/kql/005ccbbd-aeab-46ef-80bd-9bd4479412ec.kql
@@ -6,4 +6,4 @@ resources
 | extend taints = tostring(parse_json(agentPoolProfile.nodeTaints))
 | extend nodePool = tostring(parse_json(agentPoolProfile.name))
 | where taints !has "CriticalAddonsOnly=true:NoSchedule" and  agentPoolProfile.minCount < 2
-| project recommendationId="005ccbbd-aeab-46ef-80bd-9bd4479412ec", name=nodePool, id=strcat(id,"/agentPools/",nodePool), tags,param1=strcat("nodePoolName: ", nodePool), param2=strcat("nodePoolMinNodeCount: ", agentPoolProfile.minCount)
+| project recommendationId="005ccbbd-aeab-46ef-80bd-9bd4479412ec", name, id=id, tags,param1=strcat("nodePoolName: ", nodePool), param2=strcat("nodePoolMinNodeCount: ", agentPoolProfile.minCount)
diff --git a/azure-resources/ContainerService/managedClusters/kql/a7bfcc18-b0d8-4d37-81f3-8131ed8bead5.kql b/azure-resources/ContainerService/managedClusters/kql/a7bfcc18-b0d8-4d37-81f3-8131ed8bead5.kql
diff --git a/azure-resources/ContainerService/managedClusters/kql/f46b0d1d-56ef-4795-b98a-f6ee00cb341a.kql b/azure-resources/ContainerService/managedClusters/kql/f46b0d1d-56ef-4795-b98a-f6ee00cb341a.kql
@@ -1,7 +1,9 @@
 // Azure Resource Graph Query
-// Returns each AKS cluster with nodepools that have Linux nodepools not using Azure Linux
+// Returns each AKS cluster that has Linux node pools not using Azure Linux
 resources
-| where type == "microsoft.containerservice/managedclusters"
-| mv-expand agentPoolProfile = properties.agentPoolProfiles
-| where agentPoolProfile.osType == 'Linux' and agentPoolProfile.osSKU != 'AzureLinux'
-| project recommendationid="f46b0d1d-56ef-4795-b98a-f6ee00cb341a", name=agentPoolProfile.name, id=strcat(id,"/agentPools/",agentPoolProfile.name),tags, param1=strcat("nodePoolName: ", agentPoolProfile.name)
+  | where type == "microsoft.containerservice/managedclusters"
+  | mv-expand agentPoolProfile = properties.agentPoolProfiles
+  | where agentPoolProfile.osType == 'Linux' and agentPoolProfile.osSKU != 'AzureLinux'
+  | extend clusterId = id,clusterName = name,nodePoolName = tostring(agentPoolProfile.name)
+  | summarize nonAzureLinuxNodePools = make_list(strcat("nodePoolName: ", nodePoolName)),anyClusterName = any(clusterName),anyTags = any(tags) by clusterId
+  | project recommendationId = "f46b0d1d-56ef-4795-b98a-f6ee00cb341a",name = anyClusterName,id = clusterId,tags = anyTags,param1 = tostring(nonAzureLinuxNodePools)
diff --git a/azure-resources/ContainerService/managedClusters/recommendations.yaml b/azure-resources/ContainerService/managedClusters/recommendations.yaml
@@ -3,7 +3,7 @@
   recommendationTypeId: 9f3263db-b9c0-43bb-8523-6800f9f50793
   recommendationControl: HighAvailability
   recommendationImpact: High
-  recommendationResourceType: Microsoft.ContainerService/managedClusters/agentPools
+  recommendationResourceType: Microsoft.ContainerService/managedClusters
   recommendationMetadataState: Active
   longDescription: |
     Azure Availability Zones ensure high availability by offering independent locations within regions, equipped with their own power, cooling, and networking to ensure applications and data are protected from datacenter-level failures.
@@ -202,23 +202,6 @@
     - name: Monitor AKS
       url: "https://learn.microsoft.com/azure/aks/monitor-aks"
 
-- description: Use Ephemeral OS disks on AKS clusters
-  aprlGuid: a7bfcc18-b0d8-4d37-81f3-8131ed8bead5
-  recommendationTypeId: null
-  recommendationControl: Scalability
-  recommendationImpact: Medium
-  recommendationResourceType: Microsoft.ContainerService/managedClusters/agentPools
-  recommendationMetadataState: Active
-  longDescription: |
-    Ephemeral OS disks on AKS offer lower read/write latency due to local attachment, eliminating the need for replication seen with managed disks. This enhances performance and speeds up cluster operations such as scaling or upgrading due to quicker re-imaging and boot times.
-  potentialBenefits: Lower latency, faster re-imaging and booting
-  pgVerified: true
-  automationAvailable: true
-  tags: []
-  learnMoreLink:
-    - name: Ephemeral OS disk
-      url: "https://learn.microsoft.com/azure/aks/concepts-storage#ephemeral-os-disk"
-
 - description: Enable and remediate Azure Policies configured for AKS
   aprlGuid: 26ebaf1f-c70d-4ebd-8641-4b60a0ce0094
   recommendationTypeId: null
@@ -326,7 +309,7 @@
   recommendationTypeId: null
   recommendationControl: HighAvailability
   recommendationImpact: High
-  recommendationResourceType: Microsoft.ContainerService/managedClusters/agentPools
+  recommendationResourceType: Microsoft.ContainerService/managedClusters
   recommendationMetadataState: Active
   longDescription: |
     Configuring the user node pool with at least two nodes is essential for applications needing high availability, ensuring they remain operational and accessible without interruption.
@@ -394,7 +377,7 @@
   recommendationTypeId: null
   recommendationControl: HighAvailability
   recommendationImpact: High
-  recommendationResourceType: Microsoft.ContainerService/managedClusters/agentPools
+  recommendationResourceType: Microsoft.ContainerService/managedClusters
   recommendationMetadataState: Disabled
   longDescription: |
     Azure Linux on AKS boosts resiliency with a native image using validated, source-built components. It's lightweight, reducing the attack surface and maintenance. A Microsoft-hardened kernel, optimized for Azure, enhances stability and security for container workloads.
diff --git a/azure-resources/Network/loadBalancers/kql/621dbc78-3745-4d32-8eac-9e65b27b7512.kql b/azure-resources/Network/loadBalancers/kql/621dbc78-3745-4d32-8eac-9e65b27b7512.kql
@@ -27,7 +27,7 @@ resources
     | join kind=innerunique (
         resources
         | where type == "microsoft.network/publicipaddresses"
-        | where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
+        | where location in~ ("centralindia", "centralus", "eastus", "japaneast", "japanwest","newzealandnorth", "southcentralus", "southeastasia", "switzerlandnorth","uaenorth", "westeurope", "westus3", "usgovvirginia", "chinanorth3")
         | where isnull(zones) or array_length(zones) < 2
         | extend
             LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))),
diff --git a/azure-resources/Network/loadBalancers/kql/6d82d042-6d61-ad49-86f0-6a5455398081.kql b/azure-resources/Network/loadBalancers/kql/6d82d042-6d61-ad49-86f0-6a5455398081.kql
@@ -1,9 +1,10 @@
 // Azure Resource Graph Query
-// Find all LoadBalancers which only have 1 backend pool defined or only 1 VM in the backend pool,
-// and project the name of the impacted backend pool.
+// Find all LoadBalancers with only 1 VM in any backend pool
 resources
 | where type =~ 'Microsoft.Network/loadBalancers'
 | mv-expand bpool = properties.backendAddressPools
 | extend BackendAddresses = array_length(bpool.properties.loadBalancerBackendAddresses)
 | where BackendAddresses <= 1
-| project recommendationId = "6d82d042-6d61-ad49-86f0-6a5455398081",name=bpool.name,id=strcat(id,"/backendAddressPools/",bpool.name),tags
+| extend lbId = id, lbName = name, poolName = tostring(bpool.name)
+| summarize anyPool = any(poolName), anyTags = any(tags) by lbId, lbName
+| project recommendationId = "6d82d042-6d61-ad49-86f0-6a5455398081", name = lbName, id = lbId, tags = anyTags, param1 = strcat("backendPoolName: ", anyPool)
diff --git a/azure-resources/Network/loadBalancers/recommendations.yaml b/azure-resources/Network/loadBalancers/recommendations.yaml
@@ -20,7 +20,7 @@
   recommendationTypeId: null
   recommendationControl: HighAvailability
   recommendationImpact: High
-  recommendationResourceType: Microsoft.Network/loadBalancers/backendAddressPools
+  recommendationResourceType: Microsoft.Network/loadBalancers
   recommendationMetadataState: Active
   longDescription: |
     Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Pairing with Virtual Machine Scale Sets is advised for optimal scale building.
diff --git a/azure-resources/Network/publicIPAddresses/kql/c63b81fb-7afc-894c-a840-91bb8a8dcfaf.kql b/azure-resources/Network/publicIPAddresses/kql/c63b81fb-7afc-894c-a840-91bb8a8dcfaf.kql
@@ -1,9 +1,12 @@
 // Azure Resource Graph query
 // List public IP addresses that are not Zone-Redundant
-Resources
+resources
 | where type =~ "Microsoft.Network/publicIPAddresses" and sku.tier =~ "Regional"
-| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
-| where isempty(zones) or array_length(zones) <= 1
+| where
+    (location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
+    and array_length(zones) <= 1)
+    or
+    (location in~ ("centralindia", "centralus", "eastus", "japaneast", "japanwest", "newzealandnorth","southcentralus", "southeastasia", "switzerlandnorth", "uaenorth", "westeurope", "westus3","usgovvirginia", "chinanorth3")
+    and (isempty(zones) or array_length(zones) <= 1))
 | extend az = case(isempty(zones), "Non-zonal", array_length(zones) <= 1, strcat("Zonal (", strcat_array(zones, ","), ")"), zones)
 | project recommendationId = "c63b81fb-7afc-894c-a840-91bb8a8dcfaf", name, id, tags, param1 = strcat("sku: ", sku.name), param2 = strcat("availabilityZone: ", az)
-
diff --git a/azure-resources/Network/virtualNetworkGateways/kql/4bae5a28-5cf4-40d9-bcf1-623d28f6d917.kql b/azure-resources/Network/virtualNetworkGateways/kql/4bae5a28-5cf4-40d9-bcf1-623d28f6d917.kql
@@ -9,9 +9,12 @@ resources
 | extend pipId = tostring(ipconfig.properties.publicIPAddress.id)
 | join kind=inner (
     resources
-    | where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
     | where type == "microsoft.network/publicipaddresses"
-    | where isnull(zones) or array_length(zones) < 3   )
+    | where
+    (location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
+    and array_length(zones) <= 1)
+    or
+    (location in~ ("centralindia", "centralus", "eastus", "japaneast", "japanwest", "newzealandnorth","southcentralus", "southeastasia", "switzerlandnorth", "uaenorth", "westeurope", "westus3","usgovvirginia", "chinanorth3")
+    and (isempty(zones) or array_length(zones) <= 1)))
     on $left.pipId == $right.id
 | project recommendationId = "4bae5a28-5cf4-40d9-bcf1-623d28f6d917", name, id, tags, param1 = strcat("PublicIpAddressName: ", name1), param2 = strcat ("PublicIpAddressId: ",id1), param3 = strcat ("PublicIpAddressTags: ",tags1)
-
