
Governance Policies Azure Compute VMSS

Joshua Davis edited this page Apr 5, 2026 · 2 revisions

VMSS

Governance policies for VMSS

Domain: azure-compute

Patterns

| Name | Description |
|---|---|
| VMSS Flexible with autoscale and encryption | Zone-redundant VMSS with Flexible orchestration, CMK encryption, and autoscale |

Anti-Patterns

| Description | Instead |
|---|---|
| Do not use Uniform orchestration for new VMSS deployments | Use Flexible orchestration mode for better availability and flexibility |
| Do not use password authentication for Linux VMSS instances | Use SSH key authentication with `disablePasswordAuthentication: true` |

References


Checks (4)

| Check | Severity | Description |
|---|---|---|
| AZ-VMSS-001 | Required | Deploy VMSS with Flexible orchestration mode, managed identity, and zone distribution |
| AZ-VMSS-002 | Required | Enable encryption at host for VMSS instances |
| AZ-VMSS-003 | Required | Configure autoscale rules based on relevant metrics |
| AZ-VMSS-004 | Recommended | Enable automatic OS upgrades and automatic instance repairs |

AZ-VMSS-001

Deploy VMSS with Flexible orchestration mode, managed identity, and zone distribution

Severity: Required
Rationale: Flexible mode is the recommended orchestration; Uniform is legacy. Managed identity eliminates credential management.
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Compute/virtualMachineScaleSets

Companion Resources

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/networkSecurityGroups | nsg-vmss | Network security group applied to VMSS network interface configurations |
| Microsoft.Network/loadBalancers | lb-vmss | Standard load balancer for distributing traffic across VMSS instances |
| Microsoft.Compute/diskEncryptionSets | des-cmk | Disk Encryption Set with customer-managed key for VMSS OS and data disks |
| Microsoft.Insights/diagnosticSettings | diag-vmss | Diagnostic settings for VMSS instance metrics and boot diagnostics |
| Microsoft.Insights/autoscaleSettings | autoscale-vmss | Autoscale rules for CPU-based scale-out and scale-in of VMSS instances |

AZ-VMSS-002

Enable encryption at host for VMSS instances

Severity: Required
Rationale: Encryption at host ensures that temp disks, caches, and data in transit to storage are encrypted.
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

Targets

  • Microsoft.Compute/virtualMachineScaleSets

AZ-VMSS-003

Configure autoscale rules based on relevant metrics

Severity: Required
Rationale: Without autoscale, VMSS requires manual capacity management and cannot respond to load changes.
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Compute/virtualMachineScaleSets

Companion Resources

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Compute/virtualMachineScaleSets | vmss-target | Target VMSS that autoscale settings apply to |

AZ-VMSS-004

Enable automatic OS upgrades and automatic instance repairs

Severity: Recommended
Rationale: Automatic upgrades keep instances patched; automatic repairs replace unhealthy instances.
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Compute/virtualMachineScaleSets

Companion Resources

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/loadBalancers/probes | health-probe | Load balancer health probe providing health signal for automatic instance repairs |
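As an added example (not part of this wiki or its governance tooling), a small Python evaluator that applies AZ-VMSS-001 through AZ-VMSS-004 to a scale set resource in ARM JSON shape, together with the autoscale settings that should target it. The sample resource and the `<sub-id>` placeholder are constructed, and the property paths (`orchestrationMode`, `securityProfile.encryptionAtHost`, `automaticOSUpgradePolicy`, `automaticRepairsPolicy`, `targetResourceUri`) are assumed from the public ARM schemas.

```python
# Added example, not from the wiki page: evaluate a VMSS resource (ARM JSON shape)
# against checks AZ-VMSS-001..004. Sample resources below are constructed; property
# paths are assumed from the virtualMachineScaleSets and autoscaleSettings ARM schemas.

def _get(obj, path, default=None):
    """Walk a dotted path through nested dicts, returning default if any key is absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def evaluate_vmss(vmss, autoscale_settings):
    """Return {check_id: [finding, ...]}; an empty list means the check passed."""
    findings = {f"AZ-VMSS-00{i}": [] for i in range(1, 5)}
    p = vmss.get("properties", {})
    # AZ-VMSS-001: Flexible orchestration, managed identity, zone distribution
    if _get(p, "orchestrationMode") != "Flexible":
        findings["AZ-VMSS-001"].append("orchestrationMode is not Flexible")
    if _get(vmss, "identity.type", "None") == "None":
        findings["AZ-VMSS-001"].append("no managed identity assigned")
    if len(vmss.get("zones") or []) < 2:
        findings["AZ-VMSS-001"].append("fewer than two availability zones")
    # AZ-VMSS-002: encryption at host covers temp disks, caches and data to storage
    if _get(p, "virtualMachineProfile.securityProfile.encryptionAtHost") is not True:
        findings["AZ-VMSS-002"].append("encryptionAtHost is not enabled")
    # AZ-VMSS-003: some autoscaleSettings resource must target this scale set
    targets = {_get(a, "properties.targetResourceUri", "").lower() for a in autoscale_settings} - {""}
    if vmss.get("id", "").lower() not in targets:
        findings["AZ-VMSS-003"].append("no autoscaleSettings resource targets this VMSS")
    # AZ-VMSS-004: automatic OS upgrades and automatic instance repairs
    if _get(p, "upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade") is not True:
        findings["AZ-VMSS-004"].append("automatic OS upgrade is not enabled")
    if _get(p, "automaticRepairsPolicy.enabled") is not True:
        findings["AZ-VMSS-004"].append("automatic instance repairs are not enabled")
    return findings

# Constructed sample: Uniform-mode scale set, one zone, no encryption at host, no autoscale.
SAMPLE_VMSS = {
    "id": "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachineScaleSets/vmss-demo",
    "zones": ["1"],
    "identity": {"type": "SystemAssigned"},
    "properties": {
        "orchestrationMode": "Uniform",
        "virtualMachineProfile": {"securityProfile": {"encryptionAtHost": False}},
        "upgradePolicy": {"mode": "Manual"},
        "automaticRepairsPolicy": {"enabled": True},
    },
}
print(evaluate_vmss(SAMPLE_VMSS, []))
```

The same evaluator can be pointed at exported resource JSON from a subscription to produce per-check findings for every scale set before a deployment review.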
