Azure Guidance Report
Get a set of best practice checks to optimize costs, increase performance, and reliability of your Azure services. These recommendations are grouped based on three priority levels: High, Moderate, and Low.
Metrics-based practices will be calculated with the data collected during the Azure monitor's data collection. For the other practices, on-demand Azure API calls will be made and checked if the data is in line with the practice.
Enable Guidance Report
Please follow the steps below:
- Log in to Site24x7 and go to Cloud > Azure > click on the Azure monitor added.
- Click on Guidance Report in the left panel.
- Click on Enable Guidance Report.
Please wait for sometime to populate all the recommendations.
Best Practice Checks
Azure Virtual Machine (VM)
1. Idle VM
Priority:
High
Baseline:
A VM is deemed idle by analyzing its CPU utilization, network in and network out patterns. If the CPU usage is less than 2% and the total number of bytes transmitted and received on all network interfaces is less than 1000 bytes by default, then the VM is flagged as idle.
Recommendation:
In Azure, you’re billed for even the partial hours taken by your idle VMs. To reduce associated costs, consider stopping/terminating VMs or scale down the VM size.
2. High usage of VM
Priority:
High
Baseline:
An Azure VM is deemed over-utilized if it meets one or more of the following criteria:
- The average daily CPU usage is more than 90% for the last 7 days.
- The average daily memory usage is more than 90% for the last 7 days (Applicable only if the agent extension is deployed on the Azure VM)
Recommendation:
Change the VM size or add the VM to an autoscaling group.
3. Restrict network ports on the Network Security Groups (NSG) of VMs
Priority:
High
Baseline:
All network ports should be restricted on NSG associated to your VM to avoid the following issues:
- Malicious insider
- Data spillage
- Data exfiltration
Recommendation:
Edit the inbound rules of some of your VMs to restrict access to specific source ranges.
- Select a VM that you want to restrict access to.
- In the 'Networking' blade, click the Network Security Group with overly permissive rules.
- In the 'Network security group' blade, click on each of the rules that are overly permissive.
- Improve the rule by applying less permissive source IP ranges.
- Apply the suggested changes and click 'Save'.
If some or all of these VMs do not need to be accessed directly from the internet, consider removing the public IP associated to them.
4. User-defined tags for VMs
Priority:
High
Baseline:
Assign metadata in the form of tags (key-value pair) to better track and manage instances, images, and autoscaling groups.
Recommendation:
Create a tagging strategy adhering to Azure best practices.
5. High I/O intensity VMs
Priority:
High
Baseline:
I/O intensive workloads with lower state disks will significantly affect VM performance.
Recommendation:
Migrate any VM disks requiring high IOPS to premium storage.
6. Under-utilized VMs
Priority:
Moderate
Baseline:
A VM is deemed under-utilized if its CPU usage is less than 2% for the past 48 hrs.
Recommendation:
In Azure, you are billed based on the instance type and the number of consumed hours. Lower costs by identifying and stopping under-utilized VMs.
7. More than 50 inbound and outbound rules for Network Security Groups (NSG)
Priority:
Moderate
Baseline:
Specify up to five security groups to be associated with the VM instance. For each security group, add rules that control inbound and outbound traffic. Instance performance can be affected if the security group has a large number of rules.
Recommendation:
Delete unnecessary or overlapping rules in a VM security group.
8. Auto-shutdown resources with 'environment: testing, env: testing' tag
Priority:
Moderate
Baseline:
Delete VMs created for testing and other internal activities, to reduce incurring costs.
Recommendation:
Remove the VMs added for testing and that are running for more than a week's time.
9. VMs not attached to Availability Set Group
Priority:
Low
Baseline:
VMs within an availability set helps to keep the overall VM performance operational, when a hardware or software failure happens, with only a subset of your VMs being impacted.
Recommendation:
Create an availability set for the VM.
Azure Public IP Address
1. Unmapped Public IP Address
Priority:
High
Baseline:
Hide the failure of an instance or resource by disassociating the IP address from the resource and remapping to a different one in the same account.
Recommendation:
A small hourly fee gets levied on unused addresses. So, either associate the public IP address with an active instance/interface or delete it.
Azure App Service Plan
1. Scale out less-used App Service Plan
Priority
High
Baseline:
Stop paying more for under-used App Service Plans.
Recommendation:
Scale out the plan to reduce costs.
2. Web App consuming more than 80% average memory
Priority
High
Baseline:
High memory usage may degrade the performance of applications running on the App Service Plan. Consider increasing the plan to increase the memory limit.
Recommendation:
Scale up the plan to improve the performance.
3. Web App consuming more than 80% CPU time
Priority
High
Baseline:
High CPU usage may degrade the performance of applications running on the App Service Plan. Consider increasing the plan to increase the CPU limit.
Recommendation:
Scale up the plan to improve the performance.
4. Less than 5% site count usage for App Service Plan
Priority
High
Baseline:
If the number of sites used is less than 5% of the allowed number of sites, then we consider it as under-utilized.
Recommendation:
Move the apps to a different App Service Plan and remove this to save costs.
Azure Web App
1. Web Apps with average response time > 200ms
Priority
High
Baseline:
Slow is the new down. A web app with slow response time will affect your business. Keep track of the web apps that start behaving slowly for the last one week.
Recommendation:
Probe your application further using APM and find the modules/resources that are causing problems.
2. Web Apps with more number of 5xx error codes
Priority
High
Baseline:
A Web App that is error-prone indicates some part/module is failing and thus affecting business.
Recommendation:
Reduce the error response by proper error handling mechanisms and rectify the error modules.
3. Auth-disabled Web Apps
Priority
High
Baseline:
Authentication-disabled Web Apps allow anonymous entry and users will not be prompted to login.
Recommendation:
Enable authentication to avoid anonymous access.
4. Backup-disabled Web Apps
Priority
Moderate
Baseline:
Azure Backup will help to recover the Web Apps in case of any failure.
Recommendation:
Enable backup for the Azure Webapp.
5. Untagged Web Apps
Priority
Low
Baseline:
Manage Azure resources better with tags. Untagged resources may sometimes go unnoticed and are difficult to manage.
Recommendation:
Tag the Azure resources with appropriate key:value pairs to ease management.
Azure Function App
1. Publicly accessible Azure Functions
Priority
High
Baseline:
Azure Functions are charged based on the number of requests, and a request is any response to an event notification or invoke call. Allowing unauthorized executions can lead to unexpected charges on you subscriptions.
Recommendation:
Use Azure function login policies to manage invocation permissions.
FAQs
- Is the Azure Guidance Report available to all users?
- How frequently is the Azure Guidance Report updated?
- Will newly monitored resources show up automatically in the Azure Guidance Report?
- How does Site24x7 collect the data required to make the recommendations in the Azure Guidance report?
- How can I access the Azure Guidance Report?
- Can I schedule the Azure Guidance report and receive email notifications for the same?
- Can I see past recommendations/best practices in the Site24x7 web client?
- Limitations of Azure guidance report