Azure Guidance Report

Get a set of best practice checks to optimize costs and increase the performance and reliability of your Azure services. These recommendations are grouped based on three priority levels: High, Moderate, and Low.

Metrics-based practices are evaluated using the data collected during the Azure monitor's data collection. For the other practices, on-demand Azure API calls are made and the returned data is checked against the practice.

Enable Guidance Report

Please follow the steps below:

  1. Log in to Site24x7 and go to Cloud > Azure > click on the Azure monitor added.
  2. Click on Guidance Report in the left panel.
  3. Click on Enable Guidance Report.

Please wait for some time for all the recommendations to populate.

Best Practice Checks

Azure Virtual Machine (VM)

1. Idle VM

Priority:

High

Baseline:

A VM is deemed idle by analyzing its CPU utilization, network in and network out patterns. If the CPU usage is less than 2% and the total number of bytes transmitted and received on all network interfaces is less than 1000 bytes by default, then the VM is flagged as idle.

Recommendation:

In Azure, you’re billed for even the partial hours taken by your idle VMs. To reduce associated costs, consider stopping or terminating the VMs, or scaling down the VM size.

2. High usage of VM

Priority:

High

Baseline:

An Azure VM is deemed over-utilized if it meets one or more of the following criteria:

  • The average daily CPU usage is more than 90% for the last 7 days.
  • The average daily memory usage is more than 90% for the last 7 days (applicable only if the agent extension is deployed on the Azure VM).

Recommendation:

Change the VM size or add the VM to an autoscaling group.

3. Restrict network ports on the Network Security Groups (NSG) of VMs

Priority:

High

Baseline:

All network ports should be restricted on the NSG associated with your VM to avoid the following issues:

  • Malicious insider
  • Data spillage
  • Data exfiltration

Recommendation:

Edit the inbound rules of some of your VMs to restrict access to specific source ranges.

  1. Select a VM that you want to restrict access to.
  2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
  3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
  4. Improve the rule by applying less permissive source IP ranges.
  5. Apply the suggested changes and click 'Save'.

If some or all of these VMs do not need to be accessed directly from the internet, consider removing the public IP associated with them.
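The check described above, as an added example (not Site24x7's own code): a Python function that lists the inbound Allow rules in an NSG whose source is open to any address. It assumes the field names printed by `az network nsg show -o json`; the NSG and its rules are constructed sample data, and shadowing by higher-priority Deny rules is not evaluated.

```python
import json

# Source values that mean "any address" in an NSG rule.
OPEN_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet"}

# Constructed sample, shaped like the output of `az network nsg show -o json`.
SAMPLE_NSG = json.loads("""
{"name": "example-vm-nsg", "securityRules": [
  {"name": "allow-ssh-any", "priority": 100, "direction": "Inbound",
   "access": "Allow", "sourceAddressPrefix": "*",
   "sourceAddressPrefixes": [], "destinationPortRange": "22",
   "destinationPortRanges": []},
  {"name": "allow-https-office", "priority": 110, "direction": "Inbound",
   "access": "Allow", "sourceAddressPrefix": "203.0.113.0/24",
   "sourceAddressPrefixes": [], "destinationPortRange": "443",
   "destinationPortRanges": []},
  {"name": "allow-rdp-mixed", "priority": 120, "direction": "Inbound",
   "access": "Allow", "sourceAddressPrefix": null,
   "sourceAddressPrefixes": ["198.51.100.7", "0.0.0.0/0"],
   "destinationPortRange": null, "destinationPortRanges": ["3389"]},
  {"name": "deny-all-in", "priority": 4000, "direction": "Inbound",
   "access": "Deny", "sourceAddressPrefix": "*",
   "sourceAddressPrefixes": [], "destinationPortRange": "*",
   "destinationPortRanges": []},
  {"name": "allow-out-any", "priority": 100, "direction": "Outbound",
   "access": "Allow", "sourceAddressPrefix": "*",
   "sourceAddressPrefixes": [], "destinationPortRange": "*",
   "destinationPortRanges": []}
]}
""")

def _values(rule, single, plural):
    """Merge the single-value and list forms of an NSG rule field."""
    return [v for v in [rule.get(single)] + list(rule.get(plural) or []) if v]

def permissive_inbound_rules(nsg):
    """Return inbound Allow rules whose source includes 'any address'."""
    findings = []
    for rule in nsg.get("securityRules", []):
        if (rule.get("direction", "").lower() != "inbound"
                or rule.get("access", "").lower() != "allow"):
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        open_sources = [s for s in sources if s.lower() in OPEN_SOURCES]
        if open_sources:
            findings.append({
                "rule": rule["name"], "priority": rule["priority"],
                "sources": open_sources,
                "ports": _values(rule, "destinationPortRange", "destinationPortRanges")})
    return sorted(findings, key=lambda f: f["priority"])

if __name__ == "__main__":
    for finding in permissive_inbound_rules(SAMPLE_NSG):
        print(finding)
```

Each finding names the rule to tighten in step 4 of the procedure, along with the ports it exposes.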

4. User-defined tags for VMs

Priority:

High

Baseline:

Assign metadata in the form of tags (key-value pair) to better track and manage instances, images, and autoscaling groups.

Recommendation:

Create a tagging strategy adhering to Azure best practices.

5. High I/O intensity VMs

Priority:

High

Baseline:

I/O intensive workloads with lower state disks will significantly affect VM performance.

Recommendation:

Migrate any VM disks requiring high IOPS to premium storage.

6. Under-utilized VMs

Priority:

Moderate

Baseline:

A VM is deemed under-utilized if its CPU usage is less than 2% for the past 48 hrs.

Recommendation:

In Azure, you are billed based on the instance type and the number of consumed hours. Lower costs by identifying and stopping under-utilized VMs.

7. More than 50 inbound and outbound rules for Network Security Groups (NSG)

Priority:

Moderate

Baseline:

Specify up to five security groups to be associated with the VM instance. For each security group, add rules that control inbound and outbound traffic. Instance performance can be affected if the security group has a large number of rules.

Recommendation:

Delete unnecessary or overlapping rules in a VM security group.

8. Auto-shutdown resources with 'environment: testing, env: testing' tag

Priority:

Moderate

Baseline:

Delete VMs created for testing and other internal activities to reduce costs.

Recommendation:

Remove VMs that were added for testing and have been running for more than a week.

9. VMs not attached to Availability Set Group

Priority:

Low

Baseline:

Placing VMs within an availability set helps keep the overall VM performance operational when a hardware or software failure happens, with only a subset of your VMs being impacted.

Recommendation:

Create an availability set for the VM.

Azure Public IP Address

1. Unmapped Public IP Address

Priority:

High

Baseline:

Hide the failure of an instance or resource by disassociating the IP address from the resource and remapping to a different one in the same account.

Recommendation:

A small hourly fee gets levied on unused addresses. So, either associate the public IP address with an active instance/interface or delete it.

Azure App Service Plan

1. Scale out less-used App Service Plan

Priority:

High

Baseline:

Stop paying more for under-used App Service Plans.

Recommendation:

Scale out the plan to reduce costs.

2. Web App consuming more than 80% average memory

Priority:

High

Baseline:

High memory usage may degrade the performance of applications running on the App Service Plan. Consider increasing the plan to increase the memory limit.

Recommendation:

Scale up the plan to improve the performance.

3. Web App consuming more than 80% CPU time

Priority:

High

Baseline:

High CPU usage may degrade the performance of applications running on the App Service Plan. Consider increasing the plan to increase the CPU limit.

Recommendation:

Scale up the plan to improve the performance.

4. Less than 5% site count usage for App Service Plan

Priority:

High

Baseline:

If the number of sites used is less than 5% of the allowed number of sites, then we consider it as under-utilized.

Recommendation:

Move the apps to a different App Service Plan and remove this to save costs.

Azure Web App

1. Web Apps with average response time > 200ms

Priority:

High

Baseline:

Slow is the new down. A web app with slow response time will affect your business. Keep track of the web apps that have been responding slowly over the last week.

Recommendation:

Probe your application further using APM and find the modules/resources that are causing problems.

2. Web Apps with a high number of 5xx error codes

Priority:

High

Baseline:

A Web App that is error-prone indicates that some part or module is failing and thus affecting business.

Recommendation:

Reduce error responses with proper error-handling mechanisms and rectify the failing modules.

3. Auth-disabled Web Apps

Priority:

High

Baseline:

Authentication-disabled Web Apps allow anonymous entry, and users will not be prompted to log in.

Recommendation:

Enable authentication to avoid anonymous access.

4. Backup-disabled Web Apps

Priority:

Moderate

Baseline:

Azure Backup will help to recover the Web Apps in case of any failure.

Recommendation:

Enable backup for the Azure Web App.

5. Untagged Web Apps

Priority:

Low

Baseline:

Manage Azure resources better with tags. Untagged resources may sometimes go unnoticed and are difficult to manage.

Recommendation:

Tag the Azure resources with appropriate key:value pairs to ease management.

Azure Function App

1. Publicly accessible Azure Functions

Priority:

High

Baseline:

Azure Functions are charged based on the number of requests, and a request is any response to an event notification or invoke call. Allowing unauthorized executions can lead to unexpected charges on your subscriptions.

Recommendation:

Use Azure function login policies to manage invocation permissions.
