Azure VMSS 漏洞列表

Ensure that operating system (OS) upgrades are automatically applied to your Microsoft Azure virtual machine scale sets when a newer version of the OS image is released by the image publishers. Automatic OS Upgrades feature supports both Windows and Linux images, and can be enabled for all virtual machine sizes. An automatic OS upgrade works by replacing the boot (OS) disk of a virtual machine instance running within a scale set with a new disk created using the latest image version available. Any configured extensions and custom data scripts are run on the OS disk, while persisted data disks are retained. To minimize the application downtime, the upgrades take place in multiple batches, with a maximum of 20% of the scale set upgrading at any time.

Ensure that unhealthy virtual machine instances are automatically deleted from the scale sets and new ones are created, using the latest instance model settings. Automatic Instance Repairs feature relies on health checks performed for individual instances running in a scale set. These virtual machine instances can be configured to emit an application health status using the Azure Application Health extension or a load balancer health probe. If a VM instance is found to be unhealthy, as reported by the Application Health extension or by the associated load balancer health probe, then the scale set performs the repair action by deleting the unhealthy instance and creating a new one to replace it.

Ensure that Monitor Application Health feature is enabled for all the instances running within your Azure virtual machine scale set. Health monitoring via Application Health extension is required for OS upgrades and automatic instance repairs. The Azure Application Health extension reports on the application health from inside the virtual machine scale set instances. You can configure the health extension to probe on an application endpoint and update the status of the application on that instance. This status is checked by Microsoft Azure to determine whether the instance is eligible for upgrade or repair operations.

Ensure that each Microsoft Azure virtual machine scale set is integrated with a load balancer in order to distribute incoming traffic among healthy virtual machine instances running within the scale set. Azure load balancer is a layer 4 load balancer that provides low latency, high throughput, and scales up to millions of flows for all TCP and UDP web applications.

Ensure that your Microsoft Azure virtual machine scale sets are configured to receive instance termination notifications through the Azure Metadata service and have a predefined delay timeout configured for the "Terminate" operation (event). The termination notifications are delivered through Scheduled Events, an Azure Metadata feature which sends termination notifications, and can also be used to delay impactful operations such as reboots and redeployments. The delay associated with the "Terminate" event will depend on the delay limit specified in the VM scale set model configuration.

Ensure that all your Microsoft Azure virtual machine scale sets are using zone-redundant availability configurations instead of single-zone (zonal) configurations, to deploy and load balance virtual machines (VMs) across multiple Availability Zones (AZs) in order to protect the scale sets from datacenter-level failures.