Skip to content

Azure Virtual Machines are not utilizing managed disks

Description

Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include

  1. Default Disk Encryption
  2. Resilience as Microsoft will managed the disk storage and move around if
    underlying hardware goes faulty
  3. Reduction of costs over storage accounts

Managed disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection, it is available if additional encryption is required. Managed disks are by design more resilient that storage accounts.
For ARM deployed Virtual Machines, Azure Adviser will at some point recommend moving VHD's to managed disks both from a security and cost management perspective.

Fix - Buildtime

Terraform

  • Resource: azurerm_virtual_machine
resource "azurerm_virtual_machine" "virtual_machine_good" {
  name                  = "my-vm"
  location              = "location"
  resource_group_name   = "group_name"
  network_interface_ids = ["1234567"]
  vm_size               = "Standard_DS1_v2"

  storage_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }
  storage_os_disk {
    name              = "myosdisk1"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }
  os_profile {
    computer_name  = "hostname"
    admin_username = "testadmin"
    admin_password = "Password1234!"
  }
  os_profile_linux_config {
    disable_password_authentication = false
  }
  tags = {
    environment = "staging"
  }
}