Azure Advisor is a Microsoft Azure service that provides recommendations based on your deployed Azure services configuration. By analyzing data from various telemetries, it helps you optimize your Azure configuration using the five pillars of the Microsoft Azure Well-Architected Framework as a baseline. By leveraging Azure Advisor’s recommendations, you can enhance and refine your Azure services’ cost, security, reliability, operational excellence, and performance.
The Microsoft Azure Well-Architected Framework provides a logical methodology for optimizing cloud-based workloads using a 5-pillar approach. Let’s take a look at each pillar and how they work together.
| Pillar | Description | Examples |
|---|---|---|
| Cost Optimization | Recommendations that accelerate time-to-market while keeping costs to a minimum. | Workload sizing recommendations. |
| Operational Excellence | Recommendations that improve workload- and application-supporting operations. | Automation, continuous monitoring, and diagnostic recommendations. |
| Performance Efficiency | Recommendations that enable resource scaling both horizontally and vertically. | Database configuration, storage configuration, and service availability recommendations. |
| Reliability | Recommendations that improve resiliency, availability, and fault-tolerance. | Virtual Machine protection and VPN resiliency recommendations. |
| Security | Recommendations that improve security without causing workflow bottlenecks. | Identity management, access control, application security, and encryption recommendations. |
Azure Advisor Recommended Best Practices
Cost Optimization
Azure Advisor’s cost optimization recommendations aim to reduce your Azure spend by identifying idle or underutilized resources.
| General | Cleanup | Reservations |
|---|---|---|
| Right-size your database servers (MariaDB, MySQL, and PostgreSQL). | Shut down or downsize underutilized VMs. | Reserve general purpose VM instances. |
| Use standard snapshots for managed disks. | Right-size your database servers (MariaDB, MySQL, and PostgreSQL). | Reserve resource-optimized instances. |
| Use lifecycle management. | Eliminate unprovisioned ExpressRoute circuits. | Reserve Azure Cosmos DB capacity. |
| Create an Ephemeral OS Disk recommendation | Delete or reconfigure idle virtual network gateways. | Reserve SQL Database and SQL Managed Instance capacity. |
| Delete unassociated public IP addresses. | Reserve App Service Stamp Fee capacity. | |
| Delete failing Azure Data Factory pipelines. | Reserve Blob storage capacity. | |
| Use standard snapshots for managed disks. | Reserve MariaDB, MySQL, and PostgreSQL capacity. | |
| Create an Ephemeral OS Disk recommendation. | Reserve Azure Synapse Analytics capacity. |
Operational Excellence
Operational Excellence recommendations provide guidance that enables process and workflow efficiency, resource manageability, and deployment best practices.
| General | Alerting & Compliance | Resource Management |
|---|---|---|
| Ensure you have access to Azure cloud experts when you need it. | Create Azure Service Health alerts. | Delete and re-create your pool to remove a deprecated internal component. |
| Repair invalid log alert rules. | Enable a non-validation environment for production. | |
| Use Azure Policy recommendations. | Enable Traffic Analytics to view insights across Azure resources. | |
| Configure your storage accounts to prevent reaching the maximum subscription limit. |
See the best multi-cloud management solution on the market, and when you book & attend your CloudBolt demo we’ll send you a $75 Amazon Gift Card.
Performance
Azure Advisor’s performance recommendations provide guidance on improving the speed and responsiveness of configured and supported workloads.
| General | Database | Query |
|---|---|---|
| Reduce DNS time-to-live on your Traffic Manager profile to failover to healthy endpoints faster. | Use an Azure Database for MySQL or Azure Database for PostgreSQL read replica to scale out reads for read-intensive workloads. | Remove data skew on your Azure Synapse Analytics tables. |
| Upgrade your Storage client library to the latest version. | Improve MySQL connection management. | Create or update outdated table statistics in your Azure Synapse Analytics tables. |
| Use managed disks to prevent disk I/O throttling. | Fix the CPU pressure of your Azure Database for MySQL, Azure Database for PostgreSQL, and Azure Database for MariaDB servers with CPU bottlenecks. | Scale up to optimize cache utilization on your Azure Synapse Analytics tables. |
| Use Premium storage for VM disks when possible. | Set your Azure Cosmos DB query page size (MaxItemCount) to -1. | Convert Azure Synapse Analytics tables to replicated tables. |
| Migrate your storage account to Azure Resource Manager. | Optimize MySQL temporary-table sizing. | Increase batch size when loading to maximize load throughput, data compression, and query performance. |
| Increase the size of your VPN Gateway SKU to address high P2S and/or CPU use. | Reduce memory constraints or move to a Memory-Optimized SKU. | Scale your cache to a different size or SKU. |
| Upgrade to the latest Immersive Reader SDK. | Scale your Azure Database to a higher SKU to prevent connection constraints. | Co-locate storage accounts in the same region to minimize latency. |
| Improve user experience and connectivity by deploying VMs closer to Windows Virtual Desktop deployment location. | Add regions with traffic to your Azure Cosmos DB account. | |
| Use Accelerated Writes in your HBase cluster. | Configure your Azure Cosmos DB indexing policy by using custom included or excluded paths. | |
| Change the maximum session limit to improve VM performance. |
Reliability
The reliability recommendations Azure Advisor provides aim to increase the availability and resiliency of supported Azure workloads.
| General | Resilience | Upgrades |
|---|---|---|
| Protect your virtual machine data from accidental deletion. | Configure Consistent indexing mode on your Azure Cosmos DB collection. | Update version of your CheckPoint network virtual appliance image. |
| Use soft delete on your Azure storage account to save and recover data after accidental overwrite or deletion. | Use production VPN gateway for production workloads. | Upgrade your Azure Cosmos DB .NET SDK to the latest version from NuGet. |
| Ensure application gateway fault tolerance. | Configure Traffic Manager endpoints | Upgrade your Azure Cosmos DB Java SDK to the latest version from Maven |
| Enable virtual machine replication. | Configure your VPN gateway to active-active. | Upgrade your Azure Cosmos DB Spark connector to the latest version from Maven. |
| Do not override hostname to ensure website integrity. | Configure your Azure Cosmos DB containers with a partition key. | Upgrade to Kafka 2.1 on HDInsight 4.0. |
| Upgrade older Spark versions in HDInsight Spark clusters. |
Security
Azure Advisor leverages the Azure Security Center platform to provide recommendations that help protect Azure resources.
| App Services | Compute | Containers |
|---|---|---|
| Enable Azure Defender for App Service. | Enable adaptive application controls for defining safe applications. | Enable Azure Defender for Kubernetes and container registries. |
| Require FTPS in your API app, function app, and web app. | Update allowlist rules in your adaptive application control policy. | Deploy from trusted registries only. |
| Use the latest version of TLS in your function app and web app. | Encrypt automation account variables. | Avoid running containers as a root user. |
| Enable Azure Defender and file integrity monitoring for servers. | Use Role-Based Access Control (RBAC) for all Kubernetes services. | |
| Use disk encryption on virtual machines. | Install Azure Policy Addon-on for Kubernetes on your clusters. | |
| Use endpoint protection on your machines and VM scale sets. | Ensure clusters are only accessible over HTTPS. | |
| Install the Log Analytics agent on your Azure Arc machines, virtual machines, and machine scale sets. | Avoid overriding or disabling container AppArmor profiles. | |
| Protect management ports for VMs with just-in-time network access control. | ||
| Data | Identity & Access | IoT |
| Provision Azure Active Directory for SQL servers. | Have at least 2 but no more than 3 owners per subscription. | Apply adaptive network hardening recommendations on internet-facing VMs. |
| Install the Azure Defender extension on Azure Arc clusters. | Enable Azure Defender for Key Vault. | Restrict network ports with network security groups. |
| Use customer-managed keys to encrypt data at rest for Azure Cosmos DB accounts. | Remove deprecated and external accounts with owner permissions, read permissions, and write permissions. | Enable secure transfer to storage accounts. |
| Enable Azure Defender for SQL Database servers, DNS, Resource Manager, and storage. | Use expirations for keys and secrets in your Key Vault. | Protect VM management ports with just-in-time network access control. |
| Enable MFA across all accounts with owner, read, and write permissions. |
For the complete list of security best practices, visit: Reference table for all Azure Security Center recommendations | Microsoft Docs.
Managing Azure Advisor
Azure Advisor offers recommendations after it analyzes the deployed resources on a particular subscription. Depending on the service, the relevant data may take some time to materialize. Recommendations appear in the Azure Advisor dashboard, but as with most Azure services, you can also manage Azure Advisor using the Azure Portal, the Azure CLI, or Azure PowerShell.
Managing Azure Advisor with Azure Portal
You can manage your Azure Advisor recommendations through Azure Portal’s dashboard. In the following screenshot, there are no recommendations available. However, to ensure you stay informed of any new recommendations, you must set up alerts and a recommendation digest.
Creating an Azure Advisor Recommendation Digest
An Azure Advisor recommendation digest provides you with a customized synopsis of any active recommendations. You can create an Azure Advisor recommendation digest via the Azure Portal by navigating to “All Recommendations.”
Recommendation digests have the following settings:
- Frequency: Defines the frequency of the digest (Weekly, Bi-Weekly, or Monthly).
- Recommendation category: Defines which recommendation categories to include.
- Action Groups: Specifies an Action Group to receive these digest recommendations.
- Recommendation digest name: Defines the name of the digest for segmentation and reporting.
|
Platform
|
Multi Cloud Integrations
|
Cost Management
|
Security & Compliance
|
Provisioning Automation
|
Automated Discovery
|
Infrastructure Testing
|
Collaborative Exchange
|
|---|---|---|---|---|---|---|---|
|
CloudHealth
|
✔
|
✔
|
✔
|
||||
|
Morpheus
|
✔
|
✔
|
✔
|
||||
|
CloudBolt
|
✔
|
✔
|
✔
|
✔
|
✔
|
✔
|
✔
|
Creating an Azure Advisor Alert
Creating an alert on Azure Advisor enables you to receive proactive communication when the service makes a particular recommendation. You can select to receive alerts for a category or a specific recommendation type as well as choose the alert mechanism. The screenshot below shows the form that you need to complete on the Azure Portal.
1. Setting the Scope
Azure Advisor uses the Azure Resource Manage model to segment services for analysis. To ensure you and your teams receive the right messages, it’s important to organize workloads by roles and service aids so that they can be aligned with a resource group.
For example, suppose you assign all your security services to the same resource group. In that case, you can provide your security team with proper access controls and ensure they receive any security-related alerts or recommendations.
2. Setting the Condition
Azure Advisor gives you the option to receive alerts by category and impact level or recommendation type.
Category alerts notify the relevant parties when Azure Advisor creates a recommendation for a particular category. For example, if you configure an Azure Advisor alert for the security resource group, you can select the security category. In this way, Azure Advisor will alert the security team when it creates a security-related recommendation.
Category alerts also allow you to select the impact level. By leveraging this feature, you can send different alert levels to various groups. For example, you may want your NOC to receive every alert recommendation and only notify your senior leadership team when the impact level is high.
As previously mentioned, you can also configure Azure Advisor alerts per recommendation type. By selecting this option, you can offer your team alerts with better granularity. For example, you may want to send database-related alerts and recommendations to your DBAs.
3. Configuring the Action Group and Alert Details
Once you have configured the scope and condition, you need to assign the action group, provide the alert with a name, and save it to a resource group.
Managing Azure Advisor with Azure CLI
In addition to the Azure Portal, you can also manage Azure Advisor by using the Azure CLI. However, the Azure Portal has far more features and settings. For example, you can only list, enable, and disable particular recommendations using the Azure CLI.
In the following screenshot, running the command az advisor configuration list displays the complete list of user-configured Azure Advisor configurations.
As an example, if you wanted to disable the recommendation for one day, you could run the following Azure CLI command: az advisor recommendation disable --days 1 --ids <ResourceID>
For a complete list of Azure CLI Azure Advisor commands, see az advisor | Microsoft Docs.
Managing Azure Advisor with Azure PowerShell
Azure PowerShell offers users and administrators another option for managing Azure Advisor. However, like the Azure CLI, its management options are limited. You can obtain, enable, and disable recommendations, and you can also get and set the Azure Advisor configuration.
For example, running the PowerShell command Get-AzAdvisorConfiguration | fl * returns the same result as the Azure CLI command az advisor configuration list
If you wanted to disable the recommendation for one day as with the Azure CLI example, you could run the following PowerShell command: Disable-AzAdvisorRecommendation -Days 1 -ResourceID <ResourceID>
For a complete list of Azure PowerShell Azure Advisor commands, see Az.Advisor Module | Microsoft Docs.
Automating Azure Advisor
You can set up automation for Azure Advisor using either a runbook and automation account or custom code powered by a Logic or Function App. However, since Azure automation leverages PowerShell, you are limited to obtaining, enabling, and disabling recommendations (in addition to defining the Azure Advisor configurations).
One workaround is to receive Azure Advisor recommendations as an input for an automation process and, based on a defined threshold, execute against that input. For example, you could check for recommendations and consolidate that data with information from log analytics. Based on the resource’s criticality, you could then leverage Azure automation to right-size it.
Shortcomings and Limitations
Although Azure Advisor has some valuable features, it also has its limitations:
- No Multi-Cloud Support: Azure Advisor only offers recommendations for Azure-based services. It does not provide guidance for any other private or public cloud platforms. If the organization has a multi-cloud or hybrid-cloud strategy, this limitation means either managing multiple solutions or implementing a third-party platform.
- Limited Scope: Azure Advisor only analyzes and provides recommendations for a subset of Azure services. These include Application Gateway, App Services, availability sets, Azure Cache, Azure Data Factory, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Database for MariaDB, Azure ExpressRoute, Azure Cosmos DB, Azure public IP addresses, Azure Synapse Analytics, SQL servers, storage accounts, Traffic Manager profiles, and virtual machines.
- No SLA: Azure Advisor is a free service, so it does not have an SLA.
- Limited Automation: Automating interventions based on Azure Advisor recommendations requires effort and technical expertise. You either need to write code that calls the Azure Advisor API or leverages an Azure Automation runbook.
- Recommendation Limitations: Although Azure Advisor provides a long list of recommendations for the services it does support, it does not cover every possibility.
Only solution with automated discovery, testing, provisioning, security, and cost management
A `single pane`for infrastructure spanning on-premise, private cloud, and multiple public clouds
A comprehensive framework that extends your existing tool investments and fills the gaps
Are Azure Advisor’s Recommendations Enough?
Azure Advisor has a lot to offer; its alignment with the Azure Well-Architected Framework helps organizations monitor, analyze, and implement recommendations for their Azure services. However, the service does have its limitations. Since it does not cover every Azure service and offers no multi-cloud support, organizations that want to optimize their workloads using this native solution must also manage additional solutions or implement a third-party platform.
Related Blogs
The New FinOps Paradigm: Maximizing Cloud ROI
Featuring guest presenter Tracy Woo, Principal Analyst at Forrester Research In a world where 98% of enterprises are embracing FinOps,…
VMware Migration – Evaluating your Options
Near the end of 2023, millions of users waited with abated breath to see if Broadcom’s $69 billion acquisition of…
