Automatic instance repairs for Azure Virtual Machine Scale Sets

Important

The Reimage and Restart repair actions are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. Some aspects of this feature may change prior to general availability (GA).

Enabling automatic instance repairs for Azure Virtual Machine Scale Sets helps achieve high availability for applications by maintaining a set of healthy instances. If an unhealthy instance is found by Application Health extension or Load balancer health probes, automatic instance repairs will attempt to recover the instance by triggering repair actions such as deleting the unhealthy instance and creating a new one to replace it, reimaging the unhealthy instance (Preview), or restarting the unhealthy instance (Preview).

Requirements for using automatic instance repairs

Enable application health monitoring for scale set

The scale set should have application health monitoring for instances enabled. Health monitoring can be done using either Application Health extension or Load balancer health probes, where only one can be enabled at a time. The application health extension or the load balancer probes ping the application endpoint configured on virtual machine instances to determine the application health status. This health status is used by the scale set orchestrator to monitor instance health and perform repairs when required.

Configure endpoint to provide health status

Before enabling automatic instance repairs policy, ensure that your scale set instances have an application endpoint configured to emit the application health status. To configure health status on Application Health extension, you can use either Binary Health States or Rich Health States. To configure health status using Load balancer health probes, see probe up behavior.

For instances marked as "Unhealthy" or "Unknown" (Unknown state is only available with Application Health extension - Rich Health States), automatic repairs are triggered by the scale set. Ensure the application endpoint is correctly configured before enabling the automatic repairs policy in order to avoid unintended instance repairs, while the endpoint is getting configured.

API version

Automatic repairs policy is supported for compute API version 2018-10-01 or higher.

The repairAction setting for Reimage (Preview) and Restart (Preview) is supported for compute API versions 2021-11-01 or higher.

Restrictions on resource or subscription moves

Resource or subscription moves are currently not supported for scale sets when automatic repairs feature is enabled.

Restriction for service fabric scale sets

This feature is currently not supported for service fabric scale sets.

Restriction for VMs with provisioning errors

Automatic repairs currently do not support scenarios where a VM instance is marked Unhealthy due to a provisioning failure. VMs must be successfully initialized to enable health monitoring and automatic repair capabilities.

How do automatic instance repairs work?

Automatic instance repair feature relies on health monitoring of individual instances in a scale set. VM instances in a scale set can be configured to emit application health status using either the Application Health extension or Load balancer health probes. If an instance is found to be unhealthy, the scale set will perform a preconfigured repair action on the unhealthy instance. Automatic instance repairs can be enabled in the Virtual Machine Scale Set model by using the automaticRepairsPolicy object.

The automatic instance repairs process goes as follows:

  1. Application Health extension or Load balancer health probes ping the application endpoint inside each virtual machine in the scale set to get application health status for each instance.
  2. If the endpoint responds with a status 200 (OK), then the instance is marked as "Healthy". In all the other cases (including if the endpoint is unreachable), the instance is marked "Unhealthy".
  3. When an instance is found to be unhealthy, the scale set applies the configured repair action (default is Replace) to the unhealthy instance.
  4. Instance repairs are performed in batches. At any given time, no more than 5% of the total instances in the scale set are repaired. If a scale set has fewer than 20 instances, the repairs are done for one unhealthy instance at a time.
  5. The above process continues until all unhealthy instance in the scale set are repaired.

Available repair actions

Caution

The repairAction setting, is currently under PREVIEW and not suitable for production workloads. To preview the Restart and Reimage repair actions, you must register your Azure subscription with the AFEC flag AutomaticRepairsWithConfigurableRepairActions and your compute API version must be 2021-11-01 or higher. For more information, see set up preview features in Azure subscription.

There are three available repair actions for automatic instance repairs – Replace, Reimage (Preview), and Restart (Preview). The default repair action is Replace, but you can switch to Reimage (Preview) or Restart (Preview) by enrolling in the preview and modifying the repairAction setting under automaticRepairsPolicy object.

  • Replace deletes the unhealthy instance and creates a new instance to replace it. The latest Virtual Machine Scale Set model is used to create the new instance. This repair action is the default.

  • Reimage applies the reimage operation to the unhealthy instance.

  • Restart applies the restart operation to the unhealthy instance.

The following table compares the differences between all three repair actions:

Repair action VM instance ID preserved? Private IP preserved? Managed data disk preserved? Managed OS disk preserved? Local (temporary) disk preserved?
Replace No No No No No
Reimage Yes Yes Yes No Yes
Restart Yes Yes Yes Yes Yes

For details on updating your repair action under automatic repairs policy, see the configure a repair action on automatic repairs policy section.

Batching

The automatic instance repair operations are performed in batches. At any given time, no more than 5% of the instances in the scale set are repaired through the automatic repairs policy. This process helps avoid simultaneous deletion and re-creation of a large number of instances if found unhealthy at the same time.

Grace period

When an instance goes through a state change operation because of a PUT, PATCH, or POST action performed on the scale set, then any repair action on that instance is performed only after the grace period ends. Grace period is the amount of time to allow the instance to return to healthy state. The grace period starts after the state change has completed, which helps avoid any premature or accidental repair operations. The grace period is honored for any newly created instance in the scale set, including the one created as a result of repair operation. Grace period is specified in minutes in ISO 8601 format and can be set using the property automaticRepairsPolicy.gracePeriod. Grace period can range between 10 minutes and 90 minutes, and has a default value of 30 minutes.

Suspension of Repairs

Virtual Machine Scale Sets provide the capability to temporarily suspend automatic instance repairs if needed. The serviceState for automatic repairs under the property orchestrationServices in instance view of Virtual Machine Scale Set shows the current state of the automatic repairs. When a scale set is opted into automatic repairs, the value of parameter serviceState is set to Running. When the automatic repairs are suspended for a scale set, the parameter serviceState is set to Suspended. If automaticRepairsPolicy is defined on a scale set but the automatic repairs feature isn't enabled, then the parameter serviceState is set to Not Running.

If newly created instances for replacing the unhealthy ones in a scale set continue to remain unhealthy even after repeatedly performing repair operations, then as a safety measure the platform updates the serviceState for automatic repairs to Suspended. You can resume the automatic repairs again by setting the value of serviceState for automatic repairs to Running. Detailed instructions are provided in the section on viewing and updating the service state of automatic repairs policy for your scale set.

You can also set up Azure Alert Rules to monitor serviceState changes and get notified if automatic repairs becomes suspended on your scale set. For details, see Use Azure alert rules to monitor changes in automatic instance repairs service state.

Instance protection and automatic repairs

If an instance in a scale set is protected by applying one of the protection policies, then automatic repairs aren't performed on that instance. This behavior applies to both the protection policies: Protect from scale-in and Protect from scale-set actions.

Terminate notification and automatic repairs

If the terminate notification feature is enabled on a scale set, then during a Replace operation, the deletion of an unhealthy instance follows the terminate notification configuration. A terminate notification is sent through Azure metadata service – scheduled events – and instance deletion is delayed during the configured delay timeout. However, the creation of a new instance to replace the unhealthy one doesn't wait for the delay timeout to complete.

Enabling automatic repairs policy when creating a new scale set

Important

Starting November 2023, VM scale sets created using PowerShell and Azure CLI will default to Flexible Orchestration Mode if no orchestration mode is specified. For more information about this change and what actions you should take, go to Breaking Change for VMSS PowerShell/CLI Customers - Microsoft Community Hub

For enabling automatic repairs policy while creating a new scale set, ensure that all the requirements for opting in to this feature are met. The application endpoint should be correctly configured for scale set instances to avoid triggering unintended repairs while the endpoint is getting configured. For newly created scale sets, any instance repairs are performed only after the grace period completes. To enable the automatic instance repair in a scale set, use automaticRepairsPolicy object in the Virtual Machine Scale Set model.

You can also use this quickstart template to deploy a Virtual Machine Scale Set. The scale set has a load balancer health probe and automatic instance repairs enabled with a grace period of 30 minutes.

The following steps enabling automatic repairs policy when creating a new scale set.

  1. Go to Virtual Machine Scale Sets.
  2. Select + Add to create a new scale set.
  3. Go to the Health tab.
  4. Locate the Health section.
  5. Enable the Monitor application health option.
  6. Locate the Automatic repair policy section.
  7. Turn On the Automatic repairs option.
  8. In Grace period (min), specify the grace period in minutes, allowed values are between 10 and 90 minutes.
  9. When you're done creating the new scale set, select Review + create button.

Enabling automatic repairs policy when updating an existing scale set

Before enabling automatic repairs policy in an existing scale set, ensure that all the requirements for opting in to this feature are met. The application endpoint should be correctly configured for scale set instances to avoid triggering unintended repairs while the endpoint is getting configured. To enable the automatic instance repair in a scale set, use automaticRepairsPolicy object in the Virtual Machine Scale Set model.

After updating the model of an existing scale set, ensure that the latest model is applied to all the instances of the scale. Refer to the instruction on how to bring VMs up-to-date with the latest scale set model.

You can modify the automatic repairs policy of an existing scale set through the Azure portal.

Note

Enable the Application Health extension or Load Balancer health probes on your Virtual Machine Scale Sets before you start the next steps.

  1. Go to an existing Virtual Machine Scale Set.0
  2. Under Settings in the menu on the left, select Health and repair.
  3. Enable the Monitor application health option.

If you're monitoring your scale set by using the Application Health extension:

  1. Choose Application Health extension from the Application Health monitor dropdown list.

  2. From the Protocol dropdown list, choose the network protocol used by your application to report health. Select the appropriate protocol based on your application requirements. Protocol options are HTTP, HTTPS, or TCP.

  3. In the Port number configuration box, type the network port used to monitor application health.

  4. For Path, provide the application endpoint path (for example, "/") used to report application health.

    Note

    The Application Health extension will ping this path inside each virtual machine in the scale set to get application health status for each instance. If you're using Binary Health States and the endpoint responds with a status 200 (OK), then the instance is marked as "Healthy". In all the other cases (including if the endpoint is unreachable), the instance is marked "Unhealthy". For more health state options, explore Rich Health States.

If you're monitoring your scale set using SLB Health probes:

  • Choose Load balancer probe from the Application Health monitor dropdown list.- For the Load Balancer health probe, select an existing health probe or create a new health probe for monitoring.

To enable automatic repairs:

  1. Locate the Automatic repair policy section.
  2. Turn On the Automatic repairs option.
  3. In Grace period (min), specify the grace period in minutes. Allowed values are between 10 and 90 minutes.
  4. When you're done, select Save.

Configure a repair action on automatic repairs policy

Caution

The repairAction setting, is currently under PREVIEW and not suitable for production workloads. To preview the Restart and Reimage repair actions, you must register your Azure subscription with the AFEC flag AutomaticRepairsWithConfigurableRepairActions and your compute API version must be 2021-11-01 or higher. For more information, see set up preview features in Azure subscription.

The repairAction setting under automaticRepairsPolicy allows you to specify the desired repair action performed in response to an unhealthy instance. If you are updating the repair action on an existing automatic repairs policy, you must first disable automatic repairs on the scale set and re-enable with the updated repair action. This process is illustrated in the examples below.

This example demonstrates how to update the repair action on a scale set with an existing automatic repairs policy. Use API version 2021-11-01 or higher.

Disable the existing automatic repairs policy on your scale set

PUT or PATCH on '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachineScaleSets/{vmScaleSetName}?api-version=2021-11-01'
{
  "properties": {
    "automaticRepairsPolicy": {
            "enabled": "false"
        }
    }
}

Re-enable automatic repairs policy with the desired repair action

PUT or PATCH on '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachineScaleSets/{vmScaleSetName}?api-version=2021-11-01'
{
  "properties": {
    "automaticRepairsPolicy": {
            "enabled": "true",
            "gracePeriod": "PT40M",
            "repairAction": "Reimage"
        }
    }
}

Viewing and updating the service state of automatic instance repairs policy

Use Get Instance View with API version 2019-12-01 or higher for Virtual Machine Scale Set to view the serviceState for automatic repairs under the property orchestrationServices.

GET '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachineScaleSets/{vmScaleSetName}/instanceView?api-version=2019-12-01'
{
  "orchestrationServices": [
    {
      "serviceName": "AutomaticRepairs",
      "serviceState": "Running"
    }
  ]
}

Use Set Orchestration Service State to suspend or resume the serviceState for automatic repairs.

POST '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachineScaleSets/{vmScaleSetName}/instanceView?api-version=2023-07-01'

{
  "serviceName": "AutomaticRepairs",
  "action": "Suspend"
}

Troubleshoot

Failure to enable automatic repairs policy

If you get a 'BadRequest' error with a message stating "Couldn't find member 'automaticRepairsPolicy' on object of type 'properties'", then check the API version used for Virtual Machine Scale Set. API version 2018-10-01 or higher is required for this feature.

Instance not getting repaired even when policy is enabled

The instance could be in grace period. This period is the amount of time to wait after any state change on the instance before performing repairs, which helps avoid any premature or accidental repairs. The repair action should happen once the grace period is completed for the instance.

Viewing application health status for scale set instances

You can use the Get Instance View API for instances in a Virtual Machine Scale Set to view the application health status. With Azure PowerShell, you can use the cmdlet Get-AzVmssVM with the -InstanceView flag. The application health status is provided under the property vmHealth.

In the Azure portal, you can see the health status as well. Go to an existing scale set, select Instances from the menu on the left, and look at the Health state column for the health status of each scale set instance.

Next steps

Learn how to configure Application Health extension or Load balancer health probes for your scale sets.