Disabled AHB by default Azure#2493 (Azure#2627)

Author: BernieWhite

docs/CHANGELOG-v1.md

@@ -34,14 +34,21 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 
 What's changed since v1.32.1:
 
+- Updated rules:
+  - Cognitive Services:
+    - Relaxed `Azure.Cognitive.ManagedIdentity` to configurations that require managed identities by @BernieWhite.
+      [#2559](https://github.com/Azure/PSRule.Rules.Azure/issues/2559)
+  - Virtual Machine:
+    - Checks for Azure Hybrid Benefit `Azure.VM.UseHybridUseBenefit` are not enabled by default by @BernieWhite.
+      [#2493](https://github.com/Azure/PSRule.Rules.Azure/issues/2493)
+      - To enable, set the `AZURE_VM_USE_HYBRID_USE_BENEFIT` option to `true`.
+  - Virtual Network:
+    - Added option for excluding subnets to `Azure.VNET.UseNSGs` by @BernieWhite.
+      [#2572](https://github.com/Azure/PSRule.Rules.Azure/issues/2572)
+      - To add a subnet exclusion, set the `AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG` option.
 - General improvements:
   - Quality updates to rules and documentation by @BernieWhite.
     [#1772](https://github.com/Azure/PSRule.Rules.Azure/issues/1772)
-  - Added option for excluding subnets to `Azure.VNET.UseNSGs` by @BernieWhite.
-    [#2572](https://github.com/Azure/PSRule.Rules.Azure/issues/2572)
-    - To add a subnet exclusion, set the `AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG` option.
-  - Relax `Azure.Cognitive.ManagedIdentity` to required configurations by @BernieWhite.
-    [#2559](https://github.com/Azure/PSRule.Rules.Azure/issues/2559)
 - Engineering:
   - Bump xunit to v2.6.4.
     [#2618](https://github.com/Azure/PSRule.Rules.Azure/pull/2618)

docs/en/rules/Azure.VM.UseHybridUseBenefit.md

@@ -1,7 +1,8 @@
 ---
+reviewed: 2024-01-03
 severity: Awareness
 pillar: Cost Optimization
-category: Pricing and billing model
+category: CO:05 Rate optimization
 resource: Virtual Machine
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.UseHybridUseBenefit/
 ---
@@ -14,11 +15,31 @@ Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.
 
 ## DESCRIPTION
 
-Azure Hybrid Benefit is a licensing benefit that helps you to reduce costs of running virtual machine (VM) workloads.
+The running cost of Virtual machine (VM) workloads in Azure is composed of several components, including:
+
+- Compute usage for the VM size and image billed per second of run time, which may include:
+  - Base compute rate for the VM size.
+  - Software included on the VM image billed per second of run time, such as Windows Server or SQL Server.
+- Storage usage for the VM disks.
+- Network usage for data transfer in and out of the VM.
+- Usage of other supporting Azure resources, such as load balancers, public IP addresses, or log ingestion.
+- Licensing costs for other software installed on the VM.
+
+Azure Hybrid Benefit is a licensing benefit that helps you to reduce your overall cost of ownership.
+With Azure Hybrid Benefit you to use your existing on-premises licenses to pay a reduced rate on Azure.
+
+When Azure Hybrid Benefit enabled on supported VM images:
+
+- The billing rate for the VM is adjusted to the base compute rate.
+- You must separately have eligible licenses, such as Windows Server or SQL Server because Azure does not include these anymore.
+
+For additional information on Azure Hybrid Benefit, see the [Azure Hybrid Benefit FAQ][1].
+
+  [1]: https://azure.microsoft.com/pricing/hybrid-benefit/#faq
 
 ## RECOMMENDATION
 
-Consider using Azure Hybrid Benefit for eligible workloads.
+Consider using Azure Hybrid Benefit for eligible virtual machine (VM) workloads.
 
 ## EXAMPLES
 
@@ -34,44 +55,50 @@ For example:
 
 ```json
 {
-    "type": "Microsoft.Compute/virtualMachines",
-    "apiVersion": "2021-07-01",
-    "name": "[parameters('name')]",
-    "location": "[parameters('location')]",
-    "properties": {
-        "hardwareProfile": {
-            "vmSize": "Standard_D2s_v3"
-        },
-        "osProfile": {
-            "computerName": "[parameters('name')]",
-            "adminUsername": "[parameters('adminUsername')]",
-            "adminPassword": "[parameters('adminPassword')]"
-        },
-        "storageProfile": {
-            "imageReference": {
-                "publisher": "MicrosoftWindowsServer",
-                "offer": "WindowsServer",
-                "sku": "[parameters('sku')]",
-                "version": "latest"
-            },
-            "osDisk": {
-                "name": "[format('{0}-disk0', parameters('name'))]",
-                "caching": "ReadWrite",
-                "createOption": "FromImage"
-            }
-        },
-        "licenseType": "Windows_Server",
-        "networkProfile": {
-            "networkInterfaces": [
-                {
-                    "id": "[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]"
-                }
-            ]
+  "type": "Microsoft.Compute/virtualMachines",
+  "apiVersion": "2023-09-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "zones": [
+    "1"
+  ],
+  "properties": {
+    "hardwareProfile": {
+      "vmSize": "Standard_D2s_v3"
+    },
+    "osProfile": {
+      "computerName": "[parameters('name')]",
+      "adminUsername": "[parameters('adminUsername')]",
+      "adminPassword": "[parameters('adminPassword')]"
+    },
+    "storageProfile": {
+      "imageReference": {
+        "publisher": "MicrosoftWindowsServer",
+        "offer": "WindowsServer",
+        "sku": "[parameters('sku')]",
+        "version": "latest"
+      },
+      "osDisk": {
+        "name": "[format('{0}-disk0', parameters('name'))]",
+        "caching": "ReadWrite",
+        "createOption": "FromImage",
+        "managedDisk": {
+          "storageAccountType": "Premium_LRS"
         }
+      }
     },
-    "dependsOn": [
-        "[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]"
-    ]
+    "licenseType": "Windows_Server",
+    "networkProfile": {
+      "networkInterfaces": [
+        {
+          "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
+        }
+      ]
+    }
+  },
+  "dependsOn": [
+    "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
+  ]
 }
 ```
 
@@ -86,9 +113,12 @@ To deploy VMs that pass this rule:
 For example:
 
 ```bicep
-resource vm 'Microsoft.Compute/virtualMachines@2021-07-01' = {
+resource vm_with_benefit 'Microsoft.Compute/virtualMachines@2023-09-01' = {
   name: name
   location: location
+  zones: [
+    '1'
+  ]
   properties: {
     hardwareProfile: {
       vmSize: 'Standard_D2s_v3'
@@ -109,6 +139,9 @@ resource vm 'Microsoft.Compute/virtualMachines@2021-07-01' = {
         name: '${name}-disk0'
         caching: 'ReadWrite'
         createOption: 'FromImage'
+        managedDisk: {
+          storageAccountType: 'Premium_LRS'
+        }
       }
     }
     licenseType: 'Windows_Server'
@@ -129,8 +162,26 @@ resource vm 'Microsoft.Compute/virtualMachines@2021-07-01' = {
 az vm update -n '<name>' -g '<resource_group>' --set licenseType=Windows_Server
 ```
 
+### NOTES
+
+This rule is not processed by default.
+To enable this rule, set the `AZURE_VM_USE_AZURE_HYBRID_BENEFIT` configuration value to `true`.
+
+For example:
+
+```yaml title="ps-rule.yaml"
+configuration:
+  AZURE_VM_USE_AZURE_HYBRID_BENEFIT: true
+```
+
+The following limitations currently apply:
+
+- This rule only applies to Azure Hybrid Benefit for Windows VMs.
+  Linux VM images are ignored.
+
 ## LINKS
 
-- [Design review checklist for Cost Optimization](https://learn.microsoft.com/azure/well-architected/cost-optimization/checklist)
-- [Azure Hybrid Benefit FAQ](https://azure.microsoft.com/pricing/hybrid-benefit/faq/)
+- [CO:05 Rate optimization](https://learn.microsoft.com/azure/well-architected/cost-optimization/get-best-rates)
+- [Azure Hybrid Benefit FAQ](https://azure.microsoft.com/pricing/hybrid-benefit/#faq)
 - [Explore Azure Hybrid Benefit for Windows VMs](https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines)

docs/examples-vm.bicep

@@ -23,8 +23,50 @@ param sku string
 @description('A reference to the VNET subnet where the VM will be deployed.')
 param subnetId string
 
-// An example basic VM
-resource vm1 'Microsoft.Compute/virtualMachines@2023-07-01' = {
+// An example virtual machine.
+resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
+  name: name
+  location: location
+  zones: [
+    '1'
+  ]
+  properties: {
+    hardwareProfile: {
+      vmSize: 'Standard_D2s_v3'
+    }
+    osProfile: {
+      computerName: name
+      adminUsername: adminUsername
+      adminPassword: adminPassword
+    }
+    storageProfile: {
+      imageReference: {
+        publisher: 'MicrosoftWindowsServer'
+        offer: 'WindowsServer'
+        sku: sku
+        version: 'latest'
+      }
+      osDisk: {
+        name: '${name}-disk0'
+        caching: 'ReadWrite'
+        createOption: 'FromImage'
+        managedDisk: {
+          storageAccountType: 'Premium_LRS'
+        }
+      }
+    }
+    networkProfile: {
+      networkInterfaces: [
+        {
+          id: nic.id
+        }
+      ]
+    }
+  }
+}
+
+// An example virtual machine with Azure Hybrid Benefit.
+resource vm_with_benefit 'Microsoft.Compute/virtualMachines@2023-09-01' = {
   name: name
   location: location
   zones: [
@@ -71,7 +113,8 @@ resource vm1 'Microsoft.Compute/virtualMachines@2023-07-01' = {
 @sys.description('The name of the resource.')
 param nicName string
 
-resource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
+// An example network interface
+resource nic 'Microsoft.Network/networkInterfaces@2023-06-01' = {
   name: nicName
   location: location
   properties: {

docs/examples-vm.json

@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.23.1.45101",
-      "templateHash": "1366791398259070498"
+      "version": "0.24.24.22086",
+      "templateHash": "8240160405856325456"
     }
   },
   "parameters": {
@@ -58,7 +58,52 @@
   "resources": [
     {
       "type": "Microsoft.Compute/virtualMachines",
-      "apiVersion": "2023-07-01",
+      "apiVersion": "2023-09-01",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
+      "zones": [
+        "1"
+      ],
+      "properties": {
+        "hardwareProfile": {
+          "vmSize": "Standard_D2s_v3"
+        },
+        "osProfile": {
+          "computerName": "[parameters('name')]",
+          "adminUsername": "[parameters('adminUsername')]",
+          "adminPassword": "[parameters('adminPassword')]"
+        },
+        "storageProfile": {
+          "imageReference": {
+            "publisher": "MicrosoftWindowsServer",
+            "offer": "WindowsServer",
+            "sku": "[parameters('sku')]",
+            "version": "latest"
+          },
+          "osDisk": {
+            "name": "[format('{0}-disk0', parameters('name'))]",
+            "caching": "ReadWrite",
+            "createOption": "FromImage",
+            "managedDisk": {
+              "storageAccountType": "Premium_LRS"
+            }
+          }
+        },
+        "networkProfile": {
+          "networkInterfaces": [
+            {
+              "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
+            }
+          ]
+        }
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
+      ]
+    },
+    {
+      "type": "Microsoft.Compute/virtualMachines",
+      "apiVersion": "2023-09-01",
       "name": "[parameters('name')]",
       "location": "[parameters('location')]",
       "zones": [
@@ -104,7 +149,7 @@
     },
     {
       "type": "Microsoft.Network/networkInterfaces",
-      "apiVersion": "2023-05-01",
+      "apiVersion": "2023-06-01",
       "name": "[parameters('nicName')]",
       "location": "[parameters('location')]",
       "properties": {