SQL best practices assessment for SQL Server on Azure VMs
Applies to: SQL Server on Azure VM
The SQL best practices assessment feature of the Azure portal identifies possible performance issues and evaluates that your SQL Server on Azure Virtual Machines (VMs) is configured to follow best practices using the rich ruleset provided by the SQL Assessment API.
Overview
Once the SQL best practices assessment feature is enabled, your SQL Server instance and databases are scanned to provide recommendations for things like indexes, deprecated features, enabled or missing trace flags, statistics, etc. Recommendations are surfaced to the SQL VM management page of the Azure portal.
Assessment results are uploaded to your Log Analytics workspace using Azure Monitor Agent (AMA). The AMA extension is installed to the SQL Server VM, if it is not installed already, and AMA resources such as DCE, DCR are created and connected to the specified Log Analytics workspace.
Assessment run time depends on your environment (number of databases, objects, and so on), with a duration from a few minutes, up to an hour. Similarly, the size of the assessment result also depends on your environment. Assessment runs against your instance and all databases on that instance. In our testing, we observed that an assessment run can have up to 5-10% CPU impact on the machine. In these tests, the assessment was done while a TPC-C like application was running against the SQL Server.
Prerequisites
To use the SQL best practices assessment feature, you must have the following prerequisites:
- Your SQL Server VM must be registered with the SQL Server IaaS extension.
- A Log Analytics workspace in the same subscription as your SQL Server VM to upload assessment results to.
- SQL Server 2012 or later.
Permissions
To enable SQL best practices assessments, you need the following permissions:
- Virtual machine contributor on the underlying virtual machine resource.
- Virtual machine contributor on the SQL virtual machines resource.
- Log Analytics Contributor on the resource group that contains the Log Analytics workspace.
- Reader on the resource group where the Azure Monitor Agent resources are created. Check the configuration option for the resource group when you enable the SQL best practices assessment feature.
Enable
You can enable SQL best practices assessments using the Azure portal or the Azure CLI.
To enable SQL best practices assessments using the Azure portal, follow these steps:
- Sign into the Azure portal and go to your SQL virtual machines.
- Select SQL best practices assessments under Settings.
- Select Enable SQL best practices assessments or Configuration to navigate to the Configuration page.
- Check the Enable SQL best practices assessments box and provide the following:
- The Log Analytics workspace that assessments will be uploaded to. Choose an existing workspace in the subscription from the drop-down.
- Choose a resource group where the Azure Monitor Agent resources DCE and DCR will be created. If you specify the same resource group across multiple SQL Server VMs, these resources are reused.
- The Run schedule. You can choose to run assessments on demand, or automatically on a schedule. If you choose a schedule, then provide the frequency (weekly or monthly), day of week, recurrence (every 1-6 weeks), and the time of day your assessments should start (local to VM time).
- Select Apply to save your changes and deploy the Azure Monitor Agent to your SQL Server VM if it's not deployed already. An Azure portal notification tells you once the SQL best practices assessment feature is ready for your SQL Server VM.
Assess SQL Server VM
Assessments run:
- On a schedule
- On demand
Run scheduled assessment
You can configure assessment on a schedule using the Azure portal and the Azure CLI.
If you set a schedule in the configuration pane, an assessment runs automatically at the specified date and time. Choose Configuration to modify your assessment schedule. Once you provide a new schedule, the previous schedule is overwritten.
Run on demand assessment
After the SQL best practices assessment feature is enabled for your SQL Server VM, it's possible to run an assessment on demand using the Azure portal, or the Azure CLI.
To run an on-demand assessment by using the Azure portal, select Run assessment from the SQL best practices assessment pane of the SQL virtual machines resource page in the Azure portal.
View results
The Assessments results section of the SQL best practices assessments page shows a list of the most recent assessment runs. Each row displays the start time of a run and the status - scheduled, running, uploading results, completed, or failed. Each assessment run has two parts: evaluates your instance, and uploads the results to your Log Analytics workspace. The status field covers both parts. Assessment results are shown in Azure workbooks.
Access the assessment results Azure workbook in three ways:
- Select the View latest successful assessment button on the SQL best practices assessments page.
- Choose a completed run from the Assessment results section of the SQL best practices assessments page.
- Select View assessment results from the Top 10 recommendations surfaced on the Overview page of your SQL VM resource page.
Once you have the workbook open, you can use the drop-down to select previous runs. You can view the results of a single run using the Results page or review historical trends using the Trends page.
Results page
The Results page organizes the recommendations using tabs for:
- All: All recommendations from the current run
- New: New recommendations (the delta from previous runs)
- Resolved: Resolved recommendations from previous runs
- Insights: Identifies the most recurring issues and the databases with the most issues.
The graph groups assessment results in different categories of severity - high, medium, low, and information. Select each category to see the list of recommendations, or search for key phrases in the search box. It's best to start with the most severe recommendations and go down the list.
The first grid shows you each recommendation and the number of instances in your environment that encountered that issue. When you select a row in the first grid, the second grid lists all the instances for that particular recommendation. If there's no selection in the first grid, the second grid shows all recommendations, which could potentially be a long list. You can use the drop downs above the grid (Name, Severity, Tags, Check Id) to filter the results. You can also use Export to Excel and Open the last run query in the Logs view options by selecting the small icons on the top right corner of each grid.
The passed section of the graph identifies recommendations your system already follows.
View detailed information for each recommendation by selecting the Message field, such as a long description, and relevant online resources.
Trends page
There are three charts on the Trends page to show changes over time: all issues, new issues, and resolved issues. The charts help you see your progress. Ideally, the number of recommendations should go down while the number of resolved issues goes up. The legend shows the average number of issues for each severity level. Hover over the bars to see the individual vales for each run.
If there are multiple runs in a single day, only the latest run is included in the graphs on the Trends page.
Enable for all VMs in a subscription
You can use the Azure CLI to enable the SQL best practices assessment feature on all SQL Server VMs within a subscription. To do so, use the following example script:
# This script is formatted for use with Az CLI on Windows PowerShell. You may need to update the script for use with Az CLI on other shells.
# This script enables SQL best practices assessment feature for all SQL Servers on Azure VMs in a given subscription. It configures the VMs to use a Log Analytics workspace to upload assessment results. It sets a schedule to start an assessment run every Sunday at 11pm (local VM time).
# Please note that if a VM is already associated with another Log Analytics workspace, it will give an error.
$subscriptionId = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
# Resource Group where the Log Analytics workspace belongs
$myWsRg = 'myWsRg'
# Log Analytics workspace where assessment results will be stored
$myWsName = 'myWsName'
# Resource Group where the Azure Monitor Agent resources will be created
$myAgentRg = 'myAgentRg'
# Ensure in correct subscription
az account set --subscription $subscriptionId
$sqlvms = az sql vm list | ConvertFrom-Json
foreach ($sqlvm in $sqlvms)
{
echo "Configuring feature on $($sqlvm.id)"
az sql vm update --assessment-weekly-interval 1 --assessment-day-of-week Sunday --assessment-start-time-local "23:00" --workspace-name $myWsName --workspace-rg $myWsRg -g $sqlvm.resourceGroup --agent-rg $myAgentRg -n $sqlvm.name
# Alternatively you can use this command to only enable the feature without setting a schedule
# az sql vm update --enable-assessment true --workspace-name $myWsName --workspace-rg $myWsRg -g $sqlvm.resourceGroup --agent-rg $myAgentRg -n $sqlvm.name
# You can use this command to start an on-demand assessment on each VM
# az sql vm start-assessment -g $sqlvm.resourceGroup -n $sqlvm.name
}
Known issues
You may encounter some of the following known issues when using SQL best practices assessments.
Migrating to Azure Monitor Agent (AMA)
Previously, SQL best practices assessment feature used Microsoft Monitoring Agent (MMA) to upload assessments to Log Analytics workspace. The Microsoft Monitoring Agent has been replaced with the Azure Monitor Agent (AMA). To migrate existing SQL best practices assessments from MMA to AMA, you must delete and then register your SQL Server VM with the extension again. Your existing results will still be available after assessments are enabled. If the MMA isn't being used by other services, you can remove it. Before you migrate, make sure Azure Monitor Log Analytics is supported in the region where your SQL Server VM is deployed.
Failed to enable assessments
Refer to the deployment history of the resource group containing the SQL VM to view the error message associated with the failed action.
Failed to run an assessment
Check the status of the assessment run in the Azure portal. If the status is failed, select the status to view the error message. You can also sign into the VM and review detailed error messages for failed assessments in the extension log at C:\WindowsAzure\Logs\Plugins\Microsoft.SqlServer.Management.SqlIaaSAgent\2.0.X.Y
, where 2.0.X.Y is the version of the extension.
If you're having issues running an assessment:
- Make sure your environment meets all the prerequisites.
- Make sure the SQL IaaS Agent service is running on the VM and the SQL IaaS Agent extension is in a healthy state. If the SQL IaaS Agent extension is unhealthy, repair the extension to address any issues, and upgrade it to the latest version without any SQL Server downtime.
- If you see login failures for
NT SERVICE\SqlIaaSExtensionQuery
, make sure that account exists in SQL Server with theServer permission - CONTROL SERVER
permission.
Uploading result to Log Analytics workspace failed
This error indicates that the Microsoft Monitoring Agent (MMA) was unable to upload the results within the expected time frame.
If your results are failing to upload to the Log Analytics workspace, try the following:
- Enable the system-assigned managed identity for the virtual machine and then to enable the best practices assessment feature once more.
- If the issue persists, try the following:
- Validate the MMA extension is provisioned correctly. Review the MMA troubleshooting guide for Custom logs.
- Add an outbound rule for port 443 in your Windows Firewall and Network Security Group (NSG).
Errors with incorrect TLS configuration using Log Analytics
The most common TLS error occurs when the Microsoft Monitoring Agent (MMA) extension can't establish an SSL handshake when connecting to the Log Analytics endpoint, which typically happens when TLS 1.0 is enforced by the registry or GPO at the OS level, but not updated for the .NET framework. If you've enforced TLS 1.0 or higher in Windows and disabled older SSL protocols, as described in Schannel-specific registry keys, you also need to make sure the .NET Framework is configured to use strong cryptography.
Unable to change the Log Analytics workspace after configuring SQL Assessment
After a VM is associated with a Log Analytics workspace, it can't be changed from the SQL virtual machine resource. This is to prevent Log Analytics from being used for other use cases. You can disconnect the VM by using the Log Analytics resource blade on the Virtual Machines page in the Azure portal.
Result expired due to Log Analytics workspace data retention
This indicates that results are no longer retained in the Log Analytics workspace, based on its retention policy. You can change the retention period for the workspace.
Related content
- To register your SQL Server on Azure VM with the SQL IaaS Agent extension:
- Manage SQL Server VMs by using the Azure portal