Automatic Patching – Azure

The procedure developed below explains the steps to follow to update virtual machines in Azure automatically. In summary, the process consists of establishing a window in which updates can be applied to the machines and, before applying them, taking a safety snapshot of each machine, so that unwanted changes or errors introduced by the new updates can be rolled back to the machine's previous state.

Update management profile creation

The first step that we must execute is to create an automation account that allows us to define an Update Management profile.

We access the Automation Accounts section in Azure’s portal and create a new one.

Enter the name and the resource group you want to use. Once created, open the account and go to the Update management tab. It is important that the account is created with an Azure Run As account, so that it has the permissions needed to manage the resources.

To enable this functionality, it is necessary to use a Log Analytics workspace. We can use an existing one or create a new one that is automatically associated to our automation account.

Once enabled, we can add the virtual machines on which we want to manage the automatic updates. To do this, we can add them with Add Azure VMs, as shown below.

In our case we are going to add two virtual machines, one running Windows and one running Ubuntu.

This installs on those machines the agent responsible for managing and applying the updates. Once the agent is ready, which can take several minutes, information about the updates appears in the Update management tab of the virtual machine itself.


Creating a Pre-Upgrade Backup Runbook

To avoid any undesired failure caused by the new updates applied to the machines, a pre-script has to be added to the scheduled update deployment that creates a snapshot of the disks of each affected machine beforehand.

To do this, in the automation account created we access the Runbook tab as shown.

The content of the pre-script is in the following file: prescript_snapshot

In summary, the pre-script gets the list of machines to be updated, retrieves their data, creates a snapshot of each machine's disks and waits for the process to finish.
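The following runbook is an added example of such a pre-script; it is not the page's prescript_snapshot file. It assumes the AzureRM profile and Compute modules are imported into the automation account, a Run As connection named AzureRunAsConnection, and managed disks; the tag name RemoveSnapshotUpdate is the one the page's delete script looks for.

```powershell
# Added example runbook (not the page's prescript_snapshot). Assumes AzureRM modules
# and a Run As connection named "AzureRunAsConnection" (assumed names).
param(
    [Parameter(Mandatory = $true)]
    [string]$SoftwareUpdateConfigurationRunContext
)

# Update Management passes the pre-script a JSON run context whose
# SoftwareUpdateConfigurationSettings.AzureVirtualMachines lists the target VM resource IDs.
$context = ConvertFrom-Json $SoftwareUpdateConfigurationRunContext
$vmIds   = $context.SoftwareUpdateConfigurationSettings.AzureVirtualMachines

# Authenticate with the automation account's Run As service principal
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

$stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMddHHmm')
$created = @()

foreach ($vmId in $vmIds) {
    # ID format: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<name>
    $parts  = $vmId -split '/'
    $rg     = $parts[4]
    $vmName = $parts[8]
    $vm     = Get-AzureRmVM -ResourceGroupName $rg -Name $vmName

    # Snapshot the OS disk and every data disk, tagging each so the cleanup runbook can find it
    $disks = @($vm.StorageProfile.OsDisk) + @($vm.StorageProfile.DataDisks)
    foreach ($disk in $disks) {
        if (-not $disk.ManagedDisk) { Write-Warning "$vmName/$($disk.Name): unmanaged disk skipped"; continue }
        $cfg = New-AzureRmSnapshotConfig -SourceUri $disk.ManagedDisk.Id -Location $vm.Location `
            -CreateOption Copy -Tag @{ RemoveSnapshotUpdate = 'true'; SourceVM = $vmName }
        $snapName = "$($disk.Name)-preupdate-$stamp"
        $created += New-AzureRmSnapshot -ResourceGroupName $rg -SnapshotName $snapName -Snapshot $cfg
        Write-Output "Requested snapshot $snapName"
    }
}

# Wait until every snapshot reports Succeeded; throwing fails the pre-script, which stops
# the deployment so no update is applied to a machine without a usable snapshot.
foreach ($snap in $created) {
    do {
        Start-Sleep -Seconds 15
        $state = (Get-AzureRmSnapshot -ResourceGroupName $snap.ResourceGroupName -SnapshotName $snap.Name).ProvisioningState
    } while ($state -eq 'Creating' -or $state -eq 'Updating')
    if ($state -ne 'Succeeded') { throw "Snapshot $($snap.Name) ended in state $state" }
}
Write-Output "All $($created.Count) snapshots succeeded"
```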

We can create the Runbook by pasting the content of the pre-script into the text editor of Azure's own portal, or we can import it if we have previously saved the content as a text file with the .ps1 extension. In either case, the Runbook type must be set to PowerShell.

Once created or imported, it has to be published. To do this, open the Runbook in the editor and choose Publish.

Once published, we need to enable some modules in the automation account that this script uses. The modules are:

  • profile
  • Compute
  • RecoveryServices
  • RecoveryServices.Backup

The first of these (profile) must be imported first, since the others depend on it. To do this, go to the Modules gallery tab of the account and import them.

Once these modules have been imported, they should appear on their corresponding tab.


Creating a snapshot delete runbook

In case you want to remove the snapshots created by the pre-script when they reach a specific age, it is possible to configure a second Runbook that executes this process and schedule it.

The creation process is the same as explained in the previous point for the pre-script. The content is in the following file: remove_snapshot

The delete script removes every snapshot that carries the tag created by the pre-script, in this case RemoveSnapshotUpdate, and that is older than 48 hours (the script can be modified to change this value). It is important not to apply this tag to any other resource, or it will be removed as well.
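An added example of such a delete runbook, not the page's remove_snapshot file. It assumes the same AzureRM modules and Run As connection as the pre-script; the tag name and the 48-hour age come from the text above and are exposed as parameters so the value can be changed without editing the script body.

```powershell
# Added example runbook (not the page's remove_snapshot). Assumes AzureRM modules
# and a Run As connection named "AzureRunAsConnection" (assumed name).
param(
    [string]$TagName = 'RemoveSnapshotUpdate',
    [int]$MaxAgeHours = 48
)

$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

$cutoff  = (Get-Date).ToUniversalTime().AddHours(-$MaxAgeHours)
$removed = 0

# Only snapshots carrying the pre-script's tag are candidates; anything else is ignored,
# which is why the tag must never be reused on resources that should survive.
foreach ($snap in Get-AzureRmSnapshot) {
    if (-not $snap.Tags -or -not $snap.Tags.ContainsKey($TagName)) { continue }

    # TimeCreated is set by the platform, so the age check does not depend on the snapshot name
    $createdUtc = $snap.TimeCreated.ToUniversalTime()
    if ($createdUtc -gt $cutoff) {
        Write-Output "Keeping $($snap.Name) (created $createdUtc, newer than $MaxAgeHours h)"
        continue
    }

    Write-Output "Removing $($snap.Name) from $($snap.ResourceGroupName) (created $createdUtc)"
    Remove-AzureRmSnapshot -ResourceGroupName $snap.ResourceGroupName -SnapshotName $snap.Name -Force | Out-Null
    $removed++
}
Write-Output "Removed $removed snapshot(s) tagged $TagName older than $MaxAgeHours hours"
```

Running it once with Remove-AzureRmSnapshot commented out and reading the Keeping/Removing lines in the job output is a cheap way to confirm the tag filter before scheduling it.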

Once published, we can schedule its execution in the Schedules tab of the Runbook itself.

In this case, a monthly recurring run has been specified on the third Saturday of each month, but it can be configured as required.


Creating an update window

In the automation account we can program a window to install the updates in the previously included machines.

In the Update management section, in the Schedule update deployment tab we can configure this window.

We can select groups of machines based on tags, but in this case we will show the example of a Windows machine.

We can specify the type of updates to apply, in this case we opt for security and critical updates.

It is possible to include or exclude some specific updates in the Include/exclude updates section. The Schedule settings will configure it when we want to execute the window.

In this specific example, we have specified that the update window will run every month on the second Saturday, before the snapshot removal script if we have included it.

In the Pre-scripts + Post-scripts section we select the pre-script added at the beginning and mark it with its corresponding type (pre-script).

Finally, it is important to set a sufficient window duration; a value between 30 and 360 minutes is advisable.
