I had the great pleasure of giving a talk on Secure infrastructure with Terraform, Azure DSC and Ansible at Microsoft Techdays 2018 in Stockholm. The blog post based on the content is in the works.
As I promised to publish my slides and demos, here they are – in a GitHub repo.
The demos are grouped into three folders: ansible, dsc and tf. Dsc and tf each have a subfolder called “hardened”, which holds the more secure version of the template.
The “tf -> hardened -> general” subfolder contains the various resources I used to support the hardened demo, such as Key Vault and Azure Policy.
You can start using the templates right away; just look for the redacted IDs and passwords (replaced with xxx-yyy and the like) and substitute your own.
Or drop me a question if in doubt.
It’s no news that Azure has a neat OMS integration that can be used to monitor the update status of enrolled machines. What strikes me the most is the simplicity it brings to patching in a hybrid cloud infrastructure and how quickly it lets you get patching under control.
Azure Update Management is part of an Automation Account and is tied to the subscription it is created in. This means you can directly add Azure VMs from the same subscription. For other VMs – Azure VMs in a different subscription or on-prem servers – you need to install the OMS agent. You can get it from the Log Analytics workspace associated with your Automation Account; the link is under point 1 of the Getting started screen:
Proceed and grab the agent installer. You can unpack the agent installer to a folder with the /c /t:<folder> flags and install it unattended by passing the installer the following Log Analytics parameters: Workspace ID and Workspace Key (you can find them . To simplify distribution, I zipped the folder with the unwrapped MSI content and wrote a small script for unattended installation that runs in memory (except for extracting the zip archive). It requires the workspace details mentioned above and a link to the agent zip archive.
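The following is an added example of such an unattended install script; it is not the script from my repo. It assumes the zip archive was produced by extracting the agent installer with /c /t:<folder> and therefore contains setup.exe and MOMAgent.msi at its root; the archive URL, the workspace ID and key, and the optional hash are placeholders the caller supplies. The MSI properties it uses (ADD_OPINSIGHTS_WORKSPACE, OPINSIGHTS_WORKSPACE_ID, OPINSIGHTS_WORKSPACE_KEY, AcceptEndUserLicenseAgreement) are the documented ones for the Microsoft Monitoring Agent installer.

```powershell
# Added example (not the author's repo script): unattended OMS agent install from a zip
# of the pre-extracted installer. Only the archive itself touches disk.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,     # placeholder: Log Analytics workspace ID
    [Parameter(Mandatory)] [string] $WorkspaceKey,    # placeholder: Log Analytics workspace key
    [Parameter(Mandatory)] [string] $AgentZipUrl,     # placeholder: where you host the agent zip
    # Optional SHA256 of the zip as recorded when you built it. Checking it means a swapped
    # archive on the web server or file share cannot install arbitrary code as SYSTEM.
    [string] $ExpectedSha256
)

$ErrorActionPreference = 'Stop'

# Refuse plaintext downloads of something we are about to run as SYSTEM.
if (-not $AgentZipUrl.StartsWith('https://', [StringComparison]::OrdinalIgnoreCase)) {
    throw "AgentZipUrl must use https"
}

# If the agent is already installed and reporting to this workspace, do nothing.
$cfg = $null
try { $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg' } catch { }
if ($cfg) {
    $existing = @($cfg.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId })
    if ($existing.Count -gt 0) {
        Write-Output "Agent already reports to workspace $WorkspaceId"
        return
    }
}

# Scratch folder for the archive; removed at the end.
$work = Join-Path $env:TEMP ("mma-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$zip = Join-Path $work 'agent.zip'
Invoke-WebRequest -Uri $AgentZipUrl -OutFile $zip -UseBasicParsing

if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "Hash mismatch for $AgentZipUrl : expected $ExpectedSha256, got $actual"
    }
}

Expand-Archive -Path $zip -DestinationPath $work -Force
$setup = Join-Path $work 'setup.exe'
if (-not (Test-Path $setup)) {
    throw "setup.exe not found in archive; was the installer extracted with /c /t:<folder>?"
}

# Quiet install, enrol in the workspace, accept the EULA. NOAPM=1 skips the
# .NET Application Performance Monitoring component, which Update Management does not need.
$setupArgs = @(
    '/qn', 'NOAPM=1', 'ADD_OPINSIGHTS_WORKSPACE=1',
    "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId",
    "OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey",
    'AcceptEndUserLicenseAgreement=1'
)
$proc = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru
# 0 = success, 3010 = success but a reboot is pending
if ($proc.ExitCode -notin 0, 3010) {
    throw "Agent setup failed with exit code $($proc.ExitCode)"
}

# Verify the agent service is actually running before reporting success.
$svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
if (-not $svc) { throw "HealthService not present after install" }
if ($svc.Status -ne 'Running') { Start-Service -Name HealthService }
Write-Output "OMS agent installed; HealthService is $((Get-Service -Name HealthService).Status)"

Remove-Item -Path $work -Recurse -Force
```

To run it without saving it to disk, fetch the script text over HTTPS and invoke it as a script block, e.g. `& ([scriptblock]::Create((Invoke-WebRequest -Uri $scriptUrl -UseBasicParsing).Content)) -WorkspaceId ... -WorkspaceKey ... -AgentZipUrl ...`. Pass the workspace key from a secret store rather than hard-coding it in whatever wrapper you use to roll this out.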
Once you install the agent, it starts reporting to LogAnalytics and provides visibility into the update status for each machine.
The information is available in both the Update Management blade and the Log Analytics workspace. The latter provides better statistics, but the data is not actionable there; to trigger an update you need to go back to Update Management.
From the Update Management blade, one can:
- schedule update deployment
- include specific machines or groups
- include or exclude particular patches by KB
- select update categories to apply
- schedule a recurring deployment that regularly checks for and installs the selected update categories
And one last detail – Log Analytics can be switched to the free tier and will still serve the needs of Update Management, bringing the cost of patch management for hundreds of servers close to zero.
Together with Azure DSC (configuration management) and Machine Inventory, which I reviewed earlier, Azure Automation provides a wide range of tools that can replace expensive and complex products for managing hybrid infrastructure.