6 Easy Ways to Manage and Harden VM Images in Azure
In this article, take a look at six ways to manage and harden VM images in Azure.
Managing VM images can be a nightmare. Here are six simple approaches to building, sharing, testing, and copying images in Azure seamlessly. As a bonus, you also get a way to build image notifications on top of an event-driven architecture.
Whether you manage 100 virtual machines or more than 1,000, do you still build and harden your VM images by hand? If so, you know that it is expensive and leads to hard-to-detect errors and potential security vulnerabilities.
Here is how I approach the problem for my customers: my procedure for setting up image management in Azure.
1. Building an Image Using the Azure Image Builder
The Azure Image Builder is a service that creates custom images from a JSON template, driven from the Azure CLI; an example template is shown below.
The original template is quite long, so it is abridged here. Here you can find the full example.
The ARM template is quite simple and contains the following properties:
- Identity is required: you have to create a managed identity so that Image Builder has permission to create and edit images
- VmProfile sets up the build VM configuration (size and OS disk)
- Source specifies the base image parameters. I use the latest Ubuntu Server 18.04 LTS from Canonical
- Customize lists the VM hardening scripts that run on the build VM
Here you can see the full list of the Image Builder options.
Below you can find the CLI commands that build the image from the JSON template above.
Before you run this template you must enable the Azure Image Builder feature, set permissions, create the resource groups, and create the managed identity. Here you can find the step-by-step process.
The templates and the process itself are easy to understand, and they integrate easily with Azure DevOps.
At the time of writing, Image Builder is still in preview, so it is not recommended for production use. Setup is also somewhat harder than with HashiCorp Packer, which the next section covers.
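Below is an added example of a complete Image Builder template of the kind described above; it is not the author's abridged template. Subscription, resource group, identity, and gallery names in angle brackets are placeholders, and the inline hardening commands are one illustrative set (patching, disabling root and password SSH logins, enabling unattended upgrades), not the author's scripts. Image Builder deprovisions the build VM itself, so no waagent step is needed here.

```json
{
  "type": "Microsoft.VirtualMachineImages/imageTemplates",
  "apiVersion": "2020-02-14",
  "location": "westeurope",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/<subscriptionId>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<aib-identity>": {}
    }
  },
  "properties": {
    "buildTimeoutInMinutes": 80,
    "vmProfile": {
      "vmSize": "Standard_D2s_v3",
      "osDiskSizeGB": 30
    },
    "source": {
      "type": "PlatformImage",
      "publisher": "Canonical",
      "offer": "UbuntuServer",
      "sku": "18.04-LTS",
      "version": "latest"
    },
    "customize": [
      {
        "type": "Shell",
        "name": "patch-base-image",
        "inline": [
          "sudo apt-get update",
          "sudo DEBIAN_FRONTEND=noninteractive apt-get -y upgrade",
          "sudo apt-get install -y unattended-upgrades"
        ]
      },
      {
        "type": "Shell",
        "name": "harden-ssh",
        "inline": [
          "sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config",
          "sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config",
          "sudo sshd -t"
        ]
      }
    ],
    "distribute": [
      {
        "type": "SharedImage",
        "galleryImageId": "/subscriptions/<subscriptionId>/resourceGroups/<rg>/providers/Microsoft.Compute/galleries/<gallery>/images/<imageDefinition>",
        "runOutputName": "ubuntu-1804-hardened",
        "replicationRegions": [ "westeurope" ]
      }
    ]
  }
}
```

Because the file carries `type`, `apiVersion`, `location`, and `identity` at the top level, it is submitted as a full resource object: `az resource create -g <rg> -n <templateName> --resource-type Microsoft.VirtualMachineImages/imageTemplates --is-full-object --properties @template.json`, followed by `az resource invoke-action -g <rg> -n <templateName> --resource-type Microsoft.VirtualMachineImages/imageTemplates --action Run`. The `sshd -t` step is the check worth keeping: it makes the build fail if a sed edit left sshd_config unparsable, instead of producing an image nobody can log in to.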
2. Building an Image Using the Hashicorp Packer
HashiCorp Packer is a multi-platform tool that builds custom images from JSON templates. The templates are well-structured and based on an easy-to-understand object model with three root objects: Builders, Provisioners, and Post-Processors (communicators are configured inside a builder). Below you can find the JSON template.
The JSON template creates a VHD image of Ubuntu with a preinstalled NGINX web server and the latest updates. Here you can find many other templates.
To install Packer on Windows you can use the Chocolatey package manager:
You can run the JSON template using the following command:
Before you run the template you need to create a managed identity or a service principal with the proper permissions, for example:
This command prints a JSON document containing subscriptionId and the other fields Packer needs.
Here you can find further details on setting up and running Packer templates.
Packer and its JSON templates are simple to understand. They let you quickly set up the environment and start building images, there is a strong community, and Packer supports multiple cloud providers.
I have not found any serious disadvantages. However, when building a managed image, Packer always removes the temporary OS disk, and some later operations on the image need that disk, for example copying the image.
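The following is an added example of a Packer template for the `azure-arm` builder, written for this section rather than taken from the author's repository. Credentials come from the `ARM_*` environment variables that `az ad sp create-for-rbac` gives you; the resource group and image names are placeholders. As written it produces a managed image; to write a VHD into a storage account instead, replace the two `managed_image_*` keys with `resource_group_name`, `storage_account`, `capture_container_name`, and `capture_name_prefix`.

```json
{
  "variables": {
    "client_id": "{{env `ARM_CLIENT_ID`}}",
    "client_secret": "{{env `ARM_CLIENT_SECRET`}}",
    "subscription_id": "{{env `ARM_SUBSCRIPTION_ID`}}",
    "tenant_id": "{{env `ARM_TENANT_ID`}}"
  },
  "builders": [
    {
      "type": "azure-arm",
      "client_id": "{{user `client_id`}}",
      "client_secret": "{{user `client_secret`}}",
      "subscription_id": "{{user `subscription_id`}}",
      "tenant_id": "{{user `tenant_id`}}",
      "managed_image_resource_group_name": "rg-images",
      "managed_image_name": "ubuntu-1804-nginx-{{timestamp}}",
      "os_type": "Linux",
      "image_publisher": "Canonical",
      "image_offer": "UbuntuServer",
      "image_sku": "18.04-LTS",
      "location": "West Europe",
      "vm_size": "Standard_DS2_v2",
      "azure_tags": { "builder": "packer", "base": "ubuntu-18.04" }
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "execute_command": "chmod +x {{ .Path }}; {{ .Vars }} sudo -E sh '{{ .Path }}'",
      "inline_shebang": "/bin/sh -x",
      "inline": [
        "apt-get update",
        "DEBIAN_FRONTEND=noninteractive apt-get -y upgrade",
        "apt-get install -y nginx unattended-upgrades",
        "sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config",
        "sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config",
        "sshd -t",
        "/usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync"
      ]
    }
  ]
}
```

The last inline command matters for security as much as for reuse: `waagent -deprovision+user` removes the build user, its SSH keys, and machine-specific state so that every VM created from the image gets fresh credentials. Keeping the secret in `ARM_CLIENT_SECRET` rather than in the template keeps it out of source control and out of `packer build` logs.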
3. Sharing Images
To share images in Azure, you may use the Shared Image Gallery. It can:
- Create image definition
- Keep versions of an image
- Share an image
For example, you can share an image across your Azure subscriptions, resource groups, and tenants.
In the current scenario, you can create a user group or a single user or service principal and assign it rights scoped only to this shared image gallery. Contributor on the gallery lets the members create, modify, and delete image versions; if they only need to deploy VMs from the images, Reader on the gallery is sufficient and is the least-privileged choice.
As a result, users from the group can create virtual machines based on the Ubuntu image from this Shared Image Gallery in different subscriptions.
The Azure Shared Image Gallery lets you build, share, manage, and customize images within your organization. SIG is supported by the Azure CLI, so you can easily automate image distribution.
The image remains in the gallery where it was published; it physically stays there. So when you share it across subscriptions, you cannot change or remove it independently for each subscription.
4. Copying Images
By copying images, you can deliver images from one subscription to another or from one resource group to another. All copied images are independent of each other. You can copy images using the Az Image Copy extension, or implement the copy yourself, for example with a small Go program. Let us have a look at the examples below.
Copying an Image With the Az Image Copy Extension
To copy images between subscriptions, I use the Az Image Copy extension (not to be confused with the AzCopy tool). It creates a new, independent image in the target resource group from the source image.
Install copy extension:
Important: Packer removes the temporary OS disk automatically after the managed image is created.
The Az Image Copy extension is simple to use and automate.
However, the source image must still have its managed disk; otherwise the copy process fails with a 'Resource not found' error message.
Copy Image Manually
If the Az Image Copy extension does not work for you, you can create a VHD image in a storage account and copy it to a destination storage account.
The process workflow:
- Create two storage accounts, source and destination
- Create the VHD image in the source storage account. You can use the Packer template from the previous section
- Generate a Shared Access Signature (SAS) for the source VHD. Here you can find an example of how to do it with the Azure CLI
- Copy the image. To demonstrate this I use a Go script. You can also use the AzCopy tool; here is an example of how to do it
This copy workflow is fully custom, so you can change it at any time. It is also useful when the Az Image Copy extension does not work for you, for example because Packer removed the managed disk while creating the image.
You have to implement all workflow steps yourself, including:
- creating the VHD
- generating and managing the SAS token (keep it read-only and short-lived)
- copying the image
- cleaning up
- converting the image
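The copy step above is a server-side Copy Blob request followed by polling, because a cross-account copy is asynchronous: Azure answers 202 Accepted with `x-ms-copy-status: pending` and the VHD is not usable until the status becomes `success`. The Go program below is an added example written for this section, not the author's script. It assumes the source URL already carries a read SAS (generated with the CLI as in the step above) and the destination URL carries a SAS with read and write permission on its container; the `newFakeBlobService` stand-in and the URLs in `main` are constructed so the program runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// copyBlob asks the destination blob service to pull sourceURL into destURL
// (the Copy Blob REST operation), then polls Get Blob Properties (HEAD) on the
// destination until the copy is no longer pending. It returns the final
// x-ms-copy-status; anything other than "success" comes back with an error.
func copyBlob(client *http.Client, sourceURL, destURL string, interval time.Duration, maxPolls int) (string, error) {
	req, err := http.NewRequest(http.MethodPut, destURL, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("x-ms-version", "2019-12-12")
	req.Header.Set("x-ms-copy-source", sourceURL) // source SAS travels inside this URL
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusAccepted {
		return "", fmt.Errorf("copy blob: unexpected HTTP %d", resp.StatusCode)
	}
	status := resp.Header.Get("x-ms-copy-status")

	// 202 only means the copy was scheduled; keep polling while it is pending.
	for i := 0; status == "pending" && i < maxPolls; i++ {
		time.Sleep(interval)
		head, err := http.NewRequest(http.MethodHead, destURL, nil)
		if err != nil {
			return status, err
		}
		head.Header.Set("x-ms-version", "2019-12-12")
		r, err := client.Do(head)
		if err != nil {
			return status, err
		}
		r.Body.Close()
		status = r.Header.Get("x-ms-copy-status")
	}
	switch status {
	case "success":
		return status, nil
	case "pending":
		return status, fmt.Errorf("copy still pending after %d polls", maxPolls)
	default: // "failed" or "aborted"
		return status, fmt.Errorf("copy finished with status %q", status)
	}
}

// newFakeBlobService is a constructed stand-in for the destination storage
// account: PUT is accepted as pending, the next pendingPolls HEAD requests
// still report pending, and every HEAD after that reports finalStatus.
func newFakeBlobService(pendingPolls int, finalStatus string) *httptest.Server {
	var mu sync.Mutex
	polls := 0
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodPut:
			if r.Header.Get("x-ms-copy-source") == "" {
				http.Error(w, "missing x-ms-copy-source", http.StatusBadRequest)
				return
			}
			w.Header().Set("x-ms-copy-id", "constructed-copy-id")
			w.Header().Set("x-ms-copy-status", "pending")
			w.WriteHeader(http.StatusAccepted)
		case http.MethodHead:
			mu.Lock()
			polls++
			n := polls
			mu.Unlock()
			if n <= pendingPolls {
				w.Header().Set("x-ms-copy-status", "pending")
			} else {
				w.Header().Set("x-ms-copy-status", finalStatus)
			}
			w.WriteHeader(http.StatusOK)
		default:
			w.WriteHeader(http.StatusMethodNotAllowed)
		}
	}))
}

func main() {
	srv := newFakeBlobService(2, "success")
	defer srv.Close()
	// Constructed URLs: read-only SAS on the source, read+write SAS on the destination.
	src := "https://srcaccount.blob.core.windows.net/images/ubuntu-1804.vhd?sp=r&sv=2019-12-12&sig=REDACTED"
	dst := srv.URL + "/images/ubuntu-1804.vhd?sp=rw&sv=2019-12-12&sig=REDACTED"
	status, err := copyBlob(srv.Client(), src, dst, 10*time.Millisecond, 20)
	fmt.Println("copy status:", status, "err:", err)
}
```

Against a real account, point `dst` at the destination blob URL and keep the rest unchanged. The polling cap is deliberate: a multi-gigabyte VHD can stay `pending` for a long time, and an unbounded loop hides a stuck copy, so the caller decides how long to wait and gets the last status back either way.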
5. Image and Disk Converting
These are the operations that convert a VHD image to a managed disk, or a managed disk to a VHD image. They are useful when you distribute images across your organization with the Azure Shared Image Gallery as part of the image copy process, and when you need to spin up a new VM from a copied image.
They are also useful when you have a legacy VHD that you need to keep supporting: install updates, set up automatic backups, and use availability sets and availability zones.
Here is a list of the advantages of managed images.
Converting VHD Image to the Managed Disk
Convert Managed Disk to Managed Image
With both cmdlets, you can deliver an image to your Azure Shared Image Gallery across different subscriptions and resource groups.
The conversion process can be complicated because some images are outdated, and the conversion may fail for them.
6. Testing Images
To test images, you can simply spin up a new VM from the image gallery using an image definition.
The command and the process itself are quite simple.
Note that this only proves the image boots; it does not check that the software and services listed in the JSON template were installed and configured correctly. That verification logic has to be implemented separately.
The Images Pub/Sub Subsystem Concept (Bonus)
Managing images across several subscriptions or resource groups can be difficult, especially when you constantly produce new image versions or have an automated process that spins up new virtual machines.
In this case, you need a notification system that tells the different components when a new image, image version, or image definition appears in the Azure Shared Image Gallery. You can easily build it using Azure Event Grid with filters.
Below you can see how it can be done with Event Grid. You can use a Storage Queue, a webhook, or even Azure Service Bus to deliver the messages to the target component.
The following example demonstrates how you can create an Event Grid subscription with image filters.
Here you can find the complete Azure DevOps pipeline with the steps to deploy this Event Grid subscription and link it with the other required resources.
That's it. Based on these six approaches you can easily set up an image hardening and management pipeline in Azure DevOps.
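As an added example, not part of the author's pipeline, the Go handler below shows the receiving side of such a subscription: a webhook endpoint that answers the Event Grid validation handshake and turns `Microsoft.Resources.ResourceWriteSuccess` events into new-version notifications. It assumes an Event Grid subscription on the gallery's resource group filtered to `Microsoft.Resources.ResourceWriteSuccess` (and, with an advanced filter, to `data.operationName` = `Microsoft.Compute/galleries/images/versions/write`); the handler re-checks the operation name anyway, since other writes in the same resource group (disks, snapshots) produce the same event type. The event batch `sampleBatch` is constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const (
	validationEventType = "Microsoft.EventGrid.SubscriptionValidationEvent"
	writeSuccessType    = "Microsoft.Resources.ResourceWriteSuccess"
	versionWriteOp      = "Microsoft.Compute/galleries/images/versions/write"
)

// gridEvent is the subset of the Event Grid event schema this consumer needs.
type gridEvent struct {
	EventType string          `json:"eventType"`
	Subject   string          `json:"subject"`
	Data      json.RawMessage `json:"data"`
}

// writeSuccessData is the subset of the ResourceWriteSuccess payload used here.
type writeSuccessData struct {
	OperationName string `json:"operationName"`
	ResourceURI   string `json:"resourceUri"`
	Status        string `json:"status"`
}

// ImageVersion is a gallery image version parsed from its ARM resource ID:
// /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/galleries/{g}/images/{def}/versions/{ver}
type ImageVersion struct {
	Subscription, ResourceGroup, Gallery, Definition, Version string
}

// parseImageVersionURI accepts only a well-formed image version ID; ARM
// resource IDs are case-insensitive, so the fixed segments use EqualFold.
func parseImageVersionURI(uri string) (ImageVersion, bool) {
	p := strings.Split(strings.Trim(uri, "/"), "/")
	if len(p) != 12 ||
		!strings.EqualFold(p[0], "subscriptions") || !strings.EqualFold(p[2], "resourceGroups") ||
		!strings.EqualFold(p[4], "providers") || !strings.EqualFold(p[5], "Microsoft.Compute") ||
		!strings.EqualFold(p[6], "galleries") || !strings.EqualFold(p[8], "images") ||
		!strings.EqualFold(p[10], "versions") {
		return ImageVersion{}, false
	}
	return ImageVersion{p[1], p[3], p[7], p[9], p[11]}, true
}

// HandleEvents processes one webhook delivery (a JSON array of events). It
// returns the body to send back for the subscription-validation handshake
// (nil when the batch is not a handshake) and the new image versions found.
func HandleEvents(body []byte) (validationResponse []byte, versions []ImageVersion, err error) {
	var events []gridEvent
	if err := json.Unmarshal(body, &events); err != nil {
		return nil, nil, fmt.Errorf("decode event batch: %w", err)
	}
	for _, ev := range events {
		switch ev.EventType {
		case validationEventType:
			var d struct {
				ValidationCode string `json:"validationCode"`
			}
			if err := json.Unmarshal(ev.Data, &d); err != nil {
				return nil, nil, err
			}
			validationResponse, _ = json.Marshal(map[string]string{"validationResponse": d.ValidationCode})
		case writeSuccessType:
			var d writeSuccessData
			if err := json.Unmarshal(ev.Data, &d); err != nil {
				return nil, nil, err
			}
			if !strings.EqualFold(d.OperationName, versionWriteOp) {
				continue // some other successful write in the resource group
			}
			if v, ok := parseImageVersionURI(d.ResourceURI); ok {
				versions = append(versions, v)
			}
		}
	}
	return validationResponse, versions, nil
}

// sampleBatch is a constructed delivery: the handshake, one new image version,
// and an unrelated disk write that must be ignored.
var sampleBatch = []byte(`[
  {"eventType": "Microsoft.EventGrid.SubscriptionValidationEvent", "subject": "",
   "data": {"validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6", "validationUrl": "https://example.invalid/validate"}},
  {"eventType": "Microsoft.Resources.ResourceWriteSuccess",
   "subject": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images/providers/Microsoft.Compute/galleries/sig-prod/images/ubuntu-1804-hardened/versions/1.0.3",
   "data": {"operationName": "Microsoft.Compute/galleries/images/versions/write",
            "resourceUri": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images/providers/Microsoft.Compute/galleries/sig-prod/images/ubuntu-1804-hardened/versions/1.0.3",
            "status": "Succeeded"}},
  {"eventType": "Microsoft.Resources.ResourceWriteSuccess",
   "subject": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images/providers/Microsoft.Compute/disks/tmp-os-disk",
   "data": {"operationName": "Microsoft.Compute/disks/write",
            "resourceUri": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images/providers/Microsoft.Compute/disks/tmp-os-disk",
            "status": "Succeeded"}}
]`)

func main() {
	resp, versions, err := HandleEvents(sampleBatch)
	fmt.Printf("handshake reply: %s\nnew versions: %+v\nerr: %v\n", resp, versions, err)
}
```

Two practical points for a webhook target: Event Grid will not deliver anything until the handshake reply above is returned, and since anyone who can reach the endpoint can POST a look-alike batch, put a secret in the subscribed webhook URL's query string and reject requests that lack it (or deliver to a Storage Queue or Service Bus instead, where Azure authenticates the sender for you).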