Azure Update Management

Captions
Hey everyone, in this video I want to talk about update management for my resources. Now those resources could be in Azure, and they could actually be somewhere else, like on-premises or in the cloud. I'm going to talk about two different solutions: there's Update Management, which is our kind of GA solution right now, and then there's solutions that are coming but don't really change functionality, it changes the plumbing underneath. So I'm going to talk about both of those things, and first, as always, if this is useful a like, subscribe, comment and share is definitely appreciated.

Now our focus on this is really around sort of IaaS virtual machines. If we always think about the types of resources we have and responsibilities, well, if I think about a virtual machine, if I'm talking IaaS, then I am responsible for things like the OS, the runtimes, the middlewares, the application and the data. That's all my responsibility. There are tools to help me, but it's my responsibility. So when I think about the OS, well, that includes kind of setting the OS but also obviously patching it; that's kind of a huge part of it.

Now also I'm talking about pets. What I mean by a pet: a pet is an instance that we really care about. It has some unique state, I would fix it if it was having problems, we name it. This is not cattle. Cattle would be something like, well, virtual machine scale sets. So with VMSS I have some kind of gold image template, I have some set of kind of configuration extensions that I apply, I have some scale configurations including autoscale, and then it just goes out and creates them, but there's nothing unique about those. I generally will not be patching those. What would happen is, hey, I have a new version of the image. So a new version, it could be from the gallery or it could be from the Shared Image Gallery and it's a private image, and I publish a new version and that new version has the patches, and then I would just kind of destroy and redeploy them, because there's no special state. And VMSS even has built-in capabilities that if it sees a new version of the image, it will actually go and roll it out over that deployment. So I'm not going to be patching those individually; we just redeploy them if there's a new version of the image that has the patching in it I want. So our focus is here on these kind of pets, these virtual machines.

Now I probably already have a solution I'm doing, maybe on premises. Now that could be something like System Center Configuration Manager, and I could absolutely bring that to the cloud if that's working for me today. I could have things like distribution points, things like cloud distribution points, I could use that to patch these. So I could definitely just use my existing investments if I wanted to, but there are also some kind of cloud native technologies to Azure, and that's what I'm going to focus on.

So the first one is Update Management. Now if I think about what is kind of Update Management, it's really comprised of two key things. Now the first part of this is we're going to have a Log Analytics workspace. So we're used to Log Analytics; it's that place I can send logs and then run analysis on top of it. So it's going to use that to get information from the operating systems about, well, what patches do they have, what patches are they missing, and get kind of that overall state. And then it's going to use Azure Automation. So it's two components that are going to be part of this solution. Now those things get auto configured for me, but it's going to leverage those. And what it actually does is, if I think about for example that virtual machine over there, we'll kind of draw it again, that means I'm going to absolutely have kind of that Log Analytics agent installed; that enables it to go and talk to the Log Analytics workspace. And it's also going to install kind of this Hybrid Runbook Worker, which enables it to talk to Azure Automation, so we can go and, hey, I need to do this, I'm performing these various actions. This is going to be two agents we run inside of our operating system to enable this to actually work.

Now in terms of what clients are actually supported, if I bring up the documentation page we can actually see, well, great, so there's all these different Windows Server 2019, 2016, 2012, 2008 R2, and then things like CentOS 6, 7, 8, Red Hat Enterprise Linux, SUSE Linux Enterprise Server, Ubuntu. So these are the key ones that are supported kind of by this solution.

Now what's going to happen is when we enable this, this OS instance, and again this could absolutely be, so actually draw this over here, it's supported on Windows and it's supported on Linux, and it's going to use whatever source is defined for its patches. So for example on Windows this could absolutely be Microsoft Update, so that cloud service, which means obviously it's going to need to be able to get that, so I need that internet access from that virtual machine. But I could also use something like, well, WSUS, whatever that OS is configured to use. I might just write Windows wrong, it's interesting, it's early in the morning, Windows. Whatever it's configured to use, I've got to use Group Policy, I could use some declarative configuration, it's going to use that for the source of what patches are available and what ones I'm actually going to go and pull these down from. Likewise on Linux, Linux could use kind of a public repo, or once again it can use kind of a private repo, so I kind of have that choice. Now obviously with Linux there's different solutions used depending on the type of Linux distribution. If for example I am Ubuntu, so Ubuntu is going to use apt; if I'm using Red Hat then I'm going to use yum; and if I'm SUSE then it's going to use zypper. So they have those different solutions, but fundamentally whichever way it's going, public or private, it's using the native technology of the operating system to actually go and work out what patches are there, and that's what it's going to use to install them.

Key point here: whatever it's talking to, that is the source of truth. I.e., if I'm pointing to WSUS for Windows and in WSUS I've not approved all of the patches, it's missing some, it has no way of knowing there are other patches out there. So when it goes and reports in to the Log Analytics workspace and the overall solution looks at what patches do you need, it can only see the ones that it knows about from whatever source it's using. So the source of truth here is whatever you configured the OS to use for its patching. There is not some other source of truth that it knows about other patches from; it's going to use whatever is there. Now after a new patch is released to any of these things, for Linux it's going to show up normally within a couple of hours, for Windows it could be 12 to 15 hours, but there's going to be these compliance scans running every 12 hours for Windows, every hour for Linux, so it's gonna get detected and known really within half a day. So a key point here is the technology is just whatever it's used to.

Now can you install third-party updates? For Microsoft, if it's a Microsoft product, yeah, they're available through Microsoft Update as well. If it was a third-party application, there are some things I can do to kind of force a package into WSUS. So there is this WSUS Package Publisher, and that would enable me to kind of push patches and make them known to WSUS, so then yes, I could make them available through this solution. The next is easier: the next, hey, look, if it's in the repos that it's pointing to, it's probably going to work and I'll be able to push it. So that's an easier thing to do.

So the main steps are actually pretty simple. Essentially I'm going to onboard my virtual machine into the Update Management solution, so it's going to get the Log Analytics agent running on it, it's going to get the Hybrid Runbook Worker running on it talking to the Azure Automation account. It's then going to run compliance scans to see, well, what's it missing based on whatever source of truth it's pointing to, and then through the Azure Automation I can define these schedules of, hey, I want to actually go and deploy this.

So this is probably easier to, let's take a look at this in action. So if I jump over, let's close that down, so we can think about starting with, hey, if I just had a regular virtual machine. If I scroll down to Operations you'll kind of see this Guest + host updates. Now if I select that you'll see I have Update Management, and from here, because I've not configured it yet, it's saying, hey, look, I'm going to use a certain Log Analytics workspace because it's already reporting to one, and then I need to create an Azure Automation account, because remember that's what's going to then talk to the Hybrid Runbook Worker which will get installed on this box and talk to it once that's configured. If I jump over to one I made earlier, now I could kind of go into that same thing again and now I'll actually see, okay, well, you're missing kind of these patches, I could see my deployment schedules. But this is kind of one machine at a time. So what I'd rather kind of do is manage multiple machines; this is really where the power comes. And when I click this, what it's actually going to do is go to the Azure Automation account that I've configured and then it's going to go to this Update Management portion. So I could absolutely jump directly to that: go to my Automation Accounts, go to my Automation account and then click Update management. So now I'm back in the same place.

From here, this is because I've got the Log Analytics workspace and I've got my Azure Automation account, the next thing I'm going to do is onboard virtual machines. So I could say, hey, I want to add Azure VMs, and it's going to go and search. Now I could filter this down; it's going to find all of the ones that I don't currently have. So I could say, hey, what locations do I have, and it's checking, saying, oh, well, there's an issue on this VM but all the rest are already enabled. So I could filter that down, but I could go and check these virtual machines and I could say, hey, onboard that. I could click this Enable button at the bottom: I want to onboard them to the Update Management solution. Now once I've done that, notice I can also do non-Azure virtual machines. Now for this basically it's going to take me to documentation that says, hey, install the Log Analytics agent, because that gets it talking to the Log Analytics workspace, and then it's known and then I can do the update management.

Now one of the nice things actually about this is that it is free. There is no cost for this apart from Log Analytics workspace data. If I actually look at the pricing we'll actually see, when I go to Update Management, even for on premises, other clouds, it's free, any node is free. What I pay for though is the data in the Azure Log Analytics service. It kind of talks about you only pay for log data stored in that Log Analytics service. So there's some charge; make sure your data retention settings, make sure you're thinking about that. But I can manage on-prem, Azure, really anywhere where I put the agent.

So I'm going to onboard the machines. The next thing I'm going to want to do is kind of schedule update deployments. Now it's going to take a while again to come back with its status; remember the VMs have to go and run that compliance scan we talked about once it's onboarded, see which ones it's missing based on whatever source of truth it's been configured to use. If I've not changed anything it's probably using, if it's Windows, Microsoft Update, if it's Linux, the public. If I'm using Group Policy or something else I might have changed it to point to WSUS or some private. So it's going to run that compliance scan. So once it runs that compliance scan it will then show me, hey, I'm compliant or I'm missing these various updates. I could go and see, hey, what updates I'm actually missing. Then I'm going to want to go ahead and schedule an update deployment.

Now I give it a name and I target different deployments for Windows or Linux. Now I can then pick the groups of machines based on two different options. Either I can basically define a kind of filter, so I could filter it down to certain subscriptions and certain resource groups, or just pick one, to certain resource groups, I could filter it to certain locations, I could filter it by certain tags. I can basically add in based on these kind of items, so it's a dynamic collection based on those things that I'm actually defining. I can do the same for non-Azure. So that's one; it'll just automatically, hey, whatever fits this thing, maybe I'll have a tag based on update schedule and so it will automatically bring those in. Or I might say I just want to select the machines. So here I could actually just go in and maybe I could just say machines, and it showed me kind of all of them that are Windows, and I would actually select the ones I want to actually be in there. So we'll say I could just select them and then that would be part of it, so I could drop those in and they're now selected. So I'm going to typically do one or the other: either I'm going to specify the machines directly or I can use this kind of dynamic. I could use both; if I select both of those it's going to do the union, so the kind of sum of both of those things together, but typically you just do one or the other.

Now I can select what update classifications do I want. So for kind of Windows we see all these: hey, critical, security update, features, service packs, definition updates, etc. I can specifically add to either include specific ones or exclude specific ones. I can pick the schedule: so is this a one-time patch I'm rolling out, or actually I'm going to run this every day or every two days or every week. I can say if it expires a certain time; basically I'm setting a time for that deployment. I can have pre and post scripts, so I could run something before the patching and then run something after the patching as well, so I can hook in and do additional things. I can set the amount of time it has to perform these patches, and if I'm going to reboot: so yes, I'll reboot if it's required, or hey, don't reboot, or only reboot, don't install the patches. So I go and create these schedules.

Now I already have them, so if you go to the tab Deployment schedules I can see, hey, yeah, I have a Windows one, which again is just based on a group, it's anything I basically have, so it's that Azure query, and I can preview and see it would include all of those machines. And then I also have one for Linux, and the same thing, it's just basically all my Linux machines. For Linux it's critical and security and I've done other, and both of those are on kind of a daily recurrence, and then that's just going to go and happen. Now I can see the history. You can see I've actually got some failures; I could go and dive into those. So Linux, some Windows were working here, then I had some failures, then I had successes. So I can actually go and see the detail of each of these kind of run jobs. Well, so that failed to start, and that's okay, so I would go and dig into that, but I can get the detail of exactly what happened on each of those kind of runs. And that's really it. So once you've defined these things it's really just going to go and do all that work for me.

So that's kind of the today Update Management solution. So Windows and Linux, I can set what patches I want, I can set windows, maintenance durations, very flexible. The pain point people have found are these kind of cogs that I'm maintaining: this Azure Automation, I'm maintaining this Log Analytics workspace. Also Log Analytics workspace is not really designed for very granular role-based access control. So if I have everyone coming into the same Log Analytics workspace, it's not that easy to say, hey, you're allowed to patch these machines but not those machines. So realistically app teams might only want to see their machines, or I only want them to be able to do things to their machines. So that's today, that's Update Management.

So what we have coming and now in preview is we have this kind of automatic VM guest patching. So this is kind of a new solution. If you go and look at the page we can go and look at this quick; it is in preview right now. So I could absolutely go over to this; you can kind of sign on to onboard this and it's just going to automatically deploy the patches. Now once again this is kind of Windows and Linux, but I have basically no control over this thing. So what the automatic is going to do, if I think about from a patching perspective, it's kind of the critical and security, that's it, that's what it's actually going to go and push. There is no time control: I can't set when it deploys, I can't set a window, this is kind of set it and forget it. I cannot stop certain patches: hey, this particular .NET patch is going to cause me a problem, don't push it; I have no way of doing that. I literally can do nothing. Now this is used by a lot of Azure servers, internal services. This will be super, maybe useful for kind of dev test where I don't really care, I just want these things pushed out and deployed. And what's phenomenal about this solution: there is no Log Analytics workspace, there is no Azure Automation, there is only an extension. It's using the Azure Resource Graph and the native resource capabilities. So the Azure Resource Graph is the data store; there's not some Log Analytics workspace I need to go and track. It's native to the resource itself: if it's virtual machines or virtual machine scale sets or Arc for servers, it's just integrated into the compute service or the Arc services. There's nothing else I have to do, and the patches will be installed well within 30 days. That's my level of control I have for this.

Now it does use kind of the availability principles when it's doing this, this availability first, so it's not just going to take a whole bunch of stuff down. So the idea of that is, well, we wouldn't deploy to the same paired regions, so it is considerable. So it's this availability first: it's not going to take everything down, so it's not going to do paired regions at the same time, it'll only do one AZ at a time, if I have availability sets it's only going to do one update domain at a time. So it's going to kind of protect from some kind of mass impact as part of the deployment, but I have no control over this whatsoever, and I can only do those things. But it's super simple: it's just, hey, I'm basically gonna turn it on, I set it and forget it, and now I know, hey, my Windows, my Linux virtual machines will be, within 30 days, they're going to have all the critical and security patches. So again this right now is in preview.

So there's obviously a gap. Yeah, so we have Update Management, it's great, it's flexible, I can configure all these things, set the types of patches I want, but I have these kind of bits that are not that friendly; there's some cogs I have to manage. Then we have this super friendly thing but I have no control. So what's coming is Update Center. So Update Center is gonna, this automatic VM guest patching agent, this is what's going to form the foundation for Update Center, but Update Center will bring in kind of the flexibility and the configuration options of Update Manager. So Update Center will add back the idea of, hey, I can have the different kind of categories of the patches I want, I can kind of set, hey, the time and the duration of those things, I can do kind of approval. So that's where it's going. But this is super, this has kind of been mentioned by the PG but we don't really see anything about this yet. But that's where it's going to. But obviously from a feature perspective it's really the same as Update Manager, which is what we have today. What's going to change is the plumbing underneath: hey, I don't have to have Azure Automation and Log Analytics workspaces anymore; it's just going to use the Azure Resource Graph for the data and the raw compute, the Arc resources, to actually go and do those things. So it just removes some of that kind of plumbing underneath to simplify it.

But that's where we are. And you could think about when this is available then that would be my production thing, so I want more control, I might want other types of patches on. So today the production solution is Azure Update Management: Windows, Linux, on-prem, Azure, full control of when, what, I can exclude, I can include, I have all that power. Where that's going is to really change the plumbing, get rid of the Automation, Log Analytics workspace, but keep all the functionality. Today we can start to get a glimpse of that if we're okay just auto doing the stuff: I can turn on in the preview this automatic VM guest patching, I'll only get critical and security, I have no control, I can't exclude or include, but within 30 days and following availability-first sort of concepts I'll get my patches. So that's where we are. I hope that was useful, I hope it clarified a few things about what I can do with the native Azure functionality. Until next time, take care.
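The portal workflow walked through in the video (onboard, group machines by tag or by explicit list, pick classifications, set a schedule, duration and reboot behaviour, then check what the compliance scan reported) can also be scripted with the Az.Automation and Az.OperationalInsights PowerShell modules. The block below is an added example, not code from the video or from Microsoft; the subscription id, resource group, Automation account, workspace id, tag, KB number and runbook names are constructed placeholders, and the cmdlet parameters are the Az module ones as I know them.

```powershell
# Added example (not from the video): Update Management deployment schedules via Az PowerShell.
# Every name and id below is a constructed placeholder; replace with your own values.
$rg          = "rg-patching"                             # resource group of the Automation account
$aa          = "aa-updatemgmt"                           # Automation account linked to the workspace
$sub         = "00000000-0000-0000-0000-000000000000"    # placeholder subscription id
$workspaceId = "11111111-1111-1111-1111-111111111111"    # placeholder Log Analytics workspace id

# Schedules used by update deployments must be created with -ForUpdateConfiguration.
# Daily at 02:00 local time starting tomorrow, like the daily recurrence shown in the video.
$start = (Get-Date).Date.AddDays(1).AddHours(2)
$winSchedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aa `
    -Name "daily-windows" -StartTime $start -DayInterval 1 -ForUpdateConfiguration
$linSchedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aa `
    -Name "daily-linux" -StartTime $start -DayInterval 1 -ForUpdateConfiguration

# Dynamic group (the "Azure query" option): every onboarded VM in the subscription tagged
# patch-ring=daily. Machines that gain the tag later are picked up automatically.
$query = New-AzAutomationUpdateManagementAzureQuery -ResourceGroupName $rg -AutomationAccountName $aa `
    -Scope @("/subscriptions/$sub") -Tag @{ "patch-ring" = "daily" }

# Windows deployment: Critical + Security, 2-hour maintenance window, reboot only if required,
# one excluded KB (placeholder number) and pre/post runbooks (placeholder runbook names).
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $aa `
    -Schedule $winSchedule -Windows -AzureQuery $query `
    -IncludedUpdateClassification Critical, Security `
    -ExcludedKbNumber "0000000" `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired `
    -PreTask "Stop-AppService" -PostTask "Start-AppService"

# Linux deployment: same group, Critical + Security package classifications, never reboot
# (so reboots stay with a separate maintenance process).
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $aa `
    -Schedule $linSchedule -Linux -AzureQuery $query `
    -IncludedPackageClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting Never

# Verify the schedules exist, then read what the last compliance scan reported.
Get-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $aa |
    Select-Object Name, UpdateConfiguration

# The Update table only contains what each OS learned from its configured source
# (Microsoft Update, WSUS, apt/yum/zypper repo), so "0 missing" means "0 known missing".
$kql = @"
Update
| where TimeGenerated > ago(1d) and UpdateState == "Needed" and Optional == false
| where Classification in ("Critical Updates", "Security Updates")
| summarize MissingUpdates = dcount(Title), LastSeen = max(TimeGenerated) by Computer, OSType
| order by MissingUpdates desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql).Results |
    Format-Table Computer, OSType, MissingUpdates, LastSeen
```

Run it in a session already signed in with Connect-AzAccount; the Windows and Linux deployments share one Azure query, so a machine is patched by whichever deployment matches its OS.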
Info
Channel: John Savill's Technical Training
Views: 11,468
Keywords: azure, azure cloud, azure update management, guest patching, os patching, automatic update
Id: 8HPUKgKYNeY
Length: 25min 50sec (1550 seconds)
Published: Thu Mar 25 2021