Each enterprise has its own compliance regulations and standards. Regarding security, each company has its own risk appetite. Security standards can differ from one organization to another and from one region to another.
Following differing standards can be more challenging in dynamically scaling cloud environments than in on-premises systems. When teams use DevOps practices, there are usually fewer restrictions on who can create Azure resources like virtual machines (VMs). This fact complicates compliance challenges.
By using Azure Policy and role-based access control assignments, enterprises can enforce standards on Azure resources. But with VMs, these mechanisms only affect the control plane, or the route to the VM. The system images that run on a VM still pose a security threat. Some companies prevent developers from accessing VMs. This approach impairs agility, making it difficult to follow DevOps practices.
This article presents a solution for managing the compliance of VMs that run on Azure. Besides tracking compliance, the solution also minimizes the risk from system images that run on VMs. At the same time, the solution is compatible with DevOps practices. Core components include Azure VM Image Builder, Azure Compute Gallery, and Azure Policy.
Potential use cases
This solution applies to organizations with Azure landing zones that complete these tasks:
Supplying golden images to DevOps teams. A golden image is the published version of a marketplace image.
Testing and validating images before making them available to DevOps teams.
Tracking which image each DevOps team uses.
Enforcing company standards without degrading productivity.
Ensuring that DevOps teams use the latest image versions.
Managing the compliance of pet servers, which are maintenance intensive, and cattle servers, which are easily replaceable.
The solution consists of two processes:
The golden image publishing process
The process of tracking VM compliance
The golden image publishing process runs monthly and contains these steps:
1. The process captures a base image from Azure Marketplace.
2. VM Image Builder customizes the image.
3. The process of image tattooing tracks image version information like the source and publish date.
4. Automated tests validate the image.
5. If the image fails any tests, it returns to the customization step for repairs.
6. The process publishes the finalized image.
7. Compute Gallery makes the image available to DevOps teams.
The process of tracking VM compliance contains these steps:
1. Azure Policy assigns policy definitions to VMs and evaluates the VMs for compliance.
2. Azure Policy publishes compliance data for the VMs and other Azure resources to the Azure Policy dashboard.
VM Image Builder is a managed service for customizing system images. This service builds and distributes the images that DevOps teams use.
Compute Gallery helps you structure and organize custom images. By storing images in repositories, this service provides controlled access to the images. Users can be inside or outside your organization.
Azure Policy offers policy definitions. You can use these definitions to enforce your organization's standards and to assess compliance at scale. The Azure Policy dashboard displays results from Azure Policy evaluations. This data keeps you informed about the compliance status of your resources.
The guest configuration feature of Azure Policy provides a way to dynamically audit or assign configurations to machines through code. The configurations generally include environment or operating system settings.
You can use a third-party tool to manage compliance. But with this type of tool, you usually need to install an agent on the target VM. You may also have to pay a licensing fee.
You can use custom script extensions for installing software on VMs or configuring VMs after deployment. But each VM or virtual machine scale set can only have one custom script extension. So if you use that single extension for compliance, you prevent DevOps teams from using it to customize their applications.
Identify pets and cattle
DevOps teams use an analogy called pets and cattle to define service models. To track a VM's compliance, first determine whether it's a pet or cattle server.
Don't allow DevOps teams to use Azure Marketplace VM images. Only allow VM images that Compute Gallery publishes. This restriction is critical for ensuring VM compliance. You can use a custom policy in Azure Policy to enforce this restriction.
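An Azure Policy custom definition that enforces this restriction, added here as an example and not taken from the article. The parameter name galleryResourceId is an assumption; the two aliases are the standard storageProfile.imageReference.id aliases for VMs and scale sets. A marketplace image has no imageReference.id at all, so the like test fails and the effect fires for it too.

```json
{
  "properties": {
    "displayName": "Allow only images from the approved Compute Gallery",
    "description": "Denies (or audits) VMs and scale sets whose image does not come from the gallery that publishes golden images. Marketplace images carry no imageReference.id, so they fail the like test as well.",
    "mode": "Indexed",
    "parameters": {
      "galleryResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Approved Compute Gallery",
          "description": "Resource ID of the gallery, for example /subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Compute/galleries/<gallery>"
        }
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
              { "not": {
                  "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.id",
                  "like": "[concat(parameters('galleryResourceId'), '/images/*')]"
              } }
            ]
          },
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Compute/virtualMachineScaleSets" },
              { "not": {
                  "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.imageReference.id",
                  "like": "[concat(parameters('galleryResourceId'), '/images/*')]"
              } }
            ]
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Assign it at the landing-zone management group with effect set to Audit first so that existing VMs built from marketplace images surface in the Azure Policy dashboard, then switch to Deny once the DevOps teams have moved to gallery images.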
A golden image is the version of a marketplace image that's published to Compute Gallery. Golden images are available for consumption by DevOps teams.
Track image tattoos
Image tattooing is the process of keeping track of all image versioning information that a VM uses. This information is invaluable during troubleshooting and can include:
The original source of the image, such as the name and version of the publisher.
The operating system version string, which you need if there's an in-place upgrade.
The version of your custom image.
Your publish date.
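The publishing steps (marketplace source, customization, tattooing, distribution to Compute Gallery) and the four tattoo fields listed above, carried through in a single VM Image Builder template. This is an added illustration, not the article's own template: the identity, subscription, resource group and gallery IDs are placeholders, and the tattoo file /etc/image-tattoo, its key names and the golden image version 2024.03.1 are assumptions.

```json
{
  "type": "Microsoft.VirtualMachineImages/imageTemplates",
  "apiVersion": "2022-02-14",
  "name": "golden-ubuntu-2204",
  "location": "westeurope",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity>": {}
    }
  },
  "properties": {
    "buildTimeoutInMinutes": 80,
    "vmProfile": { "vmSize": "Standard_D2s_v3", "osDiskSizeGB": 30 },
    "source": {
      "type": "PlatformImage",
      "publisher": "Canonical",
      "offer": "0001-com-ubuntu-server-jammy",
      "sku": "22_04-lts-gen2",
      "version": "latest"
    },
    "customize": [
      {
        "type": "Shell",
        "name": "ApplyBaseline",
        "inline": [ "sudo apt-get update", "sudo DEBIAN_FRONTEND=noninteractive apt-get -y upgrade" ]
      },
      {
        "type": "Shell",
        "name": "TattooImage",
        "inline": [
          "printf 'SOURCE_IMAGE=Canonical/0001-com-ubuntu-server-jammy/22_04-lts-gen2\\n' | sudo tee /etc/image-tattoo",
          "printf 'OS_VERSION=%s\\n' \"$(. /etc/os-release && echo \"$VERSION\")\" | sudo tee -a /etc/image-tattoo",
          "printf 'GOLDEN_IMAGE_VERSION=2024.03.1\\n' | sudo tee -a /etc/image-tattoo",
          "printf 'PUBLISH_DATE=%s\\n' \"$(date -u +%Y-%m-%d)\" | sudo tee -a /etc/image-tattoo"
        ]
      }
    ],
    "distribute": [
      {
        "type": "SharedImage",
        "galleryImageId": "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Compute/galleries/<gallery>/images/golden-ubuntu-2204/versions/2024.03.1",
        "runOutputName": "golden-ubuntu-2204-2024-03-1",
        "replicationRegions": [ "westeurope", "northeurope" ]
      }
    ]
  }
}
```

Each monthly run changes only GOLDEN_IMAGE_VERSION, the version segment of galleryImageId and runOutputName; the user-assigned identity must be allowed to write image versions to the gallery, and the test pipeline deploys a VM from the resulting version before it is marked as the one DevOps teams consume.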
Validate golden images with automated tests
Use a recurring testing procedure for this purpose. As part of the image creation process, use an Azure pipeline or other automated workflow for testing. Set up the pipeline to deploy a new VM for running tests before the beginning of each month. The tests should validate the prepared images before you publish them for consumption.
Publish golden images
Publish final images on Compute Gallery as a managed image or as a virtual hard disk (VHD) that DevOps teams can use. Mark any earlier images as aged. If you haven't set an end-of-life date for an image version in Compute Gallery, you might prefer to discontinue the oldest image.
Refresh golden images
When an image is used for an application, it can be hard to update the underlying operating system image with recent compliance changes. Strict business requirements can complicate the process of refreshing the underlying VM. Refreshing is also complex when the VM is critical to the business.
Generally, you should use Azure Policy to manage any control-plane compliance activity. You can also use Azure Policy for:
Tracking VM compliance.
Installing Azure agents.
Capturing diagnostic logs.
Improving the visibility of VM compliance.
Keep the following points in mind when you implement this solution.
You can configure the number of replicas that Compute Gallery stores of each image. A higher number of replicas minimizes the risk of throttling when you provision multiple VMs simultaneously. For general guidance on scaling and configuring an appropriate number of replicas.
This solution uses managed components that are automatically resilient at a regional level. For general guidance on designing resilient solutions.
Unless you use a third-party service such as Ansible or Terraform, this approach is nearly free of charge. Storage and egress costs might apply. Other potential charges involve these components:
Azure Policy and Azure Policy guest configuration are free of charge for Azure resources. If your company uses a hybrid approach, there are extra charges for Azure Arc resources.
During the public preview period, VM Image Builder uses a single compute instance type with 1 vCPU and 3.5 GB of RAM. Charges might apply for data storage and transfer.
Compute Gallery has no charges except:
The cost of storing replicas.
Network egress charges for replicating images.