top of page

Build and manage virtual machine compliance

Each enterprise has its own compliance regulations and standards. Regarding security, each company has its own risk appetite. Security standards can differ from one organization to another and from one region to another.

Following differing standards can be more challenging in dynamically scaling cloud environments than in on-premises systems. When teams use DevOps practices, there are usually fewer restrictions on who can create Azure resources like virtual machines (VMs). This fact complicates compliance challenges.

By using Azure Policy and role-based access control assignments, enterprises can enforce standards on Azure resources. But with VMs, these mechanisms only affect the control plane, or the route to the VM. The system images that run on a VM still pose a security threat. Some companies prevent developers from accessing VMs. This approach impairs agility, making it difficult to follow DevOps practices.

This article presents a solution for managing the compliance of VMs that run on Azure. Besides tracking compliance, the solution also minimizes the risk from system images that run on VMs. At the same time, the solution is compatible with DevOps practices. Core components include Azure VM Image Builder, Azure Compute Gallery, and Azure Policy.

Potential use cases

This solution applies to organizations with Azure landing zones that complete these tasks:

  • Supplying golden images to DevOps teams. A golden image is the published version of a marketplace image.

  • Testing and validating images before making them available to DevOps teams.

  • Tracking which image each DevOps team uses.

  • Enforcing company standards without degrading productivity.

  • Ensuring that DevOps teams use the latest image versions.

  • Managing the compliance of pet servers, which are maintenance intensive, and cattle servers, which are easily replaceable.


The solution consists of two processes:

  • The Golden Image publishing process

  • The process of tracking VM compliance

Golden image publishing process

The golden image publishing process runs monthly and contains these steps:

1. The process captures a base image from Azure Marketplace.

2. VM Image Builder customizes the image.

3. The process of image tattooing tracks image version information like the source and publish date.

4. Automated tests validate the image.

5. If the image fails any tests, it returns to the customization step for repairs.

6. The process publishes the finalized image.

7. Compute Gallery makes the image available to DevOps teams.

Tracking virtual machine compliance

The process of tracking VM compliance contains these steps:

1. Azure Policy assigns policy definitions to VMs and evaluates the VMs for compliance.

2. Azure Policy publishes compliance data for the VMs and other Azure resources to the Azure Policy dashboard.


  • VM Image Builder is a managed service for customizing system images. This service builds and distributes the images that DevOps teams use.

  • Compute Gallery helps you structure and organize custom images. By storing images in repositories, this service provides controlled access to the images. Users can be within and outside your organization.

  • Azure Policy offers policy definitions. You can use these definitions to enforce your organization's standards and to assess compliance at scale. The Azure Policy dashboard displays results from Azure Policy evaluations. This data keeps you informed about the compliance status of your resources.

  • The guest configuration feature of Azure Policy provides a way to dynamically audit or assign configurations to machines through code. The configurations generally include environment or operating system settings.


  • You can use a third-party tool to manage compliance. But with this type of tool, you usually need to install an agent on the target VM. You also may have to pay a licensing fee.

  • You can use custom script extensions for installing software on VMs or configuring VMs after deployment. But each VM or virtual machine scale set can only have one custom script extension. And if you use custom script extensions, you prevent DevOps teams from customizing their applications.

Benefits of Image Gallery

Effortless Collaboration 

Say goodbye to the days of manually distributing VM images and chasing down approvals. Image Gallery empowers you to effortlessly share images with authorized users within your organization. This fosters seamless collaboration between development and operations teams, accelerating deployment pipelines.

Global Reach

Break free from geographical constraints. Image Gallery shatters regional barriers, allowing you to distribute your VM images across various Azure regions. This ensures your applications are readily available wherever you need them, enabling rapid deployments for geographically dispersed teams.

Global Reach

Granular Access Control

Security at Your Fingertips Maintain complete control over who can access and utilize your images. Image Gallery integrates seamlessly with Azure Active Directory (AAD), allowing you to define precise access permissions for different user groups. This ensures that only authorized personnel can interact with your images, safeguarding your valuable resources.

Azure Active Directory (AAD)

Image Gallery leverages the robust security features of Azure Active Directory (AAD) to manage access permissions with precision. Here's how it ensures your images remain in safe hands:

User Groups and Permission-Based Roles

Define user groups within your AAD tenant and assign specific roles within the Image Gallery. These roles determine the level of access users have to image versions. You can grant read-only access for viewing image details, or assign full control for publishing updates and managing image versions.

Granular Control at Your Discretion

Image Gallery offers a high degree of granularity regarding access control. You can define exactly who can view image details, create new image versions, or delete existing ones. This ensures that only authorized personnel can interact with your images, safeguarding your development environment.


Identify pets and cattle

DevOps teams use an analogy called pets and cattle to define service models. To track a VM's compliance, first determine whether it's a pet or cattle server.

Restrict images

Don't allow DevOps teams to use Azure Marketplace VM images. Only allow VM images that Compute Gallery publishes. This restriction is critical for ensuring VM compliance. You can use a custom policy in Azure Policy to enforce this restriction.

Customize images

A golden image is the version of a marketplace image that's published to Compute Gallery. Golden images are available for consumption by DevOps teams.

Track image tattoos

Image tattooing is the process of keeping track of all image versioning information that a VM uses. This information is invaluable during troubleshooting and can include:

  • The original source of the image, such as the name and version of the publisher.

  • The operating system version string, which you need if there's an in-place upgrade.

  • The version of your custom image.

  • You publish date

Validate golden images with automated tests

Use a recurrent testing procedure for this purpose. As part of the image creation process, use an Azure pipeline or other automated workflow for testing. Set up the pipeline to deploy a new VM for running tests before the beginning of each month. The tests should confirm pared images before publishing them for consumption.

Publish golden images

Publish final images on Compute Gallery as a managed image or as a virtual hard disk (VHD) that DevOps teams can use. Mark any earlier images as aged. If you haven't set an end-of-life date for an image version in Compute Gallery, you might prefer to discontinue the oldest image.

Refresh golden images

When an image is used for an application, it can be hard to update the underlying operating system image with recent compliance changes. Strict business requirements can complicate the process of refreshing the underlying VM. Refreshing is also complex when the VM is critical to the business

Improve visibility

Generally, you should use Azure Policy to manage any control-plane compliance activity. You can also use Azure Policy for:

  • Tracking VM compliance.

  • Installing Azure agents.

  • Capturing diagnostic logs.

  • Improving the visibility of VM compliance.


Keep the following points in mind when you implement this solution.

Scalability considerations

You can configure the number of replicas that Compute Gallery stores of each image. A higher number of replicas minimizes the risk of throttling when you provision multiple VMs simultaneously. For general guidance on scaling and configuring an appropriate number of replicas.

Resiliency considerations

This solution uses managed components that are automatically resilient at a regional level. For general guidance on designing resilient solutions.


Unless you use a third-party service such as Ansible or Terraform, this approach is nearly free of charge. Storage and egress costs might apply. Other potential charges involve these components:

  • Azure Policy and Azure Policy guest configuration are free of charge for Azure resources. If your company uses a hybrid approach, there are extra charges for Azure Arc resources.

  • During the public preview period, VM Image Builder uses a single compute instance type with 1 vCPU and 3.5 GB of RAM. Charges might apply for data storage and transfer.

  • Compute Gallery has no charges except:

o The cost of storing replicas.

o Network egress charges for replicating images.

1 view0 comments

Recent Posts

See All


bottom of page