This blog has been co-authored by Maulik Shah, Senior Product Manager, Azure Compute
Linux-based operating systems (OS) routinely receive daily security updates to combat vulnerabilities. However, organizations often struggle with testing and applying the latest updates across their fleet at the same rate that updates are released. Additionally, it is not possible to point to a single update to apply across multiple regions, since Linux publishers do not support a release date. When updates are rolled out gradually, an organization may end up with different versions of the same update applied across its environment. This can increase the risk of a particular update impacting workloads if it has not been thoroughly tested beforehand.
Microsoft and Canonical have partnered to make it easier for our customers to stay current with OS updates and increase the security and resiliency of their workloads on Azure. Azure is the first cloud provider to collaborate with Canonical to integrate its snapshot service. Azure Guest Patching Service (AzGPS) and Azure Kubernetes Service (AKS) OS Security Channel will leverage the new capability to apply the same update consistently on a customer’s fleet across regions via Safe Deployment Practices (SDP).
“We’re thrilled to announce that Azure Guest Patching Service (AzGPS) and Azure Kubernetes Service (AKS) are the industry’s first cloud-native management platforms to collaborate with Canonical on the new repo snapshot functionality. With this new capability, AzGPS and AKS will extend Azure’s vision of providing comprehensive security solutions to our Linux customers without compromising reliability on Azure VM, Virtual Machine Scale Sets (VMSS) and AKS nodes. By applying the same patch payload across customer VMs while leveraging safe deployment principles (SDP) and health awareness, we are able to bring customer deployments seamlessly and safely to a consistent security level.” – Arun Kishan, Corporate Vice President & Technical Fellow, Azure Core Compute & Host
"We are pleased to announce that Canonical is the first Linux provider to integrate a snapshot service for cloud management and update reliability with Azure. In collaboration with Microsoft, this service simplifies the complex landscape of system updates, offering administrators a new standard for predictability and consistency. Through an integration with Azure Guest Patching Service (AzGPS) and Azure Kubernetes Service (AKS) OS Security channel, we enhance the resilience and security of Ubuntu workloads on Azure VM, Virtual Machine Scale Sets (VMSS) and AKS Nodes. This first-of-its-kind offering enables Linux users to implement Safe Deployment Practices with minimal effort, reinforcing Ubuntu as a dependable choice for cloud deployments." – Alex Gallagher, VP of Cloud
Scalable reliability through Auto Patching
There is no action required for customers that have enabled Auto Patching through Azure Guest Patching Service (AzGPS) or Azure Kubernetes Service (AKS) OS Security Channel (currently in preview), for AKS users leveraging other channels they can start testing these new capabilities in their environments. The platform will install a package that is snapped to a point-in-time by default. In the event a snapshot-based update cannot be installed. Customers can view the published-date information related to the update in Azure Resource Graph and the Instance View of the VM, or on the node information for AKS. The figure below highlights the difference between the current orchestration process and the expected reliability with snapshots.
Azure orchestration without snapshots
Today, each region gets the latest package as updates are applied across regions.
Scalable Reliability with Canonical Snapshots
Azure Guest Patching Service and AKS will now apply the same package update from a specific date to all regions due to the integration with Canonical’s snapshot service.
Enabling the snapshot capability on Azure Guest Patching Service and Azure Kubernetes Service
Customers of Azure Guest Patching and Azure Kubernetes Services will receive snapshot-based updates from November 2023. If the snapshot-based updates fail to install after a few attempts, the platform will apply the latest security package to keep the VMs and containerized workloads secure.
Azure Guest Patching Service: Enable Auto Guest Patching either through Powershell or CLI for your existing VMs or select “Azure Orchestration” during new VM creation in the Azure portal. There is no action required for customers that have already enabled Auto Guest Patching on their VM and VM Scale Sets. This capability is currently available for Single Instance VMs and VM Scale Set Flexible Orchestration.
Azure Kubernetes Service: Azure Kubernetes Service: Enable Node OS Auto Upgrade Security Patch channel through CLI, Bicep or Terraform for new or existing clusters. AKS regularly updates the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only." When the patches are applied, the VHD is updated and existing machines are upgraded to that VHD, honoring maintenance windows and surge settings for that cluster.
Summary
Customers of Azure Guest Patching and Azure Kubernetes Services will receive snapshot-based updates for a single point-in-time across their and containerized workloads for their Canonical images by following safe deployment principles. This is a game changer for Azure customers, since the platform can orchestrate updates and keep the updates in sync across regions. Azure is simplifying the way customers keep their assets secure, allowing homogeneity across customers’ fleet, and reducing the impact newer updates may have on customer workloads. Enable Auto Patching on your VMs, VM Scale Sets, and containerized workloads to take advantage of scalable reliability on your fleet.
