Customize your cloud VMs with Azure Image Builder

Create custom images for your virtual infrastructure that automatically follow your security policy.


One of the big advantages of cloud IaaS is convenience: you can launch a virtual machine whenever you need it, scale it, pause it or throw it away. But larger organizations want the VMs they use in the cloud to have security and configuration settings that match their own policies (and perhaps to pre-install specific apps they’ve created or licensed), which the default gallery images won’t do. Running scripts to customize those default images takes time; if it takes 10 minutes to install and configure the software, doing it with a script after every launch is too slow if you want to scale a workload on demand.

“Enterprise customers would rather have a ‘golden’ image (an image that meets all of their organizational requirements) that they can reuse when deploying additional VMs rather than deploying additional VMs and then running a provisioning script after deployment,” Microsoft said. Reusing an image makes scaling faster and more reliable while respecting policy. And once you have the process for creating images in place, you can easily rebuild them regularly to include OS and application updates.


But building and managing your own image pipeline to create those custom images means running additional infrastructure and managing additional software. Azure Image Builder (AIB) offers this as a cloud service: you get custom images that adhere to your security and management policies for the virtual infrastructure you run in the cloud, without having to learn tricky imaging pipelines and processes.

Choose your source image, create a template with the image configuration (reusing existing commands, scripts and build artifacts if you already have an image creation process, and pulling them from wherever they live so you don’t have to collect them in one place before running the build) and get an image or VHD that matches your compliance rules.

AIB includes role-based access control so you can choose who has access to the images. By default it creates a VNET, public IP address and network security group to communicate with the VM that builds the image, but if you have an existing VNET with resources on it, including configuration servers running Ansible, Chef, Puppet, DSC or similar, you can specify that instead and not use a public IP address at all.

Pack your policy configuration

AIB started as a feature of Azure Kubernetes Service that used HashiCorp Packer to create VHD images. Azure also supports the popular cloud-init tool to create Linux images from Azure Resource Manager templates, for example if you are automating the creation of an image to run the Azure IoT Edge runtime. “Packer is a bit more sophisticated than cloud-init (consider it a super bundle) and can also be used to install IoT Edge on custom VM images,” Microsoft said.

AIB turns this into a service, with flexible options on how you share images. You start with Windows or Linux images, from Azure Marketplace or existing custom images, and add your own customizations, whether it’s configuration choices, file copying or app installation (including rebooting the image if the installation requires it).

Recent versions of Ubuntu, RHEL, CentOS, SLES, Windows and Windows Server have been tested, but Microsoft says it should work with any Linux or Windows image, and if you already have a custom image, you can use AIB to patch it using the Linux or Windows Update customizers. The Windows Update customizer is based on the open source community Windows Update Provisioner for Packer.

You can use familiar commands like Sysprep (or waagent for Linux images) and copy files into the image from a GitHub repo or Azure storage. If you are downloading large files, you may prefer to script the download with wget, curl or, on Windows, Invoke-WebRequest.

For Windows VMs you can use PowerShell scripts to customize the image. Currently you can only use shell scripts (including any Packer shell provisioner scripts you already have) to customize Linux VMs; when we asked about PowerShell support for Linux, Microsoft only replied that “the team is always taking feature requests from customers.”

You can create images for specialized VM sizes, including creating images for GPU VMs.

The cost of AIB is only the VMs, storage and networking used to create your images each time; you would need that infrastructure however you build images, and AIB is probably more efficient than a pipeline you build yourself. Microsoft tells us that IT admins used to creating images for on-premises infrastructure shouldn’t find AIB difficult. “The only confusion may be in finding logs for failed AIB runs, which are in the storage account created in the IT_ resource group for their image. Customers will also need to know more about how build and release pipelines work, because DevOps has a specific feature where build bits are embedded into the image to run customizations on it.”


You can distribute the images you create with AIB as a shared image through Azure Compute Gallery, which lets you version images and replicate them to different Azure regions, ready to be used for VMs and virtual machine scale sets. You can also create a managed image in an Azure storage account and use a policy to determine who has access. Or you can generate a VHD and distribute it any way you want: via Azure Storage, publishing it to Azure Marketplace, copying it to Azure Stack infrastructure, or any other way you currently share VHDs.
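Putting the pieces described above together (a Marketplace source image, file copy, PowerShell and Windows Update customizers with a restart between them, an existing VNET subnet instead of a public IP, and distribution to Azure Compute Gallery plus a VHD), here is an added example of an AIB image template wrapped in an Azure Resource Manager deployment template. It is not from the article and not from Microsoft’s sample repository; the template name, the resource IDs passed as parameters, the artifact URL, the checksum placeholder, the VM size and the replication regions are all assumptions to replace with your own. The `//` comments are ARM template comments, which current Azure CLI and Azure PowerShell versions accept when deploying.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Placeholders: none of these values come from the article.
    "imageTemplateName": { "type": "string", "defaultValue": "win2019-golden" },
    "imageBuilderIdentityId": { "type": "string" }, // resource ID of a user-assigned managed identity
    "buildSubnetId": { "type": "string" },          // resource ID of an existing subnet in your VNET
    "galleryImageId": { "type": "string" }          // resource ID of an Azure Compute Gallery image definition
  },
  "resources": [
    {
      "type": "Microsoft.VirtualMachineImages/imageTemplates",
      "apiVersion": "2022-02-14",
      "name": "[parameters('imageTemplateName')]",
      "location": "[resourceGroup().location]",
      "identity": {
        // The build runs under this identity rather than the caller's credentials,
        // so it only needs rights on the gallery and the build subnet (least privilege).
        "type": "UserAssigned",
        "userAssignedIdentities": { "[parameters('imageBuilderIdentityId')]": {} }
      },
      "properties": {
        "buildTimeoutInMinutes": 120,
        "vmProfile": {
          "vmSize": "Standard_D2s_v3",
          "osDiskSizeGB": 127,
          // Supplying a subnet makes AIB build inside your VNET; no public IP is created.
          "vnetConfig": { "subnetId": "[parameters('buildSubnetId')]" }
        },
        // Start from a Marketplace (platform) image, always the latest patch level.
        "source": {
          "type": "PlatformImage",
          "publisher": "MicrosoftWindowsServer",
          "offer": "WindowsServer",
          "sku": "2019-Datacenter",
          "version": "latest"
        },
        // Customizers run in this order inside the temporary build VM.
        "customize": [
          {
            // Copy the hardening script into the image; the checksum rejects a tampered download.
            "type": "File",
            "name": "copyBaseline",
            "sourceUri": "https://example.invalid/artifacts/baseline.ps1",
            "destination": "C:\\buildArtifacts\\baseline.ps1",
            "sha256Checksum": "<sha256-of-baseline.ps1>"
          },
          {
            "type": "PowerShell",
            "name": "applyBaseline",
            "runElevated": true,
            "inline": [ "& C:\\buildArtifacts\\baseline.ps1" ]
          },
          {
            // Reboot so settings that need a restart take effect before patching.
            "type": "WindowsRestart",
            "restartTimeout": "10m"
          },
          {
            // Apply current updates, skipping preview releases.
            "type": "WindowsUpdate",
            "searchCriteria": "IsInstalled=0",
            "filters": [ "exclude:$_.Title -like '*Preview*'", "include:$true" ],
            "updateLimit": 40
          }
        ],
        "distribute": [
          {
            // Versioned gallery image, replicated to the regions where VMs will run.
            "type": "SharedImage",
            "galleryImageId": "[parameters('galleryImageId')]",
            "runOutputName": "galleryOutput",
            "artifactTags": { "source": "azureImageBuilder", "baseline": "win2019" },
            "replicationRegions": [ "westeurope", "northeurope" ]
          },
          {
            // Also emit a raw VHD for distribution outside the gallery.
            "type": "VHD",
            "runOutputName": "vhdOutput"
          }
        ]
      }
    }
  ]
}
```

Two practical notes. The identity needs permission to write to the gallery and to join the build subnet, and the subnet must allow the build VM to be reached from the AIB service (private link service network policies disabled on that subnet) or the build will hang until the timeout. When a customizer fails, the place to look is the customization.log blob in the storage account that AIB creates in the IT_ staging resource group mentioned above.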

If you’re looking for samples on how to get the most out of AIB, you can get Azure Resource Manager samples from the template repository, which use parameters you fill in with your own details.

If you want to integrate this into a CI/CD pipeline, there are examples for calling AIB from a GitHub Action and distributing the images the workflow creates. Or you can run the Azure DevOps task, which uses AIB to inject build artifacts into a VM as part of a DevOps pipeline (although it doesn’t support Windows restarts, so it’s more convenient for Linux VMs; you’ll need several extra steps to use it for Windows VMs). The AIB DevOps task also only supports one inline script customizer and does not yet support Gen2 images.

AIB is also useful for creating custom images for Azure Virtual Desktop, for patching and image lifecycle management, Microsoft points out.

“Today, a significant percentage of AVD session hosts are created using custom images, with the typical customer having to patch their ‘golden’ image once a month with the latest feature and security updates. For this reason, Azure Image Builder can play a key role here by providing AVD customers with an efficient way to maintain a ‘golden’ image without having to manually apply customizations or patch updates.”
