Increased security and resiliency of Canonical workloads on Azure - General Availability
Published May 02 2024 01:10 PM
Microsoft

Azure customers running Ubuntu workloads are now secure by default: Automatic VM Guest Patching applies patches consistently, following Safe Deployment Practices (SDP). Customers receive an Azure-driven package payload, enhancing security and resiliency across all regions and update cycles. This marks a significant advancement in providing a seamless and secure update experience, minimizing compatibility issues and elevating customer satisfaction.

 

Azure's collaboration with Canonical is redefining the industry benchmark for safely patching Linux distributions in the cloud. This partnership underscores Azure’s commitment to customer security since Ubuntu images are a significant presence on Azure. The snapshot capability allows for uniform updates across VM fleets, making Azure the first cloud provider to offer such a homogeneous update experience across regions. 

 

Scalable reliability through Auto Patching

 

No action is required for customers who have enabled Auto Patching through Azure Guest Patching Service (AzGPS). By default, the platform will install a package that is snapped to a point in time. If a snapshot-based update cannot be installed, the platform will install the latest update to ensure the VM is secured. Customers can view the published-date information related to the update in Azure Resource Graph and in the Instance View of the VM. The figures below highlight the difference between the current orchestration process and the expected reliability with snapshots.

 

Azure orchestration without snapshots

    

[Figure: Azure orchestration without snapshots]

Today, each region gets the latest package as updates are applied across regions.

 

Scalable Reliability with Canonical Snapshots

 

[Figure: Scalable reliability with Canonical snapshots]

Azure Guest Patching Service will now apply the same package update from a specific date to all regions due to the integration with Canonical’s snapshot service.


Enabling the snapshot capability on Azure Guest Patching Service 

 

Azure Guest Patching Service: Enable Auto Guest Patching either through PowerShell or CLI for your existing VMs or select “Azure Orchestration” during new VM creation in the Azure portal. There is no action required for customers that have already enabled Auto Guest Patching on their VM and VM Scale Sets. This capability is currently available for Single Instance VMs and VM Scale Set Flexible Orchestration.
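To find the Ubuntu VMs that still need the step above, the following added example (not code from the original post or from Microsoft) audits the JSON printed by `az vm list -o json` and emits the Azure CLI command that switches each VM to platform-orchestrated patching. The `osProfile.linuxConfiguration.patchSettings.patchMode` property and its `AutomaticByPlatform` value come from the Azure CLI VM model rather than from this post; the VM and resource group names are constructed sample data.

```python
import json
import shlex

# Constructed sample in the shape of `az vm list -o json` (all names are made up).
SAMPLE_VM_LIST = json.dumps([
    {"name": "web-01", "resourceGroup": "rg-prod",
     "storageProfile": {"imageReference": {"publisher": "Canonical"}},
     "osProfile": {"linuxConfiguration": {"patchSettings": {"patchMode": "AutomaticByPlatform"}}}},
    {"name": "web-02", "resourceGroup": "rg-prod",
     "storageProfile": {"imageReference": {"publisher": "Canonical"}},
     "osProfile": {"linuxConfiguration": {"patchSettings": {"patchMode": "ImageDefault"}}}},
    {"name": "batch-01", "resourceGroup": "rg-data(eu)",
     "storageProfile": {"imageReference": {"publisher": "canonical"}},
     "osProfile": {"linuxConfiguration": {"patchSettings": None}}},
    {"name": "win-01", "resourceGroup": "rg-prod",
     "storageProfile": {"imageReference": {"publisher": "MicrosoftWindowsServer"}},
     "osProfile": {"windowsConfiguration": {"patchSettings": {"patchMode": "AutomaticByOS"}}}},
    {"name": "restored-01", "resourceGroup": "rg-dr",
     "storageProfile": {"imageReference": None}, "osProfile": None},
])

def dig(obj, *keys):
    """Walk nested dicts, returning None if any level is missing or null."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def audit_patch_mode(vm_list_json):
    """Return (name, resource group, mode, fix command) for Canonical-image
    VMs whose patch mode is anything other than AutomaticByPlatform."""
    findings = []
    for vm in json.loads(vm_list_json):
        publisher = dig(vm, "storageProfile", "imageReference", "publisher") or ""
        if publisher.lower() != "canonical":
            continue  # not a Canonical marketplace image, or image origin unknown
        mode = dig(vm, "osProfile", "linuxConfiguration", "patchSettings", "patchMode")
        if mode == "AutomaticByPlatform":
            continue  # already on Azure-orchestrated guest patching
        fix = ("az vm update --resource-group {} --name {} --set "
               "osProfile.linuxConfiguration.patchSettings.patchMode=AutomaticByPlatform"
               ).format(shlex.quote(vm["resourceGroup"]), shlex.quote(vm["name"]))
        findings.append((vm["name"], vm["resourceGroup"], mode or "unset", fix))
    return findings

if __name__ == "__main__":
    for name, rg, mode, fix in audit_patch_mode(SAMPLE_VM_LIST):
        print(f"{rg}/{name}: patchMode={mode}\n  {fix}")
```

VMs restored from a specialized disk (no image reference) are skipped by the publisher filter, so review those separately.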

 

Summary

Customers of Azure Guest Patching will, by default, receive snapshot-based updates for a single point in time across their Canonical workloads, rolled out following safe deployment principles. This is a game changer for Azure customers, since the platform can orchestrate updates and keep them in sync across regions. Azure is simplifying the way customers keep their assets secure, allowing homogeneity across customers' fleets, and reducing the impact newer updates may have on customer workloads.

 

Last update: May 07 2024 01:05 PM