cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Internet connectivity for Azure VM updates?

shamik-ghosh
Copper Contributor

‎Jun 04 2021 11:19 AM

‎Jun 04 2021 11:19 AM

Internet connectivity for Azure VM updates?

We have two Windows Server 2019 VMs in Azure, and both have 1x public IP address, and 1x private ip address. The private IP address is on a VNET that has no route out to the internet. These VMs were set up with the Automatic updates enabled, and I have seen on both VMs that Windows Update client has been updating the OS successfully. We have no internal WSUS.

 

Is internet connectivity required for the Guest OS to perform updates from the Microsoft Updates, or is there connectivity provided via the internal Azure fabric? Basically, if we were to remove the public IP address, I assume the Windows Update client on the Guest OS would no longer be able to update, since the private IP has no way out to the internet?

 

Does the same apply if we decided to use Azure Update Management? Reading the tech docs on Azure Update Management, I'm led to believe that would also need internet connectivity to the Azure Update Management endpoints, so would that mean, again, removing the public IP address would stop that working?

Labels:
5,692 Views
0 Likes
3 Replies
Reply
3 Replies
Schnittlauch

‎Jun 06 2021 02:35 PM

‎Jun 06 2021 02:35 PM

Re: Internet connectivity for Azure VM updates?

Hi @shamik-ghosh ,

this is a tricky but a tbh very good question. I searched a lot, but I didn't found a 100% clearly solution.
If you have a Platform as a Service (PaaS) solution, this should work and there is no need of a public IP to get Updates (Just a guess).

If you don't find further information, I would recommend you to "pentest" it. Next Tuesday is Patchday, so you can check if you get updates.

Maybe not the best solution but maybe anyone else has an idea :)

Best regards,
Schnittlauch

"First, No system is safe. Second, Aim for the impossible. Third no Backup, no Mercy" - Schnittlauch

My answer helped you? Don't forget to leave a like. Also mark the answer as solved when your problem is solved. :)
0 Likes
Reply
best response confirmed by Gregor Reimling (MVP)
Luke Murray

‎Jun 11 2021 12:53 AM

‎Jun 11 2021 12:53 AM

Solution

Re: Internet connectivity for Azure VM updates?

Internet connectivity is required for Azure Update Management, Azure Update Management, acts as the management later, updates aren't distributed directly via the Azure fabric.

You need to have a route out to the internet: 0.0.0.0/0 (it's a default route that should be there, unless it has been overwritten to point to a network appliance such as Azure Firewall, or directed to some kind of proxy). Azure Virtual Machines, don't need Public IP addresses to access the internet, theoretically, if the routes for the internet are there and nothing is blocking the traffic, even without a public IP - it should work.
1 Like
Reply
Schnittlauch

‎Jun 11 2021 04:03 AM

‎Jun 11 2021 04:03 AM

Re: Internet connectivity for Azure VM updates?

@Luke Murray thanks for sharing your knowledge!
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Gregor Reimling (MVP)
Luke Murray

‎Jun 11 2021 12:53 AM

‎Jun 11 2021 12:53 AM

Solution

Re: Internet connectivity for Azure VM updates?

Internet connectivity is required for Azure Update Management, Azure Update Management, acts as the management later, updates aren't distributed directly via the Azure fabric.

You need to have a route out to the internet: 0.0.0.0/0 (it's a default route that should be there, unless it has been overwritten to point to a network appliance such as Azure Firewall, or directed to some kind of proxy). Azure Virtual Machines, don't need Public IP addresses to access the internet, theoretically, if the routes for the internet are there and nothing is blocking the traffic, even without a public IP - it should work.

View solution in original post

1 Like
Reply