In this guest blog post, Mia LaVada, a product manager at the Center for Internet Security (CIS), explains how to ensure Linux image performance and availability in Microsoft Azure.
Cloud computing offers many benefits for your business. Cloud infrastructure makes sense for both small organizations and large enterprises interested in taking advantage of modern security solutions and flexible computing power. With Microsoft Azure, you can go beyond the limits of on-premises datacenters with more regions than any other provider.
But just being established in the cloud isn’t the end of the mission. You must ensure the performance and availability of your applications and services in Microsoft Azure to fully reap many of the cloud computing benefits. For example:
We at the Center for Internet Security understand the importance of performance and availability for your cloud environments. That’s why we’ve partnered with the Microsoft Azure team to test CIS Hardened Images for Linux using Azure Monitor Agent (AMA). We explore what this compatibility means for you below.
Visualizing performance and availability in Microsoft Azure
Azure Monitor is a service that helps you evaluate the availability and performance of your applications and services in Microsoft Azure. It uses telemetry to provide you with an overview of your applications. With that information, you can proactively remediate issues that undermine the availability and performance of your apps and their dependent resources.
A high-level view of Azure Monitor. (Source: Microsoft Azure)
In the past, Azure Monitor employed legacy monitoring agents for data collection. Now Azure Monitor Agent does that work. First, it gathers data from the guest operating systems of Azure and hybrid virtual machine images. It then feeds that data into Azure Monitor, where it informs insights and other services such as Microsoft Sentinel.
As noted in its documentation, AMA sends various types of information to Azure Monitor. These include logs, or events that occurred within the system, and traces, or series of related events that follow a user request through a distributed system. These and other pieces of data help you monitor the health and performance of Azure virtual machines (VMs) at scale, including Linux VMs.
Helping you make the most of CIS Hardened Images for Linux
Overall, the process of testing the CIS Hardened Images for Linux went smoothly. The Azure team made a few tweaks to AMA throughout the investigation with CIS to account for the differences across various Linux distributions. Even so, there weren't any issues in which the AMA functionality was degraded when installed on a CIS machine.
When the Azure team made changes to AMA, it did so to address failures to comply with CIS Benchmarks settings after AMA was installed. Primarily, these changes involved file/directory ownership (overly lax permissions) and the network setup of an AMA sub-component (it was listening on all interfaces rather than loopback).
With this testing period over, Azure Monitor Agent is now validated for successful deployment and overall functionality (end-to-end data flow for all data types) on images for the following CIS Benchmarks:
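The two classes of finding described above can be checked on any hardened host after an agent is installed. The following is an added example, not code from CIS, Microsoft, or AMA: the function names, the sample `ss -H -ltn` output and its ports are constructed, and treating group/world-writable entries or a non-root owner as "overly lax" is an assumption.

```python
import ipaddress
import os
import stat

# Constructed `ss -H -ltn` output (State Recv-Q Send-Q Local Peer); ports are made up.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:13005 0.0.0.0:*
LISTEN 0 128 0.0.0.0:13006 0.0.0.0:*
LISTEN 0 128 [::1]:13007 [::]:*
LISTEN 0 128 *:13008 *:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

def non_loopback_listeners(ss_output):
    """Return the local address:port of every listener not bound to loopback."""
    flagged = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        host = local.rpartition(":")[0]
        host = host.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
        try:
            if not ipaddress.ip_address(host).is_loopback:
                flagged.append(local)
        except ValueError:
            flagged.append(local)  # "*" or unparseable: report, never pass silently
    return flagged

def lax_paths(root, expected_uid=0):
    """Return (relative path, reasons) for entries that are group/world-writable
    or not owned by expected_uid (root by default, an assumption)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful on Linux
            reasons = []
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group/world-writable")
            if st.st_uid != expected_uid:
                reasons.append("unexpected owner")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

if __name__ == "__main__":
    print(non_loopback_listeners(SAMPLE_SS))
```

On a real host, feed `non_loopback_listeners` the output of `ss -H -ltn` and point `lax_paths` at the agent's install directory, comparing results before and after installation.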
What’s more, the Azure team has integrated CIS Hardened Images into the pre-release validation process for continual re-validation when new AMA versions become available. This ensures no AMA functionality regression, thereby helping you maintain the performance and availability of these pre-hardened virtual machine images for Linux.
An ongoing commitment
CIS is committed to working with Microsoft to make products more secure and available on a variety of Linux environments, benchmarks, and settings. To that end, we are glad to announce the compatibility of AMA and CIS Hardened Images for Linux.