Patching in Azure
What is patching?
A patch is a set of modifications to a computer program or its supporting data that are intended to update, correct, or improve it. This includes fixing security flaws and defects, which are commonly referred to as bugfixes. Patches are frequently released to improve a program's functionality, usability, and performance. For operating system and application upgrades, the bulk of patches are supplied by the software vendors.
Patches can be installed using a debugger or an editing tool. They can be applied to software files stored on a hard drive, on another storage device, or in computer memory. Patches can be long-term or short-term.
Poorly constructed patches, while intended to solve issues, can occasionally introduce new ones. In rare cases, updates may purposefully destroy or deactivate a device, such as by deleting components for which the update provider no longer has a license.
Patch management is a subset of lifecycle management and refers to the process of determining which patches should be deployed to which systems at what time.
Patching for Azure VMs
Enabling automatic VM guest patching for your Azure VMs simplifies update management by patching virtual machines securely and automatically to maintain security compliance.
The following are the features of Azure automatic VM guest patching:
• Critical and security patches are automatically downloaded and installed on the VM.
• Patches are applied during the VM's off-peak hours; Azure manages the patch orchestration, and patches are deployed following availability-first principles.
• Patch failures are detected by monitoring the health of VMs as reported by platform health signals.
• Compatible with all virtual machines.
Automatic VM guest patching is the most recent and best approach to patching your device or system.
How does Automatic VM Guest Patching work?
When automatic VM guest patching is enabled on a VM, all critical and security patches are automatically downloaded and applied to the VM. When fresh patches are released each month, this process begins automatically. Patch assessment and installation are automated, and the process restarts the virtual machine as needed.
To identify the appropriate patches for a VM, the VM is assessed every few days and multiple times within each 30-day period. The patches can be applied to the VM at any time during off-peak hours.
Patches are applied within 30 days of the monthly patch release. Patches are only applied during the VM's off-peak hours, which vary based on the VM's time zone.
For the automatic patch updates to be installed, the VM must be running during off-peak hours. If a VM is turned off during a periodic assessment, it will be automatically assessed and any necessary patches will be applied during the next periodic assessment.
Definition updates and several other changes are not classified as critical or security patches, so they will not be installed automatically. You can use Update Management to install patches of other classifications or to schedule a patch installation.
Availability-first principle
Azure orchestrates the patch installation process for all VMs that have Automatic VM Guest Patching enabled. This orchestration follows the availability-first principle across Azure's different levels of availability.
For a group of VMs undergoing an update, Azure carries out the rollout as follows:
Across regions:
To avoid global deployment problems, a monthly update is distributed gradually throughout the Azure platform in phases.
A phase can have one or more regions, and an update can only proceed to the next phase if all eligible VMs in the current phase have been successfully updated.
The health of the VMs after an update is used to determine the update's success. The health of each VM is monitored via platform health indicators.
Within a region:
The same update is not applied to VMs in different time zones at the same time.
To prevent synchronized updates of all the VMs in a subscription, VMs that are not part of an availability set are batched on a best-effort basis.
The patch installation date for a particular VM may change from month to month, as a given VM may be picked up in a different batch between monthly patching rounds.
Which patches are installed?
The patches installed are determined by the VM's rollout phase. Every month, a new global rollout begins, in which all security and critical patches that have been assessed for an individual VM are deployed. The rollout is done in batches across all Azure regions.
The precise patch set to be installed depends on the VM configuration, such as the OS type and the assessment timing.
It is quite likely that two identical VMs in different regions will receive different patches if more or fewer patches are available when the rollout reaches each region at a different time. VMs in the same region but assessed at different times may also receive different patches, though this happens less often.
VMs configured to use the public repository for their OS, such as Windows VMs pointed at the public Windows Update repository, should expect to receive the same set of patches across the multiple rollout phases in a month for operating systems that release fixes on a predetermined cycle. If a VM is switched on during off-peak hours, it will receive at least one patch rollout each month, since fresh rollouts are triggered every month. On a monthly basis, this method guarantees that the VM is patched with the latest available security and critical updates. You may configure your VMs to assess and download patches from your own private repositories to ensure consistency in the patch set deployed.
Requirements for enabling automatic VM guest patching
· The Azure VM Agent for Windows or Linux must be installed on the virtual machine.
· For Linux VMs, the Azure Linux agent must be version 2.2.53.1 or above. If the current version of the Linux agent is lower than the required version, it should be updated.
· For Windows VMs, the Windows Update service must be running on the virtual machine.
· The virtual machine must be able to reach the configured update endpoints. If your virtual machine is set to use private repositories for Linux or Windows Server Update Services (WSUS) for Windows VMs, the required update endpoints must be reachable.
· To access the complete feature set, including on-demand assessment and patching, use Compute API version 2021-03-01 or above.
· Custom images are not currently supported.
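To turn the requirements above into a repeatable pre-flight check, the following added example (not Azure's or Microsoft's code) audits a VM's resource model and instance view for the prerequisites the list states. The two inputs are constructed samples shaped like the `properties` of an `az vm show` result and the `instanceView` object; the checks for "Windows Update service running" and "custom image" use the closest ARM-visible proxies (`enableAutomaticUpdates` and `imageReference.id`), which is an assumption of this example.

```python
"""Audit an Azure VM for the automatic VM guest patching prerequisites.
Added example (not Azure's own code); inputs are constructed samples."""

MIN_LINUX_AGENT = (2, 2, 53, 1)  # minimum Linux agent version from the requirements


def parse_version(text: str) -> tuple:
    """'2.2.53.1' -> (2, 2, 53, 1); non-numeric or missing parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in (text or "").split("."))


def audit_vm(vm: dict, instance_view: dict) -> list:
    """Return the list of unmet prerequisites (an empty list means ready)."""
    problems = []
    props = vm.get("properties", {})
    os_profile = props.get("osProfile", {})
    win = os_profile.get("windowsConfiguration")
    linux = os_profile.get("linuxConfiguration")
    cfg = win if win is not None else (linux or {})
    # 1. The Azure VM Agent must be provisioned on the VM.
    if not cfg.get("provisionVMAgent", False):
        problems.append("VM Agent is not provisioned")
    # 2. Linux agent version (reported in the instance view) must be >= 2.2.53.1.
    agent_ver = instance_view.get("vmAgent", {}).get("vmAgentVersion", "")
    if linux is not None and parse_version(agent_ver) < MIN_LINUX_AGENT:
        problems.append(f"Linux agent {agent_ver or 'unknown'} < 2.2.53.1")
    # 3. Windows Update must be enabled (ARM flag as proxy; service state is checked in-guest).
    if win is not None and not win.get("enableAutomaticUpdates", False):
        problems.append("Windows automatic updates disabled")
    # 4. Platform orchestration requires patchMode AutomaticByPlatform.
    mode = cfg.get("patchSettings", {}).get("patchMode")
    if mode != "AutomaticByPlatform":
        problems.append(f"patchMode is {mode!r}, expected 'AutomaticByPlatform'")
    # 5. Custom images are not supported; imageReference.id marks a custom/gallery image (assumption).
    if props.get("storageProfile", {}).get("imageReference", {}).get("id"):
        problems.append("VM built from a custom image")
    return problems


# Constructed sample: a Linux VM on an old agent, still in ImageDefault patch mode.
SAMPLE_VM = {"properties": {
    "osProfile": {"linuxConfiguration": {"provisionVMAgent": True,
                                         "patchSettings": {"patchMode": "ImageDefault"}}},
    "storageProfile": {"imageReference": {"publisher": "Canonical",
                                          "offer": "0001-com-ubuntu-server-focal",
                                          "sku": "20_04-lts"}}}}
SAMPLE_VIEW = {"vmAgent": {"vmAgentVersion": "2.2.49"}}

if __name__ == "__main__":
    for problem in audit_vm(SAMPLE_VM, SAMPLE_VIEW):
        print("-", problem)
```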