Latest posts by Paul Schnackenburg (see all)
Traditional Infrastructure as a Service (IaaS) only provides you with servers, networking, and storage. You are responsible for the VM; as far as the provider is concerned, it’s a black box. Interestingly, Microsoft has changed that approach with the addition of an agent to your VMs in Azure, which provides extensions to enhance the functionality of your machines.
Installing the Azure VM agent
When you create a new machine in the current console (from Gallery, not Quick Create), simply click Install the VM Agent. This gives you access to the three management extensions (Chef, Puppet, and Custom Script) and a trio of antimalware options: Microsoft Antimalware, Symantec Endpoint Protection, and the Trend Micro Deep Security agent (do they sell a shallow one as well?). The AV options are mutually exclusive, whereas you can use the management options together if you need to.
Enabling the Azure VM agent with a Custom Script
If you have an existing VM where you want to install the Azure VM agent, follow these steps. This post also covers the scenario where you create your own VHD on premises and then upload it to Azure.
Note that regulations or other corporate rules might prevent you from running the agent in a VM. In that case, make sure you create the VM without the agent from the start: removing the agent from a VM that already has extensions enabled might cause instability and is not supported.
Azure VM extensions
After you install the VM agent, you can enable one or more extensions to unlock additional functionality in your VMs.
If you manage to lock yourself out of a Linux or Windows Azure VM by forgetting your username and/or password, your options prior to installation of the VM agent were limited. Now there’s a VM access extension that lets you reset the password of a Windows VM using PowerShell and reset the SSH key or password for a Linux VM. If you’ve messed up RDP access to the VM, you can also fix that through this extension.
The most basic use of extensions is enabling BGinfo, which displays information about the computer on the desktop background. This can be very useful when you’re remoting into multiple VMs in Azure, to keep track of which machine you’re on and what its settings are. Note that it’s not possible (yet) to customize BGinfo as you can when you use it on your own VMs.
If you’re using Windows Azure Pack on premises, you might have encountered the VM Role Authoring Tool, which you can use to create customized types of IaaS VMs through VMM 2012 R2 for your internal clients. Interestingly, you can use the Microsoft Enterprise Application Extension Handler in both your own VM roles that you create as well as for VMs running in Azure. The end result is that you can more easily port applications from on-premises locations to Azure (and back).
The Custom Script extension is the second most powerful extension. It allows you to run a single PowerShell script, or a series of scripts, on one or multiple VMs, with the scripts pulled from Azure storage containers. This also means that you no longer need to open ports on your Azure VMs for PowerShell remoting. (A separate article covers how to use Azure Automation to run commands on your VMs.) Another way to use this extension is to install Chocolatey (a package manager for Windows, similar to apt-get on Linux) and then install the applications you need in your VM.
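As an added example (not code from the original post), the following classic Azure PowerShell (Service Management cmdlets) uploads a bootstrap script that installs Chocolatey to a private storage container and then enables the Custom Script extension on an existing VM. The cloud service, VM, storage account and container names are placeholder assumptions.

```powershell
# Added example, not from the original post. Assumes the classic Azure PowerShell
# module (Service Management) with a subscription already selected, and an existing
# cloud service + Windows VM. All names below are placeholders.
$serviceName    = 'my-cloud-service'
$vmName         = 'web01'
$storageAccount = 'mystorageacct'
$container      = 'scripts'   # private container: the extension fetches the blob with the account key

# 1. The script that will run inside the VM. The extension runs it as LocalSystem,
#    so treat write access to this container as equivalent to admin on every VM that uses it.
$bootstrap = @'
Set-ExecutionPolicy Bypass -Scope Process -Force
# Chocolatey's published install one-liner
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
# Install the applications the VM needs
choco install -y git 7zip
'@
$localPath = Join-Path $env:TEMP 'install-choco.ps1'
Set-Content -Path $localPath -Value $bootstrap -Encoding ASCII

# 2. Upload the script to the storage container (created as private if missing)
$key = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$ctx = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $key
if (-not (Get-AzureStorageContainer -Name $container -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzureStorageContainer -Name $container -Permission Off -Context $ctx | Out-Null
}
Set-AzureStorageBlobContent -File $localPath -Container $container -Blob 'install-choco.ps1' `
    -Context $ctx -Force | Out-Null

# 3. Enable the Custom Script extension and run the script. No inbound port for
#    PowerShell remoting is needed; the VM agent pulls the blob itself.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureVMCustomScriptExtension -StorageAccountName $storageAccount -StorageAccountKey $key `
        -ContainerName $container -FileName 'install-choco.ps1' -Run 'install-choco.ps1' |
    Update-AzureVM

# 4. Read back what the extension reports for this VM
Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzureVMCustomScriptExtension
```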
The PowerShell Desired State Configuration (DSC) extension is the most powerful one. It enables you to deploy and manage your Azure VM configurations. Currently, this is only possible on Windows Server 2012 R2 VMs (because DSC relies on Windows Management Framework v5), but it clearly opens a lot of possibilities for automated configuration and management.
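The following is an added example (not from the original post) of the DSC extension workflow on a Windows Server 2012 R2 VM: a small baseline configuration is written to disk, packaged and uploaded with Publish-AzureVMDscConfiguration, then applied with Set-AzureVMDscExtension. Service, VM and storage account names are placeholder assumptions, and the configuration content is illustrative.

```powershell
# Added example, not from the original post. Assumes the classic Azure PowerShell
# module, a Windows Server 2012 R2 VM (WMF 5 is installed by the extension) and
# placeholder service/VM/storage names.
$serviceName    = 'my-cloud-service'
$vmName         = 'web01'
$storageAccount = 'mystorageacct'

# 1. A baseline DSC configuration: IIS present, SMB1 removed, Windows Firewall running.
$dsc = @'
Configuration WebServerBaseline
{
    Node 'localhost'
    {
        WindowsFeature IIS      { Name = 'Web-Server'; Ensure = 'Present' }
        WindowsFeature NoSmb1   { Name = 'FS-SMB1';    Ensure = 'Absent' }
        Service        Firewall { Name = 'MpsSvc'; State = 'Running'; StartupType = 'Automatic' }
    }
}
'@
$configPath = Join-Path $env:TEMP 'WebServerBaseline.ps1'
Set-Content -Path $configPath -Value $dsc -Encoding ASCII

# 2. Package the configuration (and any DSC modules it imports) into
#    WebServerBaseline.ps1.zip and upload it to the storage account.
$key = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$ctx = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $key
Publish-AzureVMDscConfiguration -ConfigurationPath $configPath -StorageContext $ctx -Force

# 3. Enable the DSC extension; the VM's Local Configuration Manager downloads the
#    archive, compiles the named configuration and enforces it.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureVMDscExtension -ConfigurationArchive 'WebServerBaseline.ps1.zip' `
        -ConfigurationName 'WebServerBaseline' -StorageContext $ctx |
    Update-AzureVM

# 4. Inspect the extension settings recorded for the VM
Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzureVMDscExtension
```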
If you’re using Azure for High Performance Computing (HPC), probably with the A8 and A9 size VMs, you can use the HPCVMDrivers extension to enable (or disable) the RDMA 32 Gbit/s interface for cluster node communication.
Antimalware agents
You can select one of three optional AV agents (see below). Note that, if your company has standardized on another antimalware tool, there’s the option to upload your own image to Azure or host an install share using Azure Files and install your AV software from there.
Microsoft Antimalware can run both on IaaS VMs and PaaS web and worker role VMs, and it’s free. You can exclude folders, processes, and file extensions from scanning (necessary if you’re running a DC in Azure, for instance) and configure scheduled scans and real-time protection.
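As an added example (not from the original post) of the exclusions and scan settings just described, this classic Azure PowerShell snippet writes a Microsoft Antimalware configuration for a VM running as a domain controller and enables the extension with it. The service and VM names are placeholders, and the exclusion list is illustrative, modelled on the kind of NTDS/SYSVOL exclusions Microsoft's Active Directory guidance lists.

```powershell
# Added example, not from the original post. Assumes the classic Azure PowerShell
# module and a placeholder cloud service / VM that runs as a domain controller.
$serviceName = 'my-cloud-service'
$vmName      = 'dc01'

# Extension settings: real-time protection on, a weekly quick scan
# (day 7 = Saturday, time = minutes after midnight, so 120 = 02:00), and only
# the exclusions a DC needs. Every exclusion is a blind spot for the scanner,
# so keep the list to the database, log and replication paths and processes
# rather than excluding whole drives or generic extensions such as .log.
$amConfig = @'
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": {
    "isEnabled": true,
    "day": 7,
    "time": 120,
    "scanType": "Quick"
  },
  "Exclusions": {
    "Extensions": ".dit;.edb;.jrs;.chk",
    "Paths": "C:\\Windows\\NTDS;C:\\Windows\\SYSVOL",
    "Processes": "lsass.exe;ntfrs.exe;dfsr.exe"
  }
}
'@
$configFile = Join-Path $env:TEMP 'antimalware-dc.json'
Set-Content -Path $configFile -Value $amConfig -Encoding ASCII

# Enable the extension with that configuration file
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureVMMicrosoftAntimalwareExtension -AntimalwareConfigFile $configFile |
    Update-AzureVM

# Read back the configuration the extension holds for this VM
Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzureVMMicrosoftAntimalwareExtension
```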
Symantec Endpoint Protection (SEP) is a 60-day trial that you can manage with your on-premises Symantec infrastructure. To license SEP, use your existing license mechanisms on premises.
The absolute coolest security extension (first announced at TechEd NA 2014) is CloudLink SecureVM, which uses BitLocker to protect both OS and data disks for your VMs, with the option of storing the keys in Active Directory or RSA’s Data Protection Manager. Trend Micro SecureCloud provides similar functionality, including giving you control over where the keys are stored.
VM configuration and management
You can also add extensions for automated management and configuration, such as Puppet and Chef, to your VMs. If you’re using these frameworks to manage your servers today, it’s logical to add your Azure applications and workloads to the same management framework. For Puppet, you need to define your Master Server; for Chef, you add your validation key and Client.rb file.
In true Microsoft fashion, running VMs on Azure provides a lot of different options and flexibility, and the expanding range of extensions certainly makes it easier to adapt your VMs to your particular requirements. If you’re learning about Azure and haven’t yet explored the VM agent and the possibilities it brings, spend some time experimenting.