You can use Update Management in Azure Automation to manage operating system updates for your Windows and Linux virtual machines in Azure, and for physical and virtual machines in on-premises and other cloud environments. You can quickly assess the status of available updates and manage the process of installing required updates on the machines that report to Update Management.
Microsoft offers other capabilities to help you manage updates for your Azure VMs or Azure virtual machine scale sets that you should consider as part of your overall update management strategy.
If you want to automatically assess and update your Azure virtual machines to stay compliant with the Critical and Security updates released each month, review Automatic VM guest patching. It is an alternative to managing update deployments from Update Management in Azure Automation: the platform auto-updates the VMs, including VMs within an availability set, during off-peak hours.
If you manage Azure virtual machine scale sets, review how to perform automatic OS image upgrades to safely and automatically upgrade the OS disk for all instances in the scale set.
This reference architecture illustrates how to design a hybrid update management solution to manage updates on both Microsoft Azure and on-premises Windows and Linux computers.
Typical uses for this architecture include:
Managing updates across on-premises machines and Azure VMs by using the Update Management component of an Automation account.
Using scheduled deployments to orchestrate the installation of updates within a defined maintenance window.
Architecture
The architecture consists of the following services:
Log Analytics workspace
A Log Analytics workspace is a data repository for log data that's collected from resources that run in Azure, on-premises, or in another cloud provider.
Automation Hybrid Worker solution
Create Hybrid Runbook Workers to run Azure Automation runbooks on your Azure and non-Azure computers.
Automation account
This is a cloud service that automates configuration and management across your Azure and non-Azure environments.
Hybrid Runbook Worker
This is a computer that's configured with the Hybrid Runbook Worker feature and can run runbooks directly on the computer and against the resources in the local environment.
Hybrid Runbook Worker group
A group of Hybrid Runbook Workers, used for high availability: a runbook targeted at the group runs on any available member.
Runbook
This is a collection of one or more linked activities that together automate a process or operation.
On-premises computers and VMs
Physical computers and VMs running Windows or Linux operating systems that reside on-premises.
Azure VMs
Azure VMs include Windows or Linux VMs that are hosted in Azure.
Components
Enable Update Management for Azure VMs
Enable Update Management for Azure VMs by using the following tools:
Azure Resource Manager template. Microsoft provides a sample template that can automate the creation of an Azure Log Analytics workspace, creating an Automation account, linking the Automation account to the Log Analytics workspace, and enabling Update Management.
Update Management from the Azure portal. Use this method when you want to update multiple VMs that reside in different regions.
Update Management from an Azure VM. This configures updates for the selected VM only.
Update Management from an Automation account. Use this method when you want to update both Azure and non-Azure computers and VMs at the same time.
Update Management from a runbook. Use this method to enable Update Management as an automated procedure combined with other automation activities.
Configure Windows Update settings
Azure Update Management depends on the Windows Update client to download and install updates, either from Windows Update (the default) or from Windows Server Update Services (WSUS). Configure the Windows Update client to connect to WSUS by using one of the following:
Local Group Policy Editor
Group Policy
PowerShell
Directly editing the registry
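The following is an added example, not code from the original article: it applies the same WSUS policy values from PowerShell that the Group Policy settings "Specify intranet Microsoft update service location" and "Configure Automatic Updates" write, then verifies the result and asks the client to re-scan. Run it elevated on the managed machine. The WSUS URL is an assumption; substitute your own server. It uses HTTPS (the default WSUS SSL port, 8531) so that the client validates the server before trusting anything it offers.

```powershell
# Added example (not from the original article): point the Windows Update client at WSUS
# by writing the policy registry values that Group Policy would set, then verify.
# Assumption: the WSUS server below is fictitious; replace with your own (HTTPS recommended).

$WsusUrl = 'https://wsus.corp.example.com:8531'

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

foreach ($key in @($wuPolicy, $auPolicy)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Intranet update server and the statistics (reporting) server. Both are REG_SZ and
# include the port; the values are what "Specify intranet Microsoft update service
# location" writes.
Set-ItemProperty -Path $wuPolicy -Name 'WUServer'       -Value $WsusUrl -Type String
Set-ItemProperty -Path $wuPolicy -Name 'WUStatusServer' -Value $WsusUrl -Type String

# UseWUServer=1 makes the client use WUServer instead of the public Windows Update service.
Set-ItemProperty -Path $auPolicy -Name 'UseWUServer' -Value 1 -Type DWord

# AUOptions=3 = "auto download and notify for install": the client pre-downloads approved
# updates but does not install them on its own, so the Update Management deployment
# window decides when installation and reboots happen.
Set-ItemProperty -Path $auPolicy -Name 'AUOptions' -Value 3 -Type DWord

# The Windows Update service reads policy at start-up.
Restart-Service -Name wuauserv

# Verify what the client will actually use.
$effective = [pscustomobject]@{
    WUServer       = (Get-ItemProperty -Path $wuPolicy).WUServer
    WUStatusServer = (Get-ItemProperty -Path $wuPolicy).WUStatusServer
    UseWUServer    = (Get-ItemProperty -Path $auPolicy).UseWUServer
    AUOptions      = (Get-ItemProperty -Path $auPolicy).AUOptions
}
$effective | Format-List

# Confirm the server port is reachable from this machine before relying on the setting;
# a blocked port shows up later as "not assessed" machines in Update Management.
$uri = [uri]$WsusUrl
$probe = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "Cannot reach $($uri.Host):$($uri.Port); check firewall rules and the WSUS binding."
}

# Trigger a detection cycle against the new server via the documented Windows Update
# Agent COM interface (IAutomaticUpdates::DetectNow).
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
```

If these keys are also managed by Group Policy, the domain policy overwrites whatever you set locally at the next refresh, so treat the script as a way to configure workgroup or lab machines and to verify what policy has delivered on domain members.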
Use dynamic groups for Azure and non-Azure machines
Dynamic groups for Azure VMs filter VMs based on a combination of:
Subscriptions
Resource groups
Locations
Tags
Dynamic groups for non-Azure computers use saved searches to filter the computers for deployment of the update. Saved searches, also known as computer groups, can be created by using:
A log query. Define a Kusto Query Language (KQL) query in the Log Analytics workspace whose logical expression filters the computers.
Active Directory Domain Services. A computer group is created in the Log Analytics workspace for the members of an Active Directory domain.
Endpoint Configuration Manager. Import computer collections from Endpoint Configuration Manager into a Log Analytics workspace.
WSUS. Groups that are created in WSUS servers can be imported into a Log Analytics workspace.
Scalability considerations
Azure Automation can process up to 1,000 computers per update deployment. If you expect to update more than 1,000 computers, you can split up the updates among multiple update schedules. Refer to Azure subscription and service limits, quotas, and constraints.
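The following is an added example, not code from the original article or the Azure documentation; it ties together the dynamic groups described above and the 1,000-machine limit per deployment. Azure VMs are selected dynamically by subscription, location and tag with New-AzAutomationUpdateManagementAzureQuery; non-Azure machines, whose names are constructed here to stand in for the names the workspace reports, are split into batches so that no single deployment targets more than 1,000 of them, and each batch gets its own schedule. The resource group, account name, regions, tag and host names are assumptions.

```powershell
# Added example (not from the original article). Assumes the Az.Accounts and Az.Automation
# modules are installed and that Connect-AzAccount has already been run.
# Resource group, account, regions, tag and computer names are assumptions for illustration.

$rg      = 'rg-updatemgmt'
$account = 'aa-updatemgmt'
$subId   = (Get-AzContext).Subscription.Id
$maxPerDeployment = 1000    # Azure Automation limit per update deployment

function New-WeeklyUpdateSchedule {
    # One schedule per deployment; ForUpdateConfiguration marks it for Update Management.
    param([string] $Name, [datetime] $StartTime)
    New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
        -Name $Name -StartTime $StartTime -DaysOfWeek Sunday -WeekInterval 1 `
        -TimeZone 'UTC' -ForUpdateConfiguration
}

# --- Azure VMs: a dynamic group evaluated when each deployment runs -----------------
# All Windows VMs in this subscription, in the listed regions, tagged Patch=Sunday.
# The resolved size of a dynamic group also counts toward the 1,000 limit, so keep the
# scope narrow enough (regions, tags) that it cannot grow past it unnoticed.
$azureQuery = New-AzAutomationUpdateManagementAzureQuery `
    -ResourceGroupName $rg -AutomationAccountName $account `
    -Scope @("/subscriptions/$subId") `
    -Location @('eastus', 'westeurope') `
    -Tag @{ Patch = 'Sunday' }

$firstWindow = (Get-Date).Date.AddDays(1).AddHours(2)   # 02:00 tomorrow, adjusted to Sunday by the schedule

$azureSchedule = New-WeeklyUpdateSchedule -Name 'Sunday-Security-AzureVMs' -StartTime $firstWindow
New-AzAutomationSoftwareUpdateConfiguration `
    -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $azureSchedule -Windows -AzureQuery $azureQuery `
    -IncludedUpdateClassification Security, Critical `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired | Out-Null

# --- Non-Azure machines: explicit names, batched under the limit -------------------
# Constructed sample of 1,250 names; in practice take them from the workspace's Heartbeat
# table or from a saved search (computer group).
$nonAzure = 1..1250 | ForEach-Object { 'onprem-srv-{0:d4}.corp.example.com' -f $_ }

$batches = for ($i = 0; $i -lt $nonAzure.Count; $i += $maxPerDeployment) {
    $last = [Math]::Min($i + $maxPerDeployment, $nonAzure.Count) - 1
    , $nonAzure[$i..$last]           # leading comma keeps each batch a single array element
}

$n = 0
foreach ($batch in $batches) {
    $n++
    # Stagger batches by the window length so that maintenance windows don't overlap.
    $start    = $firstWindow.AddHours(2 * $n)
    $schedule = New-WeeklyUpdateSchedule -Name "Sunday-Security-OnPrem-Batch$n" -StartTime $start

    New-AzAutomationSoftwareUpdateConfiguration `
        -ResourceGroupName $rg -AutomationAccountName $account `
        -Schedule $schedule -Windows -NonAzureComputer $batch `
        -IncludedUpdateClassification Security, Critical `
        -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired | Out-Null

    Write-Output ("Batch {0}: {1} computers, window starts {2:u}" -f $n, $batch.Count, $start)
}
```

Keeping the dynamic Azure group in its own deployment, separate from the batched non-Azure lists, means a growing tag scope only affects that deployment, and a failed batch can be re-run without touching the others.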
Availability considerations
Currently, linking a Log Analytics workspace to an Automation account is supported only in certain region pairs. For further information, refer to Supported regions for the linked Log Analytics workspace.
Supported client types: Update assessment and patching are supported on Windows and Linux computers that run in Azure or in your on-premises environment. Currently, Windows client operating systems aren't officially supported; only server operating systems are. For a list of the supported clients, refer to Supported client types.
Security considerations
Update Management permissions
The Update Management component of Automation and the Log Analytics workspace component of Monitor can use Azure role-based access control (Azure RBAC) with built-in roles from Azure Resource Manager. For segregation of duties, these roles can be assigned to different users, groups, and security principals, so that the people who author runbooks, the people who schedule deployments, and the people who read update assessment data don't need the same permissions. For a list of the roles in Automation accounts, refer to Manage role permissions and security.
Encryption of sensitive assets in Automation
An Automation account can contain sensitive assets such as credentials, certificates, and encrypted variables that runbooks might use. Each secure asset is encrypted by default using a data encryption key that's generated for each Automation account. These keys are in turn encrypted and stored in Automation with an account encryption key. By default, the account encryption key is encrypted by using Microsoft-managed keys; customers who want to manage encryption with their own keys can store it in Azure Key Vault. For guidance on applying encryption to secure assets, refer to Encryption of secure assets in Azure Automation.
Runbook permissions for a Hybrid Runbook Worker
By default, runbooks on a Hybrid Runbook Worker run in the system context of the machine where the worker is deployed. A runbook provides its own authentication to local and Azure resources. Authentication can be configured by using managed identities for Azure resources, or by specifying a Run As account to provide a user context for all runbooks.
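The following is an added example, not a runbook from the original article: the body of a runbook that authenticates to Azure with the Automation account's managed identity rather than a Run As account, and then reports failed update-deployment runs. On a Hybrid Runbook Worker the script still executes under the local system context described above; Connect-AzAccount -Identity only gives it an Azure identity whose reach is bounded by the RBAC roles assigned to that identity. The resource group and account names are assumptions.

```powershell
# Added example (not from the original article): runbook body using a managed identity.
# Assumptions: the Automation account has a system-assigned managed identity, and that
# identity holds a read role on the account (for example Automation Operator) and nothing more.

param(
    [string] $ResourceGroupName     = 'rg-updatemgmt',   # assumed
    [string] $AutomationAccountName = 'aa-updatemgmt',   # assumed
    [string] $UserAssignedClientId  = ''                  # optional: client ID of a user-assigned identity
)

# Make sure nothing below inherits a cached login from another job on the same worker.
Disable-AzContextAutosave -Scope Process | Out-Null

# Authenticate as the managed identity. No credential is stored in the account or on the
# worker; the token is issued by the platform to this identity only.
if ($UserAssignedClientId) {
    $ctx = (Connect-AzAccount -Identity -AccountId $UserAssignedClientId).Context
} else {
    $ctx = (Connect-AzAccount -Identity).Context
}
Write-Output ("Running as {0} in subscription {1}" -f $ctx.Account.Id, $ctx.Subscription.Id)

# Report update deployment runs that failed; the identity needs only read permission for this.
$failed = Get-AzAutomationSoftwareUpdateRun `
    -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName `
    -Status Failed

if ($failed) {
    Write-Output ("{0} failed update run(s):" -f @($failed).Count)
    $failed | Format-Table -AutoSize
} else {
    Write-Output 'No failed update runs found.'
}
```

Prefer a user-assigned identity per purpose when several runbooks share one account: each identity can then be granted exactly the roles its runbooks need, instead of every runbook inheriting the union of permissions granted to the account's system-assigned identity.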
Network planning
A Hybrid Runbook Worker requires outbound internet access over TCP port 443 to communicate with Automation. For computers with restricted internet access, you can use the Log Analytics gateway to route communication with Automation and an Azure Log Analytics workspace through a single egress point.
Azure Security Baseline for Automation
The Azure security baseline for Automation contains recommendations about how to increase overall security and protect your assets by following best-practice guidance.
DevOps considerations
You can schedule update deployment programmatically through the REST API. For more information, refer to Software Update Configurations - Create.
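The following is an added example, not code from the original article: a pipeline step that creates or updates an update deployment with a PUT to the Software Update Configurations REST operation, using Invoke-AzRestMethod so that the pipeline's existing Az login supplies the token. Because PUT is keyed by the configuration name, re-running the step is idempotent. The subscription ID, resource group, account, VM resource ID, computer name and start time are assumptions.

```powershell
# Added example (not from the original article): create/update a software update
# configuration through the Automation REST API (api-version 2019-06-01).
# Assumptions: Connect-AzAccount has run as a principal holding Automation Contributor on
# the account; all names and IDs below are placeholders.

$subId   = '00000000-0000-0000-0000-000000000000'
$rg      = 'rg-updatemgmt'
$account = 'aa-updatemgmt'
$name    = 'weekly-security-windows'   # deployment name; PUT with the same name updates in place

# First run: 02:00 UTC tomorrow; the weekly schedule then recurs on Sundays.
$startTime = (Get-Date).ToUniversalTime().Date.AddDays(1).AddHours(2).ToString('yyyy-MM-ddTHH:mm:ssZ')

$body = @{
    properties = @{
        updateConfiguration = @{
            operatingSystem = 'Windows'
            duration        = 'PT2H'                      # maintenance window (ISO 8601)
            windows         = @{
                includedUpdateClassifications = 'Critical,Security'
                excludedKbNumbers             = @()       # pin known-bad KBs here
                rebootSetting                 = 'IfRequired'
            }
            azureVirtualMachines = @(
                "/subscriptions/$subId/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-01"
            )
            nonAzureComputerNames = @('onprem-srv-0001.corp.example.com')
        }
        scheduleInfo = @{
            frequency        = 'Week'
            interval         = 1
            startTime        = $startTime
            timeZone         = 'UTC'
            advancedSchedule = @{ weekDays = @('Sunday') }
        }
    }
} | ConvertTo-Json -Depth 10

$path = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Automation" +
        "/automationAccounts/$account/softwareUpdateConfigurations/$name" +
        '?api-version=2019-06-01'

$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body

# 201 = created, 200 = updated. Anything else must fail the pipeline step rather than
# leave a machine fleet silently unscheduled.
if ($resp.StatusCode -notin 200, 201) {
    throw ("Software update configuration PUT failed: HTTP {0}`n{1}" -f $resp.StatusCode, $resp.Content)
}

$result = $resp.Content | ConvertFrom-Json
Write-Output ("{0}: provisioningState={1}" -f $result.name, $result.properties.provisioningState)
```

Keeping the JSON body under source control next to the runbooks gives a reviewable record of which classifications, exclusions and reboot behaviour each fleet is patched with, and the PUT semantics mean a reverted commit reverts the deployment.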
Azure Automation integrates with popular source control systems such as Azure DevOps and GitHub. With source control, you can keep runbooks in your existing development workflow, so that only scripts and custom code that have been tested in an isolated environment are promoted to the Automation account.
For more information about how to integrate Automation with your source control environment, refer to Use source control integration.
Cost considerations
Use the Azure pricing calculator to estimate costs. For more information about Automation pricing models, refer to Automation pricing.
Azure Automation is priced per minute of job execution for process automation and per node for configuration management. Every month, the first 500 minutes of process automation and configuration management for five nodes are free.
An Azure Log Analytics workspace might generate more costs related to the amount of log data that's stored in Azure Log Analytics. The pricing is based on consumption, and the costs are associated with data ingestion and retention. For ingesting data into Azure Log Analytics, use the capacity reservation or pay-as-you-go model that includes 5 gigabytes (GB) free a month for each billing account. Data retention for the first 31 days is free of charge.
For more information about Log Analytics pricing models, refer to Azure Monitor pricing.