Increased security and resiliency of Canonical workloads on Azure – now in preview

Posted by

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

This blog has been co-authored by Maulik Shah, Senior Product Manager, Azure Compute

Linux-based operating systems (OS) routinely receive daily security updates to combat vulnerabilities. However, organizations often struggle with testing and applying the latest updates across their fleet at the same rate that updates are released. Additionally, it is not possible to point to a single update to apply across multiple regions, since Linux publishers do not support a release date. When updates are rolled out gradually, an organization may end up with different versions of the same update applied across its environment. This can increase the risk of a particular update impacting workloads if it has not been thoroughly tested beforehand.


Microsoft and Canonical have partnered to make it easier for our customers to stay current with OS updates and increase the security and resiliency of their workloads on Azure. Azure is the first cloud provider to collaborate with Canonical to integrate its snapshot service. Azure Guest Patching Service (AzGPS) and Azure Kubernetes Service (AKS) will leverage the new capability to apply the same update consistently on a customer’s fleet across regions via Safe Deployment Practices (SDP).


“We’re thrilled to announce that Azure Guest Patching Service (AzGPS) is the industry’s first cloud-native management platform to collaborate with Canonical & the Azure Kubernetes Service (AKS) on the new repo snapshot functionality. With this new capability, AzGPS will extend Azure’s vision of providing comprehensive security solutions to our Linux customers without compromising reliability on Azure VM and Virtual Machine Scale Sets (VMSS). By applying the same patch payload across customer VMs while leveraging safe deployment principles (SDP) and health awareness, we are able to bring customer deployments seamlessly and safely to a consistent security level.”Arun Kishan, Corporate Vice President & Technical Fellow, Azure Core Compute & Host


"We are pleased to announce that Canonical is the first Linux provider to integrate a snapshot service for cloud management and update reliability with Azure. In collaboration with Microsoft, this service simplifies the complex landscape of system updates, offering administrators a new standard for predictability and consistency. Through an integration with Azure Guest Patching Service (AzGPS) and Azure Kubernetes Service (AKS), we enhance the resilience and security of Ubuntu workloads on Azure VM and Virtual Machine Scale Sets (VMSS). This first-of-its-kind offering enables Linux users to implement Safe Deployment Practices with minimal effort, reinforcing Ubuntu as a dependable choice for cloud deployments."Alex Gallagher, VP of Cloud


Scalable reliability through Auto Patching

There is no action required for customers that have enabled Auto Patching through Azure Guest Patching Service (AzGPS) and Azure Kubernetes Service (AKS). The platform will install a package that is snapped to a point-in-time by default. In the event a snapshot-based update cannot be installed, Azure will apply the latest package on the VM to ensure the VM remains secure. The point-in-time updates will be consistent on all VMs across regions to ensure homogeneity. Customers can view the published-date information related to the update in Azure Resource Graph and the Instance View of the VM. The figures below highlight the difference between the current orchestration process and the expected reliability with snapshots.


Azure orchestration without snapshots




Today, each region and VM gets the latest package as updates are applied across regions.


 Scalable reliability with Canonical snapshots




Azure Guest Patching Service and AKS will now apply the same package update from a specific date to all regions due to the integration with Canonical’s snapshot service.

Enabling the snapshot capability on Azure Guest Patching Service and Azure Kubernetes Service

Customers of Azure Guest Patching and Azure Kubernetes Services will receive snapshot-based updates from November 2023 for their newly created VMs. The platform will apply the snapshot-based updated for new and existing VMs from January 2024. If the snapshot-based updates fail to install after a few attempts, the platform will apply the latest security package to keep the VMs and containerized workloads secure.


Azure Guest Patching Service: Enable Auto Guest Patching either through Powershell or CLI for your existing VMs or select “Azure Orchestration” during new VM creation in the Azure portal. There is no action required for customers that have already enabled Auto Guest Patching on their VM and VM Scale Sets. This capability is currently available for Single Instance VMs and VM Scale Set Flexible Orchestration.


Azure Kubernetes Service



Customers of Azure Guest Patching and Azure Kubernetes Services will receive snapshot-based updates for a single point-in-time across their and containerized workloads for their Canonical images by following safe deployment principles. This is a game changer for Azure customers, since the platform can orchestrate updates and keep the updates in sync across regions. Azure is simplifying the way customers keep their assets secure, allowing homogeneity across customers’ fleet, and reducing the impact newer updates may have on customer workloads. Enable Auto Patching on your VMs, VM Scale Sets, and containerized workloads to take advantage of scalable reliability on your fleet.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.