Why Azure Image Builder – Getting Started

This post has been republished via RSS; it originally appeared at: ITOps Talk Blog articles.

You might be familiar with building golden images or templates for use on-premises. Back in the olden days we used to "ghost" machines and now you may use a VM template with sysprep. Azure offers the managed service Azure Image Builder so you can configure your image as a template for reuse within your cloud. Golden or base images are usually built upon governance, standards and best practices within your organization. These images especially come into play if you have immutable infrastructure, servers or virtual machines that will not be modified after deployment. To ensure consistency and speed up deployment, you can create golden images or templates.

Azure Image Builder lets you transfer your image customization pipeline to Azure without changing your scripts, commands, and processes. VM Image Builder works with any base operating system image from the Azure Marketplace and uses an automation config for the build process. Your VM image build artifacts are stored as Azure resources. This feature eliminates the need for offline definitions and the risk of environment drifts due to accidental deletions or updates.

Side note - Azure Image Builder is based on Packer, so you can reuse your existing Packer shell provisioner scripts with it.

Resource: https://learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview?tabs=azure-powershell

Scenarios

Build, tailor and update "Base" virtual machine images and distribute them globally.
Image creation for Azure Virtual Desktop.
Access files in an Azure storage account or scripts from GitHub
Have your build pipeline trigger automatic image creation based on specific criteria.
Create images for both Azure and Azure Stack.
Integrate with existing build pipelines using Azure VM Image Builder DevOps Task.
Optimize Windows and Linux VM images.
Deploy your image building pipeline on Azure faster by connecting to existing virtual networks that have configuration servers (DSC, Puppet, Chef), file shares, or any other servers or services that can be routed.

Many of these scenarios have code and quickstarts to get you going on the AZ VM Image builder Github repository.

I encourage you to check it out and you can contribute as well.

What's New

Auto-Image Creation, also known as “triggers”, is a feature that enhances developer productivity by automatically initiating image builds for new base images. This feature allows customers to streamline their image building process by setting up ‘triggers’ for the images they want to update automatically. Azure Image Builder also helps internal teams to ensure the security of their images through automation, reducing the manual work required to patch 1P images.

Isolated Image Builds. A feature of Azure Image Builder (AIB) is the ability to customize and validate VM images using dedicated Azure Container Instances (ACI) resources in your subscription. This provides compute and network isolation from shared infrastructure.

Azure VM Image Builder service DevOps task (preview). Create a virtual machine (VM) image with your application and operating system installed and configured, using the build artifacts.

Azure Portal. Users have been using CLI/PowerShell to create Azure Image templates but now that availability is in the Azure Portal.

The Azure Image Builder portal functionality allows the customer to explore the features of Azure Image Builder easily, without spending time on learning how to make a JSON template from the documentation. You can create an Azure Image from Bicep or an ARM template using JSON

Getting Started

Permissions

No matter which route you take, using the Portal or using command line you have to grant permissions for the service to work. The VM Image Builder service needs permissions to create, manage, and delete a staging resource group, which has the prefix IT_*. This resource group contains any resources that the image build requires. You can add these resources after you register for the service successfully. The service creates a service principal name in your subscription when you register.

To distribute images to either the managed images or Compute Gallery, you must create an Azure user-assigned identity that can read and write images. To access Azure Storage, you need permissions to read both private and public containers.

Register providers

If you haven't already done so, register the following resource providers to use with your Azure subscription:

Microsoft.Compute
Microsoft.KeyVault
Microsoft.Storage
Microsoft.Network
Microsoft.VirtualMachineImages
Microsoft.ManagedIdentity
Microsoft.ContainerInstance

I'll go over registering the providers and granting permissions in this first video below.

PowerShell Scripts I used:

#Set Subscription Set-AzContext -SubscriptionId "Your Subscription" #Register Providers Get-AzResourceProvider -ProviderNamespace Microsoft.Compute, Microsoft.KeyVault, Microsoft.Storage, Microsoft.VirtualMachineImages, Microsoft.Network, Microsoft.ManagedIdentity | Where-Object RegistrationState -ne Registered | Register-AzResourceProvider # Destination image resource group name $imageResourceGroup = 'myWinImgBuilderRG' # Azure region $location = 'WestUS2' # Name of the image to be created $imageTemplateName = 'myWinImage' # Distribution properties of the managed image upon completion $runOutputName = 'myDistResults' # Your Azure Subscription ID $subscriptionID = (Get-AzContext).Subscription.Id Write-Output $subscriptionID ##Create Resource Group New-AzResourceGroup -Name $imageResourceGroup -Location $location #Create variables for the role definition and identity names. These values must be unique. [int]$timeInt = $(Get-Date -UFormat '%s') $imageRoleDefName = "Azure Image Builder Image Def $timeInt" $identityName = "myIdentity$timeInt" #Create a user identity New-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName -Location $location #Store the identity resource and principal IDs in variables $identityNameResourceId = (Get-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName).Id $identityNamePrincipalId = (Get-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName).PrincipalId #Downlaod JSON config file to assign permissions to the identity $myRoleImageCreationUrl = 'https://raw.githubusercontent.com/azure/azvmimagebuilder/master/solutions/12_Creating_AIB_Security_Roles/aibRoleImageCreation.json' $myRoleImageCreationPath = "myRoleImageCreation.json" Invoke-WebRequest -Uri $myRoleImageCreationUrl -OutFile $myRoleImageCreationPath -UseBasicParsing #update role definition template $Content = Get-Content -Path $myRoleImageCreationPath -Raw $Content = $Content -replace '<subscriptionID>', $subscriptionID $Content = $Content -replace '<rgName>', $imageResourceGroup $Content = $Content -replace 'Azure Image Builder Service Image Creation Role', $imageRoleDefName $Content | Out-File -FilePath $myRoleImageCreationPath -Force #Create role definition New-AzRoleDefinition -InputFile $myRoleImageCreationPath #Grant the role definition to the VM Image Builder service principal $RoleAssignParams = @{ ObjectId = $identityNamePrincipalId RoleDefinitionName = $imageRoleDefName Scope = "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup" } New-AzRoleAssignment @RoleAssignParams

In the next post we will go over using the Azure portal to build a golden image and build from it.

Thanks for reading and feel free to comment with any questions.

Amy Colyer

Scenarios

What's New

Getting Started

Permissions

Register providers

Leave a Reply Cancel reply