Server update/patching with Azure (both Azure and on-premises machines)

Update Management

The Update Management solution in Azure Automation manages updates and patches for your Windows and Linux virtual machines, whether they run in Azure or on-premises. Note that Microsoft retired this Automation-based Update Management, together with the Log Analytics agent it relies on, on 31 August 2024 in favour of Azure Update Manager; the walkthrough below documents the Automation-based solution.

With this solution, you can:

  • Onboard on-premises machines into Azure.
  • See the status of available updates.
  • Schedule the installation of required updates.
  • Review the results of scheduled update deployments.

Below are the two resources you need in Azure for Update Management:

  • Log Analytics workspace
  • Azure Automation account

The following steps highlight the actual implementation.

  1. Create a Log Analytics workspace.
  2. Create an Automation account.
  3. Link the Automation account with the Log Analytics workspace.
  4. Enable Update Management for Azure VMs (add Azure machines).
  5. Enable Update Management for non-Azure VMs (add non-Azure (on-premises) machines).

Now we will go through all five steps one by one:

Create a Log Analytics workspace:

Before you create a Log Analytics workspace, ensure that you have at least Log Analytics Contributor role permissions.

You can have more than one Log Analytics workspace for data isolation or to control where data is stored geographically, but for Update Management each machine reports to a single workspace, and each workspace can be linked to only one Automation account. For more information, review Designing your Azure Monitor Logs deployment before you create the workspace.

Use the following procedure to create a Log Analytics workspace:

  1. Sign in to the Azure portal at https://portal.azure.com.
  2. In the Azure portal, select Create a resource.
  3. In the Search the Marketplace box, enter Log Analytics. As you begin entering this text, the list filters based on your input. Select Log Analytics workspaces.
  4. Select Create, and then configure the following items:
    1. Select a different Subscription in the drop-down list if the default selection isn't appropriate.
    2. For the Resource Group, choose an existing resource group that's already set up, or create a new one.
    3. Provide a unique name for the new Log Analytics workspace, such as HybridWorkspace-your-name.
    4. Select the Location for your deployment.
    5. Select a pricing tier to proceed to further customizations.
    6. If you're creating a workspace in a subscription that was created after April 2, 2018, it'll automatically use the Per GB pricing plan, and the option to select a pricing tier won't be available. If you're creating a workspace for an existing subscription that was created before that date or for a subscription that was tied to an existing Enterprise Agreement enrollment, select your preferred pricing tier. For more information about the particular tiers, refer to Log Analytics Pricing details.
    7. Select Tags and optionally provide a name and value for categorization of the resources.
    8. Select Review + Create.
  5. After providing the required information in the Log Analytics workspace pane, select Create.

Create an Automation account:

Once the Log Analytics workspace exists, proceed with the creation of the Automation account. Refer to Supported regions for linked Log Analytics workspace to select the regions for the Automation account and the Log Analytics workspace. It's important that you create the Automation account in a region that maps to the workspace's region per that document, and preferably in the same resource group as the Log Analytics workspace, because a workspace can be linked to only one Automation account.

Use the following procedure to create an Automation account:

  1. In the Azure portal, select Create a resource.
  2. In the Search the Marketplace box, enter Automation. As you begin entering this text, the list filters based on your input. Select Automation.
  3. Select Create, and then configure the following items:
    1. Provide the Name for the Automation account, such as hybrid-auto.
    2. Select a different Subscription in the drop-down list if the default selection isn't appropriate.
    3. For the Resource Group, choose the same resource group as the Log Analytics workspace.
    4. Select the Location based on the region mapping document.
    5. Creating an Azure Run As account is optional: it only provides authentication for Automation runbooks that manage Azure resources and is not needed for Update Management. (Run As accounts were retired on 30 September 2023; runbooks that need to authenticate to Azure should use a managed identity instead.)
  4. After providing the required information in the Add Automation Account pane, select Create.

Link the Automation account with the Log Analytics workspace:

Automation accounts use the Hybrid Runbook Worker components that deploy into the Log Analytics workspace, so the two services must be linked before you deploy a Log Analytics agent on an on-premises computer. Currently, mappings between Log Analytics workspaces and Automation accounts are supported only in specific region pairs. For further information, refer to Supported regions for linked Log Analytics workspace.

Use the following procedure to link an Automation account with a Log Analytics workspace:

  1. In the Azure portal, select All services, and then enter automation. As you begin entering this text, the list filters based on your input. Select Automation Accounts, and then select the Automation account that you created earlier.
  2. In the Automation account pane, select Update Management under the Update Management section.
  3. In the Update Management pane, configure the following items:
    1. Select a different Subscription in the drop-down list if the default selection isn't appropriate.
    2. For Log Analytics workspace, select your existing Log Analytics workspace; for example, HybridWorkspace-your-name.
  4. After providing the required information in the Update Management pane, select Enable.
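The three portal steps above (workspace, Automation account, link plus the Updates solution) can be done from Az PowerShell as well, which makes the setup repeatable across subscriptions. The script below is an added example and is not code from the original post; it assumes the Az.Accounts, Az.Resources, Az.OperationalInsights and Az.Automation modules are installed, that Connect-AzAccount has already been run with Contributor rights on the resource group, and that the resource names and the 'eastus' location are placeholders you replace with a pair from the region mapping document. The linkedServices resource and the 'Updates' intelligence pack are what the portal's Enable button creates behind the scenes.

```powershell
# Added example (not from the original post): provision and link the two resources for Update Management.
# Assumptions: Az modules installed, Connect-AzAccount done, names/location below are placeholders.
$ResourceGroup  = 'rg-updatemgmt'
$Location       = 'eastus'
$WorkspaceName  = 'HybridWorkspace-demo'
$AutomationName = 'hybrid-auto'
$ErrorActionPreference = 'Stop'

# 1. Resource group (idempotent)
if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
}

# 2. Log Analytics workspace: Per-GB pricing; 90 days retention keeps a quarter of update history.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName -ErrorAction SilentlyContinue
if (-not $workspace) {
    $workspace = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName `
        -Location $Location -Sku 'PerGB2018' -RetentionInDays 90
}

# 3. Automation account in the same resource group and a mapped region.
$account = Get-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AutomationName -ErrorAction SilentlyContinue
if (-not $account) {
    $account = New-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AutomationName -Location $Location
}
$subscriptionId = (Get-AzContext).Subscription.Id
$automationResourceId = "/subscriptions/$subscriptionId/resourceGroups/$ResourceGroup" +
                        "/providers/Microsoft.Automation/automationAccounts/$AutomationName"

# 4. Link workspace and Automation account. The link is a child resource of the workspace,
#    type Microsoft.OperationalInsights/workspaces/linkedServices, always named 'Automation'.
New-AzResource -ResourceType 'Microsoft.OperationalInsights/workspaces/linkedServices' `
    -ResourceGroupName $ResourceGroup -ResourceName "$WorkspaceName/Automation" `
    -Properties @{ resourceId = $automationResourceId } -ApiVersion '2020-08-01' -Force | Out-Null

# 5. Enable the Updates solution on the workspace (what the portal's Enable button does).
Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName `
    -IntelligencePackName 'Updates' -Enabled $true | Out-Null

# 6. Print what the on-premises onboarding step will need: the workspace ID (CustomerId).
"Workspace ID : $($workspace.CustomerId)"
"Linked to    : $automationResourceId"
```

Run it once per environment; every step is idempotent, so re-running it after a partial failure is safe. If the link step fails with a region error, the workspace and Automation account are not in a supported pair and the Automation account has to be recreated in a mapped region.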

Once the above is in place, you are ready to add Azure and non-Azure (on-premises) machines to Update Management; the screenshot below shows the Update Management pane.

Note: Azure machines can be added directly through the option shown in the snapshot, but for non-Azure machines the process is a little different, so their steps are described separately below.





Add Azure Machines:

  • Select your Automation account, click Update management, then click Add Azure VMs (as per the above screenshot).
  • Select the machines you need to deploy to and click Enable (as per the below screenshot).



Add Non-Azure (On-prem) Machines:

  • You need the ID of the Log Analytics workspace you created above. It is shown as Workspace ID on the Overview page of the Log Analytics workspace in Azure, and again under Agents management.
  • You also need the workspace's primary key, found on the Agents management page of the same Log Analytics workspace. (The keys listed under your Automation account are for Hybrid Runbook Worker registration, not for the monitoring agent.) Treat the workspace key as a credential: anyone holding it can send data into the workspace, so do not paste it into tickets or scripts, and regenerate it if it leaks.
  • Now onboard the on-premises servers into Azure as per the steps below:
  1. Install the Microsoft Monitoring Agent (the Log Analytics agent for Windows), either through SCOM or manually, on the server to be onboarded.
  2. On the server, open Control Panel, open Microsoft Monitoring Agent, go to the Azure Log Analytics (OMS) tab, enter the workspace ID and key, then click OK and Apply, as per the snapshot below.



         

The status turns green once the correct details are entered, and after a couple of minutes the server appears in Azure under Update management, Machines.
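For more than a handful of servers the Control Panel dialog is error-prone, and it encourages copying the workspace key around. The script below is an added example, not code from the original post, and does the same onboarding from PowerShell on the target server: it pulls the workspace ID and key at run time with the Az cmdlets, installs the agent silently if it is missing (or adds the workspace through the agent's COM configuration API if SCOM already installed it), and then verifies the result both locally and with a Heartbeat query in the workspace. It assumes an elevated PowerShell session, Connect-AzAccount already done by an operator allowed to read the workspace shared keys, the installer downloaded to the path in $Installer, and placeholder resource names.

```powershell
# Added example (not from the original post): onboard a Windows server to the workspace without hand-copying the key.
# Assumptions: run as administrator on the server; Az.OperationalInsights loaded; Connect-AzAccount done;
# MMASetup-AMD64.exe already downloaded to $Installer; names below are placeholders.
param(
    [string]$ResourceGroup = 'rg-updatemgmt',
    [string]$WorkspaceName = 'HybridWorkspace-demo',
    [string]$Installer     = 'C:\Temp\MMASetup-AMD64.exe'
)
$ErrorActionPreference = 'Stop'

# 1. Fetch workspace ID and primary key at run time instead of copying them from the portal.
$ws          = Get-OperationalInsightsWorkspaceSafe = $null
```
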

Now you can see all the added Azure and non-Azure machines under the Machines section of Update management, as per the below screenshot.




Now you are ready to schedule the Windows update/patching.

* Go to your Automation account, click Update management, then click Schedule update deployment, as you can see in the above screenshot.

* The New update deployment window opens, as in the below screenshot.



  • Enter the deployment name, e.g. Monthly server Patching Jan 2021.
  • Choose your operating system.
  • Click Machines to update, choose the machines as per the below snapshot, and click OK.




  • Next comes Update classification; choose the classifications according to your requirement (for monthly patching this is usually Critical updates and Security updates):



  • Next comes Include/exclude updates. In this section, specific KBs can be explicitly included or excluded if required; enter the KB numbers on the respective tab and click OK. Keep the exclusion list short and dated, since every excluded KB is a security fix that is knowingly not being applied.


  • Next comes the Schedule settings; schedule the deployment according to your requirement.




  • Next comes the Maintenance window. Select a window of at least 30 minutes and at most 6 hours (360 minutes), sized for the number of security patches and servers. Leave headroom for the reboot: updates that do not fit in the window are not attempted and are left for the next run.




  • Next comes the Reboot option; select it according to your requirement (Reboot if required is the usual choice for security patching, because a patch that needs a reboot is not effective until the machine restarts).




  • Once the scheduled deployment is created, go to Deployment schedules under Update management, where you can see the recently created schedule as per the below snapshot.
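The same deployment can be created from PowerShell, which is how you would keep a monthly schedule consistent across several Automation accounts or put it under version control. The script below is an added example, not code from the original post; it assumes the Az.Automation and Az.Compute modules, a completed Connect-AzAccount, and placeholder names for the resource group, Automation account, Azure VM resource group, on-premises computer names and the excluded KB number. It recreates the choices walked through above: a monthly schedule, Security and Critical classifications, one excluded KB, a 2-hour maintenance window and reboot-if-required.

```powershell
# Added example (not from the original post): create a monthly Windows update deployment from PowerShell.
# Assumptions: Az.Automation + Az.Compute loaded, Connect-AzAccount done, all names below are placeholders.
$ResourceGroup  = 'rg-updatemgmt'
$AutomationName = 'hybrid-auto'
$ErrorActionPreference = 'Stop'

# 1. Schedule: second Tuesday of every month at 22:00 UTC, a week after Patch Tuesday so test rings go first.
#    -ForUpdateConfiguration marks the schedule as one to be attached to an update deployment.
#    StartTime must be at least 5 minutes in the future; tomorrow 22:00 satisfies that.
$start = (Get-Date -Hour 22 -Minute 0 -Second 0).AddDays(1)
$schedule = New-AzAutomationSchedule -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationName `
    -Name 'Monthly server Patching' -StartTime $start -MonthInterval 1 `
    -DayOfWeek Tuesday -DayOfWeekOccurrence Second -TimeZone 'UTC' -ForUpdateConfiguration

# 2. Targets: Azure VMs by resource ID (Windows only), on-premises machines by the name shown under Machines.
$azureVmIds = @(Get-AzVM -ResourceGroupName 'rg-app-servers' |
    Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' } |
    ForEach-Object { $_.Id })
$onPremNames = @('FS01.corp.example.com', 'APP02.corp.example.com')   # placeholder hostnames

# 3. Deployment: Security + Critical, one hypothetical KB excluded, 2 h window, reboot only if an update asks for it.
$excludedKbs = @('5000000')   # placeholder KB number, not a real exclusion
$deployment = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationName -Schedule $schedule -Windows `
    -AzureVMResourceId $azureVmIds -NonAzureComputer $onPremNames `
    -IncludedUpdateClassification @('Security', 'Critical') `
    -ExcludedKbNumber $excludedKbs `
    -Duration (New-TimeSpan -Hours 2) `
    -RebootSetting IfRequired

# 4. Show what was created; NextRun should be the coming second Tuesday at 22:00 UTC.
$deployment | Select-Object Name, ProvisioningState,
    @{ Name = 'NextRun'; Expression = { $_.ScheduleConfiguration.NextRun } }
```

If the cmdlet rejects a non-Azure computer name, compare it with the name shown under Update management, Machines: on-premises machines are matched by the name the agent reports (usually the FQDN), not by a short hostname.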


  • The progress of the schedule can be found under the History tab, as below.
  • The History tab also shows the status of each server: failed, succeeded, not attempted or in progress.
  • The Missing updates tab shows the updates that are still missing on the servers.
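The History and Missing updates tabs are views over the Update and UpdateRunProgress tables in the linked Log Analytics workspace, so the same checks can be run from PowerShell, for example as a gate in a pipeline or a weekly report. The script below is an added example, not code from the original post; it assumes Connect-AzAccount has been run with read access to the workspace, the Az.OperationalInsights module, and a placeholder workspace ID. It lists machines still needing non-optional Security or Critical updates and summarises per-machine outcomes of recent deployment runs, and exits non-zero if either check finds a problem.

```powershell
# Added example (not from the original post): patch-compliance check over the workspace behind Update Management.
# Assumptions: Az.OperationalInsights loaded, Connect-AzAccount done, $WorkspaceId is a placeholder.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder: the workspace's Customer ID (Workspace ID)
$ErrorActionPreference = 'Stop'

# 1. Machines still missing a non-optional Security/Critical update (the Missing updates tab).
#    arg_max keeps only the latest state reported for each (computer, update) pair.
$missingQuery = @'
Update
| where TimeGenerated > ago(14d)
| where OSType != "Linux" and Optional == false and Approved == true
| where Classification in ("Security Updates", "Critical Updates")
| summarize arg_max(TimeGenerated, UpdateState, KBID, Title) by Computer, SourceComputerId, UpdateID
| where UpdateState =~ "Needed"
| summarize MissingCount = count(), SampleKB = any(KBID) by Computer
| order by MissingCount desc
'@
$missing = @((Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $missingQuery).Results)

# 2. Per-machine outcome of recent deployment runs (the History tab).
$runQuery = @'
UpdateRunProgress
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, InstallationStatus) by Computer, UpdateRunName, Title
| summarize Failed = countif(InstallationStatus == "Failed"),
            Succeeded = countif(InstallationStatus == "Succeeded"),
            Other = countif(InstallationStatus !in ("Failed", "Succeeded"))
            by Computer, UpdateRunName
| order by Failed desc
'@
$runs = @((Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $runQuery).Results)

"Machines missing Security/Critical updates:"
$missing | Format-Table -AutoSize
"Deployment run outcomes (last 14 days):"
$runs | Format-Table -AutoSize

# 3. Gate: any machine with missing updates or a failed install fails the check.
$failedRuns = @($runs | Where-Object { [int]$_.Failed -gt 0 })
if ($missing.Count -gt 0 -or $failedRuns.Count -gt 0) {
    Write-Warning "Patch compliance check failed: $($missing.Count) machine(s) missing updates, $($failedRuns.Count) run(s) with failures"
    exit 1
}
"Patch compliance check passed"
```

The 14-day lookback matches a monthly cycle with one retry window; shorten it if deployments run weekly. The query results come back as strings, hence the `[int]` cast before comparing the Failed column.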


