
Azure Update Manager
Azure Update Manager to handle update orchestration
Steps:
- Scope the ‘Set prerequisite for Scheduling recurring updates on Azure virtual machines’ policy; this sets the patch orchestration mode on the VMs to ‘Customer Managed Schedules’, which a maintenance configuration needs before it can install updates on them. The policy only touches VMs created or updated after it is assigned, so create a remediation task to bring the existing VMs into line.
- Additionally scope the ‘Configure periodic checking for missing system updates on azure virtual machines’ policy; this turns on periodic assessment so each VM is checked for missing OS updates every 24 hours, which is what populates the pending-updates view in Update Manager. It needs a remediation task for existing VMs as well.
- Create a ‘Maintenance configuration’:
Create a configuration with a set schedule; in this case it runs on Patch Tuesday (the 2nd Tuesday of every month) with no offset (the offset is the number of days the run is delayed after that Tuesday).
Create a dynamic scope; this is recommended because you want to stagger updates across your environment. A dynamic scope is evaluated each time the schedule runs, so a VM that later gets the matching tag is picked up automatically without editing the configuration.
In this case I created a dynamic scope based on the environment:dev VM tag. The idea is that you also create additional maintenance configurations for your other environments, like test and prod, with increasing offsets.
This gives you time to test the update itself for any errors, as well as to test your applications’ behaviour after the update.
Based on the environment tag:
- dev - runs on Patch Tuesday with no delay
- test - runs with a 2 day offset, which gives you some time to test
- prod - runs with a 4 day offset
You can also further limit the dynamic scope by resource group and location (Azure region), and create more maintenance configurations for prod based on region.
For example, use a 3 day offset for your main uksouth region, where you have numerous VMs and can test for edge cases, but a 4 day offset for East US (eastus), where you have a smaller footprint. Keep the region filters of the prod configurations disjoint: a VM that matches two dynamic scopes sits in both maintenance windows and the stagger is lost.
Finally set the ‘Update classification’; here you specify the types of updates you want to install. I have left the default of Critical and Security updates.
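To make the stagger concrete, here is an added example (not code from the original post, and not anything Azure Update Manager generates) that computes Patch Tuesday, derives each environment’s first run date and recurrence string, and builds the request bodies for the maintenance configuration and its subscription-level dynamic-scope assignment. The environments and offsets are the ones above; the configuration names, subscription id, resource group, the 20:00 start time and the 6-day ceiling on the Offset suffix are assumptions. Before emitting anything it checks the plan: offsets must grow from dev to test to prod, and two configurations for the same environment must target disjoint regions, otherwise one VM can fall into two windows.

```python
"""Staggered Patch Tuesday rollout for Azure Update Manager: builds the maintenance
configuration and dynamic-scope assignment bodies per environment.
Added example, not from the original post or from Microsoft."""
import calendar
import json
from datetime import date, datetime, time, timedelta

# Rollout from the post; config names, subscription and resource group are placeholders.
ROLLOUT = [  # (config name, environment tag, regions (empty = any region), offset days)
    ("mc-dev", "dev", [], 0),
    ("mc-test", "test", [], 2),
    ("mc-prod-uksouth", "prod", ["uksouth"], 3),
    ("mc-prod-eastus", "prod", ["eastus"], 4),
]
ENV_ORDER = ["dev", "test", "prod"]
MAX_OFFSET_DAYS = 6  # assumed ceiling for the Offset suffix; confirm against the current docs
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder
RESOURCE_GROUP = "rg-update-manager"  # placeholder


def patch_tuesday(year, month):
    """Second Tuesday of the month."""
    first_weekday, _ = calendar.monthrange(year, month)  # Monday == 0
    return date(year, month, 1 + (calendar.TUESDAY - first_weekday) % 7 + 7)


def recur_every(offset_days):
    """Recurrence string for the maintenance window, e.g. 'Month Second Tuesday Offset4'."""
    if not 0 <= offset_days <= MAX_OFFSET_DAYS:
        raise ValueError(f"offset must be 0..{MAX_OFFSET_DAYS} days, got {offset_days}")
    return "Month Second Tuesday" + (f" Offset{offset_days}" if offset_days else "")


def first_run(year, month, offset_days, start_hour=20):
    """First window start: that month's Patch Tuesday plus the offset, at start_hour local time."""
    return datetime.combine(patch_tuesday(year, month), time(start_hour)) + timedelta(days=offset_days)


def maintenance_configuration(location, start, offset_days, classifications=("Critical", "Security")):
    """Body for Microsoft.Maintenance/maintenanceConfigurations: in-guest patching, customer-managed schedule."""
    return {
        "location": location,
        "properties": {
            "maintenanceScope": "InGuestPatch",
            "maintenanceWindow": {
                "startDateTime": start.strftime("%Y-%m-%d %H:%M"),
                "duration": "03:55",  # longest window the service accepts
                "timeZone": "GMT Standard Time",  # Windows time-zone id for the UK
                "recurEvery": recur_every(offset_days),
            },
            "extensionProperties": {"InGuestPatchMode": "User"},  # Customer Managed Schedules
            "installPatches": {
                "rebootSetting": "IfRequired",
                "windowsParameters": {"classificationsToInclude": list(classifications)},
                "linuxParameters": {"classificationsToInclude": list(classifications)},
            },
        },
    }


def dynamic_scope(config_id, env, regions=()):
    """Subscription-level configurationAssignment selecting VMs by environment tag, optionally by region."""
    filt = {
        "resourceTypes": ["microsoft.compute/virtualmachines"],
        "tagSettings": {"tags": {"environment": [env]}, "filterOperator": "All"},
    }
    if regions:
        filt["locations"] = list(regions)
    return {"properties": {"maintenanceConfigurationId": config_id, "filter": filt}}


def plan_problems(rollout):
    """What would defeat the stagger: an environment not after the one before it, or overlapping scopes."""
    problems, by_env = [], {}
    for _, env, regions, offset in rollout:
        by_env.setdefault(env, []).append((set(regions), offset))
    prev_max = -1
    for env in ENV_ORDER:
        entries = by_env.get(env, [])
        if entries and min(o for _, o in entries) <= prev_max:
            problems.append(f"{env} does not run after the environment before it")
        prev_max = max((o for _, o in entries), default=prev_max)
        for i, (a, _) in enumerate(entries):
            for b, _ in entries[i + 1:]:
                if not a or not b or a & b:  # an empty region list matches every region
                    problems.append(f"two {env} configurations can select the same VM")
    return problems


def build_plan(year, month, location="uksouth", rollout=ROLLOUT):
    """Maintenance configuration plus its dynamic-scope assignment for every rollout entry."""
    problems = plan_problems(rollout)
    if problems:
        raise ValueError("; ".join(problems))
    plan = {}
    for name, env, regions, offset in rollout:
        config_id = (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{RESOURCE_GROUP}"
                     f"/providers/Microsoft.Maintenance/maintenanceConfigurations/{name}")
        plan[name] = {"configuration": maintenance_configuration(location, first_run(year, month, offset), offset),
                      "assignment": dynamic_scope(config_id, env, regions)}
    return plan


if __name__ == "__main__":
    print(json.dumps(build_plan(2024, 3), indent=2))
```

Each ‘configuration’ body is what you would PUT to the maintenanceConfigurations resource and each ‘assignment’ body to the subscription-scoped configurationAssignments resource (the dynamic scope), using whichever API version your tooling targets. The start date is only the first run; after that the ‘Month Second Tuesday OffsetN’ recurrence keeps each environment N days behind Patch Tuesday.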
- Create an alert rule:
If you create the alert rule directly from the Azure Update Manager resource it will pre-populate some of the options. Here set the graph query to ‘Patch installation failures’.
This rule checks every 5 minutes and alerts on every single installation failure; depending on your environment’s size you may want to raise the threshold so alerts are aggregated instead of firing for each failed VM.
Once set up, verify that the VM has an associated schedule.
If any of the VMs have pending updates you can also manually check for updates and install them with a one-time update, outside the schedule.
Under ‘History’ you can monitor the progress of the updates.