Create custom images for your virtual infrastructure that automatically follow your security policy.

One of the big advantages of using cloud IaaS is the convenience; you can spin up a VM whenever you need it, scale it, pause it or throw it away. But large organisations want the VMs they use in the cloud to have the security and configuration settings that match their own policies (and maybe pre-install some specific applications they’ve licensed or created), which default gallery images won’t do. Running scripts to customise those default images takes time; if software installation and configuration takes 10 minutes, doing that with a script is just too slow if you want to scale out a workload on demand.

“Enterprise customers prefer to have a ‘golden’ image (an image that meets all their organisational requirements) that they can reuse when deploying additional VMs rather than deploy additional VMs and then run a provisioning script post-deployment,” Microsoft said. Reusing an image makes scaling out faster and more reliable while keeping you in policy. And once you have the process in place to build images, you can easily rebuild them regularly to include OS and application updates.

But creating and managing your own image pipeline to build those custom images means running extra infrastructure and managing extra software. Azure Image Builder offers you that as a cloud service. You get custom images that follow your security and management policies for the virtual infrastructure you’re taking advantage of in the cloud, and you don’t have to learn tricky image building pipelines and processes.

Pick your source image, create a template with the image configuration (reusing existing commands, scripts and build artefacts if you already have an image building process or are pulling them from different locations so you don’t have to collect them in one place to run the build) and get an image or VHD that matches your compliance rules.

AIB includes role-based access control so you can choose who gets access to images, and it can create a VNet, public IP and network security group to communicate with the VM that builds the image. But if you have an existing VNet with resources (including configuration servers running Ansible, Chef, Puppet, DSC or similar), you can specify that instead and not use a public IP address at all.

Pack up your policy configuration

AIB started out as a feature on Azure Kubernetes Service that used Hashicorp Packer to build VHD images. Azure also supports using the popular cloud-init technology for building Linux images from Azure Resource Manager templates, for example if you’re automating building an image to run the Azure IoT Edge runtime. “Packer is a bit more sophisticated than cloud-init (think of it as a super set) and can be used to install IoT Edge on custom VM images as well,” Microsoft said.

AIB turns that into a service, complete with flexible options for how you share the images. You start with Windows or Linux images, from the Azure Marketplace or existing custom images, and add your own customizations, whether that’s configuration choices, copying files or installing applications (including restarting the image if the installation needs that).

Recent versions of Ubuntu, RHEL, CentOS, SLES, Windows and Windows Server have been tested but Microsoft said it should work with any Linux or Windows image, and if you already have a custom image you can use AIB to patch it using Linux commands or Windows Update. The Windows Update Customizer is built on the open source community Windows Update Provisioner for Packer.

You can use familiar commands like Sysprep (or waagent for Linux images) and copy files to the image from a GitHub repo or Azure storage. If you’re downloading large files, you may prefer to use a script and use wget, curl or Invoke-WebRequest on Windows.

For Windows VMs you can use PowerShell scripts to customise the image. Currently, you can only use shell scripts (including any Packer shell provisioner scripts you already have) for customising Linux VMs; when we asked about PowerShell support, Microsoft only said “the team is always taking feature requests from customers.”

You can build images for specialised VM sizes, including creating images for GPU VMs.

The cost of AIB is just the VMs, storage and networking used to build your images each time; you’d need that infrastructure however you build images, and AIB is probably more efficient than a pipeline you build yourself. Microsoft tells us that IT admins who are used to building images for on-premises infrastructure shouldn’t find AIB challenging. “The only confusion may lie in finding logs for failed runs of AIB, which are found in the storage account created in the IT_ resource group for their image. Customers will also need to learn about how build and release pipelines work because DevOps has specific functionality where build bits are baked in the image to run customizations on it.”

You can distribute the images you create with AIB as a shared image through Azure Compute Gallery. That lets you version images and replicate them into different Azure regions, ready to use for VMs and VM Scale Sets. Alternatively, you can create a managed image in an Azure Storage account and use policy to determine who has access. Or you can output a VHD and distribute that any way you want to: through Azure Storage, by publishing it in the Azure Marketplace, by copying it onto Azure Stack infrastructure or any way you now share VHDs.
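Putting the build-VM networking, customizer and distribution options described above into one place, here is an added example of an AIB image template resource (written for this article, not taken from Microsoft’s samples). It builds from the Windows Server 2019 marketplace image inside an existing VNet subnet, so no public IP is created, applies a PowerShell hardening step (disabling SMBv1), restarts, runs the Windows Update customizer, restarts again and publishes the result to an Azure Compute Gallery image replicated to two regions. Every `<...>` value, the identity, VNet and gallery names, and the `corp-policy-v1` tag are placeholders you would replace with your own.

```json
{
  "type": "Microsoft.VirtualMachineImages/imageTemplates",
  "apiVersion": "2020-02-14",
  "name": "winserver2019-golden",
  "location": "westeurope",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": { "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<aib-identity>": {} }
  },
  "properties": {
    "buildTimeoutInMinutes": 120,
    "vmProfile": {
      "vmSize": "Standard_D2_v3",
      "vnetConfig": { "subnetId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>" }
    },
    "source": {
      "type": "PlatformImage",
      "publisher": "MicrosoftWindowsServer",
      "offer": "WindowsServer",
      "sku": "2019-Datacenter",
      "version": "latest"
    },
    "customize": [
      {
        "type": "PowerShell",
        "name": "ApplyBaseline",
        "runElevated": true,
        "inline": [ "Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart" ]
      },
      { "type": "WindowsRestart", "restartTimeout": "10m" },
      {
        "type": "WindowsUpdate",
        "searchCriteria": "IsInstalled=0",
        "filters": [ "exclude:$_.Title -like '*Preview*'", "include:$true" ],
        "updateLimit": 40
      },
      { "type": "WindowsRestart", "restartTimeout": "10m" }
    ],
    "distribute": [
      {
        "type": "SharedImage",
        "galleryImageId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Compute/galleries/<gallery>/images/winserver2019-golden",
        "runOutputName": "goldenImageOutput",
        "replicationRegions": [ "westeurope", "northeurope" ],
        "artifactTags": { "baseline": "corp-policy-v1" }
      }
    ]
  }
}
```

The user-assigned identity needs permission to read the subnet and write to the gallery; re-submitting this template on a schedule is what gives you the regularly rebuilt, patched golden image the article describes.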

If you’re looking for examples of how to make the most of AIB, you can get Azure Resource Manager samples from this template repo that use parameters you can fill in with your own details.

If you want to make that part of a CI/CD pipeline there are samples for calling AIB from a GitHub Action and distributing the images the workflow builds. Or you can run the Azure DevOps task that uses AIB to inject build artefacts into a VM as part of a DevOps pipeline (although it doesn’t support Windows Restarts so it’s most convenient for Linux VMs because you will need several extra steps to use it for Windows VMs). The AIB DevOps task also only supports one in-line script customizer, and it doesn’t yet support Gen2 images.

AIB is also useful for creating custom images for Azure Virtual Desktop, for patching and image lifecycle management, Microsoft points out.

“Today, a significant percentage of AVD session hosts are created using custom images, with the typical customer needing to patch their ‘Golden’ image once per month with the latest feature and security updates. Because of this, Azure Image Builder can play a key role here in providing an efficient way for AVD customers to maintain a ‘Golden’ image without having to manually apply customizations or patch updates.”