Hello Manjunath Nandakumar,
Welcome to the Microsoft Q&A Platform, and thanks for posting your query here.
Yes, there are processes and tools available in Azure that can help you manage and secure your deallocated VMs.
One option is to use Azure Automation to schedule a runbook that checks for deallocated VMs that have not been updated or patched for a certain period of time, such as 20 days. If a VM is found, the runbook can send a notification to the VM owner or administrator to remind them to update or patch the VM.
Ref: https://learn.microsoft.com/en-us/azure/automation/shared-resources/schedules
Another option is to use Azure Security Center to monitor the security posture of your VMs and apply security updates.
Additionally, you can use Azure Update Management to manage updates and patches for your VMs. Azure Update Management provides a centralized solution to manage updates and patches for your Azure VMs. It allows you to assess the status of available updates on all agent computers and manage the process of installing required updates for servers.
Ref: https://learn.microsoft.com/en-us/azure/automation/update-management/manage-updates-for-vm
Regarding moving the VMs to a separate VLAN for patching and updating, you can use Azure Virtual Network to create a separate network environment for your VMs. Azure Virtual Network allows you to create isolated network environments in the cloud, including subnets and VLANs. You can use Azure Virtual Network to create a separate VLAN for your VMs and apply network security policies to control traffic flow between the VLAN and other network environments.
Additional Ref:
https://learn.microsoft.com/en-us/azure/security/fundamentals/virtual-machines-overview
I hope this helps!
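As an added illustration (not code from the answer above or from Microsoft), here is the selection logic such a runbook would run: it takes VM records shaped like the Compute instance view (power state codes such as `PowerState/deallocated`) plus tags, flags deallocated VMs whose last patch is older than the 20-day threshold or that carry no patch record at all, and groups the reminders by owner. The tag names `LastPatched` and `Owner`, the sample VMs, and the check time are constructed assumptions; in a Python runbook the list would be populated from `azure-mgmt-compute` (`virtual_machines.list_all()` for tags and `virtual_machines.instance_view()` for statuses).

```python
from datetime import datetime, timezone

# Constructed sample, shaped like the Compute instance view (statuses carry
# codes such as "PowerState/deallocated"). Tag names are assumptions.
SAMPLE_VMS = [
    {"name": "web01", "tags": {"Owner": "ops@example.com", "LastPatched": "2024-01-05"},
     "statuses": [{"code": "ProvisioningState/succeeded"}, {"code": "PowerState/deallocated"}]},
    {"name": "web02", "tags": {"Owner": "ops@example.com", "LastPatched": "2024-02-20"},
     "statuses": [{"code": "ProvisioningState/succeeded"}, {"code": "PowerState/deallocated"}]},
    {"name": "db01", "tags": {"Owner": "dba@example.com", "LastPatched": "2023-12-01"},
     "statuses": [{"code": "ProvisioningState/succeeded"}, {"code": "PowerState/running"}]},
    {"name": "legacy01", "tags": {},   # no owner, no patch record: must still be flagged
     "statuses": [{"code": "ProvisioningState/succeeded"}, {"code": "PowerState/deallocated"}]},
]
CHECK_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)   # constructed "now" for the run

def is_deallocated(vm):
    """True when any instance-view status reports the deallocated power state."""
    return any(s.get("code") == "PowerState/deallocated" for s in vm.get("statuses", []))

def days_since_patch(vm, now):
    """Days since the LastPatched tag, or None when the VM has no patch record."""
    stamp = vm.get("tags", {}).get("LastPatched")
    if not stamp:
        return None
    patched = datetime.strptime(stamp, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (now - patched).days

def find_stale_deallocated_vms(vms, now, max_age_days=20):
    """Deallocated VMs patched more than max_age_days ago, or never recorded as patched."""
    findings = []
    for vm in vms:
        if not is_deallocated(vm):
            continue                     # running VMs are covered by Update Management
        age = days_since_patch(vm, now)
        if age is None or age > max_age_days:
            findings.append({"name": vm["name"],
                             "owner": vm.get("tags", {}).get("Owner", "unassigned"),
                             "days_since_patch": age})
    return findings

def build_notifications(findings):
    """Group one reminder line per stale VM under the owner who should receive it."""
    messages = {}
    for f in findings:
        age = ("no LastPatched tag" if f["days_since_patch"] is None
               else f"{f['days_since_patch']} days since last patch")
        messages.setdefault(f["owner"], []).append(f"{f['name']}: deallocated, {age}")
    return messages

if __name__ == "__main__":
    for owner, lines in build_notifications(find_stale_deallocated_vms(SAMPLE_VMS, CHECK_TIME)).items():
        print(owner, lines)
```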