Microsoft Azure is a robust, feature-rich cloud platform used by a growing number of technology companies. With its vast array of services, a key challenge in administering an Azure environment is security. How can we ensure that our Azure infrastructure meets strict security standards? This course offers the answer.
In three concise units, the student will learn about compliance and cloud security. The course delves into several key Azure components, including Azure DevOps, Azure Security Center, Desired State Configuration, and Azure Pipelines. After completing the lessons and watching the video demonstrations, the student will be equipped with the knowledge to automate critical security tasks and maintain a thoroughly hardened cloud architecture.
This skill set will serve infrastructure developers working with live environments or preparing for certification exams. Most importantly, it will help students understand cloud security in a comprehensive and thorough way.
For feedback, queries, or suggestions relating to this course, please contact us at support@cloudacademy.com.
Learning Objectives
- Scan infrastructure using Azure tools to prevent drift leading to compliance violations
- Automate configuration using Azure Automation and Desired State Configuration
- Create secure and compliant software pipelines in Azure
Intended Audience
This course is intended for:
- Those looking to learn more about the security and compliance features in Azure
- People studying for Microsoft's AZ-400 exam
Prerequisites
To get the most from this course, you should already have a basic understanding of Microsoft Azure as well as some knowledge of programming and cloud infrastructure.
Okay, greetings again, friends. Welcome to the fourth video demo in our course on Azure Security and Compliance. In this video, we're gonna learn all about VM agents and extensions. We'll do a brief review of Azure Automation State Configuration in the dashboard. We'll then show you how to install extensions on Windows VMs, and we'll review the steps for a Linux VM agent installation. We will then show how to execute arbitrary commands from the console. And lastly, we will demonstrate how to use the CLI to execute commands and scripts. So by the end of this, you should have a solid understanding of the VM agent and custom script tool set.
Okay, so let's start by going back to our Automation account, and we'll take a look at the State configuration dashboard, which is right here. And we can do a quick check-up on our node from last time. We're in Nodes here. And we can see that it is still indeed compliant with our DSC config. Again, this is a great way to automate security compliance in Azure. We can actually review the DSC config source code if we want. We can go into Configurations and just click on it, and we can view the source. And there's the code right there. Now from this dashboard, we can also add configurations to the node manually if we want. We can click here and go to Assign node configuration. So we can do a lot of updating and adding manually through the web portal here. Ideally, we would script a lot of this. Remember, we can do all of this using PowerShell, and that's how we're gonna wanna do it if we wanna maintain an infrastructure-as-code paradigm.
Okay, so now let's talk a bit about Azure VM extensions. To do that, first you need to go to our virtual machine dashboard. So we'll just click on the virtual machine, and we can see here there's a lot of info about the virtual machine and monitoring. But what we're interested in is on the left side, where we can see there's a menu item called Extensions. So we click here and we can see that our little test node already has two extensions installed. We have one here for DSC, and we have the custom script extension here. So as we mentioned, all of the official Azure Windows VMs automatically have the custom script extension installed by default. The DSC extension was installed when we connected our node to the Azure Automation State Configuration account. So that's why we see these two here.
Now for Linux virtual machines, we'll have to install the VM agent and the extensions ourselves. And there are a lot of different versions of Linux with their own little details and installation requirements that will impact just how we set things up. So instead of running through a demo which might only apply to a small set of people, I'm just gonna show you the GitHub code and repos for the VM agents and the extensions, and you take it from there by just following their README. So here we have the repo for the Linux agent. It's pretty straightforward. We can see the setup scripts here in Python, and there are READMEs with installation commands for different versions of Linux. For the extensions themselves, we can see here is the code base. We can see here is DSC. We can see, again all in Python, the testing code here. We also can see the custom script extension here.
Okay, so if you want to look through the actual code base, this is the place. We'll include links, and installation is really just a matter of following the README files. For the rest of this demo, we're gonna stick to Windows Server, to Windows VMs, as they work right out of the box. So going back to the VM here, we can see that we have the custom script extension installed right out of the box. And this is very cool. This means we can invoke the extension from PowerShell and run arbitrary commands, and those commands could call other scripts if necessary.
Now from the web console, we do have a much simpler way of running a one-off command. In the Operations section, if we go down here in the menu, we can see there's an item called Run command. And if we click on that, it'll take us to this menu. And what's really cool about this is that it actually comes with a number of predefined commands for common use cases. So for example, if we click on it we can see this ipconfig command. This is a good one. We can run this with no parameters. We'll just click Run. And it'll come up with this little console here for the output, and it will give us the output here. It takes a few minutes to run because it needs to connect to the VM and run the command through the VM agent.
Okay, so once that's done, here we can see the output of the ipconfig command. So we have some information here, and we can see it successfully ran the command. So that's pretty cool. We have these predefined commands that we can just run. These are helpful for common use cases. But if we want to run an arbitrary command or script, we click here on the Run PowerShell Script command. This will give us a text box, and here we can just paste in the command we want to run. Now another option is we can run PowerShell from a terminal, either on our local development machine or laptop, or we can run it from the Azure web portal using the Azure Cloud Shell.
So let's try that. Let's try using the Cloud Shell. We just click up here and it'll kick off a shell environment which will connect, and once that's ready to go we will attempt to run a script. Okay, that's looking good. Authenticating, and we should be good to go. There we are. Okay, so now that we have the shell running, what we're gonna do is run a command from the shell environment. And I have a couple here saved in my notepad. We're going to run a command to instantiate a very basic web server so that we can see the VM name from the public IP. And that's a very basic thing that I basically just copied from the documentation.
Here's the command. We can see that we're invoking the extension type here, CustomScriptExtension, and the PowerShell command is Add-WindowsFeature Web-Server. And we're just setting some default output for when we go to it. So we hit enter and we click Run. It will take a second to finish. Okay, we'll just wait for that. Okay, once that's done, we can see that we got a status code of OK. The command ran successfully.
So now we're just gonna run another command to get our public IP. We can actually get this from the console if we want, but just for fun we'll do it from the command line. So we'll paste this, and that should give us our IP address. That one ran a lot faster. So if this worked, we should be able to go into the browser, go to this IP address, and see our VM name. So let's give that a try, and it looks like it worked.
So there's our VM name, TestWindowsVM, and it should work the same for you as long as you don't have any security rules blocking public IPs. Make sure that's not an issue. So that's basically it. We have covered how to check extensions. We've gone over the ASC portal, and running custom scripts both from the web portal and from the CLI. I mean, this is a really powerful feature set. If you think about how you'd scale this, it's absolutely critical for maintaining a compliant system without incurring too many disruptions. So I hope this has been helpful, and thanks for watching. Cheers.
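The demo's CLI steps (inventory the extensions, invoke the Custom Script Extension to install IIS and write the VM name into the default page, fetch the public IP, and run a one-off script through the VM agent) as one Azure PowerShell script. This is an added example, not the course's own code; the resource group, location and script file name are assumptions, and the VM name matches the demo.

```powershell
# Added example (not from the course). Assumes an existing Windows VM
# "TestWindowsVM" in resource group "rg-demo" in "eastus"; adjust to taste.
$rg       = "rg-demo"
$vmName   = "TestWindowsVM"
$location = "eastus"

# 1. Inventory: which extensions are present and did they provision cleanly?
#    Worth checking regularly: the Custom Script Extension runs whatever it is
#    handed as SYSTEM, so an unexpected extension on a node deserves a look.
Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName |
    Select-Object Name, Publisher, ExtensionType, TypeHandlerVersion, ProvisioningState

# 2. Install IIS and write the computer name into the default page (the
#    command shown in the demo). The single-quoted string keeps
#    $($env:computername) literal so it is expanded on the VM, not here.
$cmd = 'powershell Add-WindowsFeature Web-Server; ' +
       'powershell Add-Content -Path "C:\inetpub\wwwroot\Default.htm" -Value $($env:computername)'
# ConvertTo-Json escapes the quotes and backslashes for the extension's settings.
# Anything secret (tokens, passwords) belongs in -ProtectedSettingString instead,
# because plain settings are readable from the VM's configuration.
$settings = @{ commandToExecute = $cmd } | ConvertTo-Json -Compress

Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name "CustomScriptExtension" -Publisher "Microsoft.Compute" `
    -ExtensionType "CustomScriptExtension" -TypeHandlerVersion "1.10" `
    -SettingString $settings

# 3. Do not assume success: read the provisioning state back and stop if it
#    is anything other than Succeeded.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name "CustomScriptExtension"
if ($ext.ProvisioningState -ne "Succeeded") {
    throw "CustomScriptExtension provisioning state: $($ext.ProvisioningState)"
}

# 4. Public IP, fetched from the CLI as in the demo (first public IP in the group).
$ip = (Get-AzPublicIpAddress -ResourceGroupName $rg | Select-Object -First 1).IpAddress
Write-Output "Browse to http://$ip/ to see the VM name (if NSG rules allow port 80)."

# 5. Run-command alternative: a one-off script through the VM agent, the CLI
#    equivalent of the portal's Run command blade. The script file is written
#    here (assumed name) and checks that the IIS service is actually running.
Set-Content -Path ".\check-iis.ps1" -Value 'Get-Service W3SVC | Select-Object Name, Status'
Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName `
    -CommandId "RunPowerShellScript" -ScriptPath ".\check-iis.ps1"
```

Both Set-AzVMExtension and Invoke-AzVMRunCommand are recorded in the subscription's Activity Log, which is the place to watch for extension installs or run-commands that nobody scheduled.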
Useful Links
VM Agent: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/agent-windows
Custom Script Extension: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux
Lectures
- Course Introduction
- Compliance & Security Scanning
- Security Center Demo
- Preventing Drift
- ARM, Activity Log & Track Changes Demo
- Desired State Configuration (DSC)
- Azure Desired State Configuration Demo
- Azure Automation State Configuration
- VM Agents & Extensions
- Security & Compliance Pipelines
- Azure Pipelines & Gates Demo
- Course Summary
Jonathan Bethune is a senior technical consultant working with several companies including TopTal, BCG, and Instaclustr. He is an experienced DevOps specialist, data engineer, and software developer. Jonathan has spent years mastering the art of system automation with a variety of different cloud providers and tools. Before he became an engineer, Jonathan was a musician and teacher in New York City. Jonathan is based in Tokyo, where he continues to work in technology and write for various publications in his free time.