Understand the guest configuration feature of Azure Policy
Azure Policy's guest configuration feature provides native capability to audit or configure operating system settings as code for machines running in Azure.
The feature can be used directly per-machine, or at-scale orchestrated by Azure Policy.
Configuration resources in Azure are designed as an extension resource. You can imagine each configuration as an additional set of properties for the machine. Configurations can include settings such as:
- Operating system settings
- Application configuration or presence
- Environment settings
Configurations are distinct from policy definitions. Guest configuration utilizes Azure Policy to dynamically assign configurations to machines. You can also assign configurations to machines manually.
Examples of each scenario are provided in the following table.
| Type | Description | Example story |
|---|---|---|
| Configuration management | You want a complete representation of a server, as code in source control. The deployment should include properties of the server (size, network, storage) and configuration of operating system and application settings. | "This machine should be a web server configured to host my website." |
| Compliance | You want to audit or deploy settings to all machines in scope either reactively to existing machines or proactively to new machines as they are deployed. | "All machines should use TLS 1.2. Audit existing machines so I can release change where it is needed, in a controlled way, at scale. For new machines, enforce the setting when they are deployed." |
The per-setting results from configurations can be viewed either in the Guest assignments page or if the configuration is orchestrated by an Azure Policy assignment, by clicking on the "Last evaluated resource" link on the "Compliance details" page.
Enable guest configuration
To manage the state of machines in your environment, including machines in Azure , review the following details.
Resource provider
Before you can use the guest configuration feature of Azure Policy, you must
register the Microsoft.GuestConfiguration resource provider. If assignment of
a guest configuration policy is done through the portal, or if the subscription
is enrolled in Microsoft Defender for Cloud, the resource provider is registered
automatically. You can manually register through the
portal,
Azure PowerShell,
or
Azure CLI.
Deploy requirements for Azure virtual machines
To manage settings inside a machine, a virtual machine extension is enabled and the machine must have a system-managed identity. The extension downloads applicable guest configuration assignment and the corresponding dependencies. The identity is used to authenticate the machine as it reads and writes to the guest configuration service.
Important
The guest configuration extension and a managed identity are required to manage Azure virtual machines.
If you prefer to deploy the extension and managed identity to a single machine, follow the guidance for each:
- Overview of the Azure Policy Guest Configuration extension
- Configure managed identities for Azure resources on a VM using the Azure portal
To use guest configuration packages that apply configurations, Azure VM guest configuration extension version 1.29.24 or later is required.
Limits set on the extension
To limit the extension from impacting applications running inside the machine, the guest configuration agent isn't allowed to exceed more than 5% of CPU. This limitation exists for both built-in and custom definitions.
Validation tools
Inside the machine, the guest configuration agent uses local tools to perform tasks.
The following table shows a list of the local tools used on each supported operating system. For built-in content, guest configuration handles loading these tools automatically.
| Operating system | Validation tool | Notes |
|---|---|---|
| Windows | PowerShell Desired State Configuration v3 | Side-loaded to a folder only used by Azure Policy. Won't conflict with Windows PowerShell DSC. PowerShell Core isn't added to system path. |
| Linux | PowerShell Desired State Configuration v3 | Side-loaded to a folder only used by Azure Policy. PowerShell Core isn't added to system path. |
| Linux | Chef InSpec | Installs Chef InSpec version 2.2.61 in default location and added to system path. Dependencies for the InSpec package including Ruby and Python are installed as well. |
Validation frequency
The guest configuration agent checks for new or changed guest assignments every 5 minutes. Once a guest assignment is received, the settings for that configuration are rechecked on a 15-minute interval. If multiple configurations are assigned, each is evaluated sequentially. Long-running configurations impact the interval for all configurations, because the next will not run until the prior configuration has finished.
Results are sent to the guest configuration service when the audit completes. When a policy evaluation trigger occurs, the state of the machine is written to the guest configuration resource provider. This update causes Azure Policy to evaluate the Azure Resource Manager properties. An on-demand Azure Policy evaluation retrieves the latest value from the guest configuration resource provider. However, it doesn't trigger a new activity within the machine. The status is then written to Azure Resource Graph.
Supported client types
Guest configuration policy definitions are inclusive of new versions. Older versions of operating systems available in Azure Marketplace are excluded if the Guest Configuration client isn't compatible. The following table shows a list of supported operating systems on Azure images. The ".x" text is symbolic to represent new minor versions of Linux distributions.
| Publisher | Name | Versions |
|---|---|---|
| Amazon | Linux | 2 |
| Canonical | Ubuntu Server | 14.04 - 20.x |
| Credativ | Debian | 8 - 10.x |
| Microsoft | Windows Server | 2012 - 2022 |
| Microsoft | Windows Client | Windows 10 |
| Oracle | Oracle-Linux | 7.x-8.x |
| OpenLogic | CentOS | 7.3 -8.x |
| Red Hat | Red Hat Enterprise Linux* | 7.4 - 8.x |
| SUSE | SLES | 12 SP3-SP5, 15.x |
* Red Hat CoreOS isn't supported.
Custom virtual machine images are supported by guest configuration policy definitions as long as they're one of the operating systems in the table above.
Network requirements
Virtual machines in Azure can use either their local network adapter or a private link to communicate with the guest configuration service.
Communicate over virtual networks in Azure
To communicate with the guest configuration resource provider in Azure, machines require outbound access to Azure datacenters on port 443. If a network in Azure doesn't allow outbound traffic, configure exceptions with Network Security Group rules. The service tags "GuestAndHybridManagement" and "Storage" can be used to reference the guest configuration and Storage services rather than manually maintaining the list of IP ranges for Azure datacenters. Both tags are required because guest configuration content packages are hosted by Azure Storage.
Communicate over Private Link in Azure
Virtual machines can use
private link
for communication to the guest configuration service. Apply tag with the name
EnablePrivateNetworkGC and value TRUE to enable this feature. The tag can be
applied before or after guest configuration policy definitions are applied to
the machine.
Traffic is routed using the Azure virtual public IP address to establish a secure, authenticated channel with Azure platform resources.
Managed identity requirements
Policy definitions in the initiative Deploy prerequisites to enable guest configuration policies on virtual machines enable a system-assigned managed identity, if one doesn't exist. There are two policy definitions in the initiative that manage identity creation. The IF conditions in the policy definitions ensure the correct behavior based on the current state of the machine resource in Azure.
Availability
Customers designing a highly available solution should consider the redundancy planning requirements for virtual machines because guest assignments are extensions of machine resources in Azure. When guest assignment resources are provisioned in to an Azure region that is paired, as long as at least one region in the pair is available, then guest assignment reports are available. If the Azure region isn't paired and it becomes unavailable, then it isn't possible to access reports for a guest assignment until the region is restored.
When considering an architecture for highly available applications, especially where virtual machines are provisioned in Availability Sets behind a load balancer solution to provide high availability, it's best practice to assign the same policy definitions with the same parameters to all machines in the solution. If possible, a single policy assignment spanning all machines would offer the least administrative overhead.
For machines protected by Azure Site Recovery, ensure that machines in a secondary site are within scope of Azure Policy assignments for the same definitions using the same parameter values as machines in the primary site.
Data residency
Guest configuration stores/processes customer data. By default, customer data is replicated to the paired region. For single resident region all customer data is stored and processed in the region.
Troubleshooting guest configuration
For more information about troubleshooting guest configuration, see Azure Policy troubleshooting.
Multiple assignments
Guest configuration policy definitions currently only support assigning the same guest assignment once per machine when the policy assignment uses different parameters.
Assignments to Azure Management Groups
Azure Policy definitions in the category 'Guest Configuration' can be assigned to Management Groups only when the effect is 'AuditIfNotExists'. Policy definitions with effect 'DeployIfNotExists' aren't supported as assignments to Management Groups.
Client log files
The guest configuration extension writes log files to the following locations:
Windows: C:\ProgramData\GuestConfig\gc_agent_logs\gc_agent.log
Linux
- Azure VM:
/var/lib/GuestConfig/gc_agent_logs/gc_agent.log
Collecting logs remotely
The first step in troubleshooting guest configuration configurations or modules should be to use the cmdlets following the steps in How to test guest configuration package artifacts. If that isn't successful, collecting client logs can help diagnose issues.
Windows
Capture information from log files using Azure VM Run Command, the following example PowerShell script can be helpful.
$linesToIncludeBeforeMatch = 0
$linesToIncludeAfterMatch = 10
$logPath = 'C:\ProgramData\GuestConfig\gc_agent_logs\gc_agent.log'
Select-String -Path $logPath -pattern 'DSCEngine','DSCManagedEngine' -CaseSensitive -Context $linesToIncludeBeforeMatch,$linesToIncludeAfterMatch | Select-Object -Last 10
Linux
Capture information from log files using Azure VM Run Command, the following example Bash script can be helpful.
linesToIncludeBeforeMatch=0
linesToIncludeAfterMatch=10
logPath=/var/lib/GuestConfig/gc_agent_logs/gc_agent.log
egrep -B $linesToIncludeBeforeMatch -A $linesToIncludeAfterMatch 'DSCEngine|DSCManagedEngine' $logPath | tail
Agent files
The guest configuration agent downloads content packages to a machine and extracts the contents. To verify what content has been downloaded and stored, view the folder locations given below.
Windows: c:\programdata\guestconfig\configuration
Linux: /var/lib/GuestConfig/Configuration
Next steps
- Setup a custom guest configuration package development environment.
- Create a package artifact for guest configuration.
- Test the package artifact from your development environment.
- Use the
GuestConfigurationmodule to create an Azure Policy definition for at-scale management of your environment. - Assign your custom policy definition using Azure portal.
- Learn how to view compliance details for guest configuration policy assignments.