Azure: Installing the Microsoft Antimalware and Log Analytics extensions on VM Scale Sets

I’ve been engaged with a customer over the past few months that hosts multiple virtual machine scale sets across their Azure estate. For the most part, the scale sets are used to offer public-facing web services.

Using scale sets allows them to provide redundancy and improved performance by distributing their web applications across multiple VM instances. Azure load balancers then sit above the scale sets distributing traffic.

Scale sets also give them the ability to scale the number of VM instances as required, either manually or automatically using predefined autoscale rules based on resource usage such as CPU, memory demand or network traffic.

As with any virtual machine, it is important to protect the scale set VM instances by installing the latest security updates and running antimalware to maintain a strong security posture. For scale sets running Windows 2016 VM instances, Windows Defender is built into the OS, but for Windows 2012 R2 this is something that needs to be added and managed separately.

The Azure marketplace offers many third-party security extensions that can be implemented, but in this article I’m going to concentrate on the following two and how to go about installing them.

  • Microsoft Antimalware
  • Log Analytics

Installing the Microsoft Antimalware extension

One way to install the Microsoft Antimalware extension is by browsing to the Extensions blade of the scale set, clicking on the + Add button and then selecting the extension from the popup list.

It’s worth noting that not all extensions are available via the portal, so I tend to use the following PowerShell snippet, which can be found on the Azure virtual machine scale set FAQ page. I have included the link for additional information.

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#how-do-i-turn-on-antimalware-in-my-virtual-machine-scale-set

Once the extension has been installed on the scale set reference image, the image then needs to be rolled out to all of the running VM instances. The simplest way I have found to do this is through the portal.

Browse to the Instances blade of the scale set and then simply select which instances need upgrading. Finally, click the Upgrade button to upgrade them to the latest OS image.

NOTE: If all instances are upgraded at once, the scale set will be offline during the upgrade process.

Installing the Log Analytics extension

Having installed the chosen antimalware extension, it’s important to have some visibility into the health of the scale set. Integration of scale sets into services such as Security Center and Log Analytics is still quite limited, but viewing the logs that are produced can offer some invaluable insight.

Before we go ahead and install the Log Analytics extension, we first need to make a note of the Log Analytics Workspace ID and one of the Workspace Keys. These can be found in a couple of ways; arguably the easiest is by browsing to the Advanced Settings blade of the chosen Log Analytics workspace.

Unlike the Antimalware extension, the Log Analytics extension does not appear in the list accessible through the portal and needs to be installed using either PowerShell or Azure CLI.

The following script, created by Tim Omta, is the method I have tended to use.

https://blogs.msdn.microsoft.com/timomta/2018/04/09/how-to-add-the-oms-client-to-a-vm-scale-set/

Alternatively, the same thing can be achieved with the following single line of Azure CLI:

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#is-it-possible-to-integrate-scale-sets-with-azure-log-analytics

Just as the VM instances required upgrading after the reference image had been updated with the Antimalware extension, the same is true for the Log Analytics extension.

In most production environments, I would recommend installing both extensions first and then upgrading the scale set once from the updated reference image.
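The combined procedure above (add both extensions to the scale set model, then roll the instances), as an added example using the Az PowerShell module; this is not the snippet from the FAQ or Tim Omta’s script. The resource group, scale set and workspace names are placeholders, and the antimalware scan schedule is an assumed setting.

```powershell
# Added example, not the original post's code. Placeholder names below must be
# replaced with your own resource group, scale set and Log Analytics workspace.
$rg            = 'rg-web-prod'     # placeholder
$vmssName      = 'vmss-web'        # placeholder
$workspaceRg   = 'rg-monitoring'   # placeholder
$workspaceName = 'law-prod'        # placeholder

# Read the Workspace ID and primary key from the workspace resource instead of
# pasting them from the Advanced Settings blade; the key never lands on disk.
$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $workspaceRg -Name $workspaceName
$key = (Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $workspaceRg `
        -Name $workspaceName).PrimarySharedKey

$vmss = Get-AzVmss -ResourceGroupName $rg -VMScaleSetName $vmssName

# Microsoft Antimalware: real-time protection on, plus an assumed weekly quick
# scan (day 7 = Saturday, time 120 = 02:00, values defined by the extension).
$amSettings = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = @{ isEnabled = $true; day = 7; time = 120; scanType = 'Quick' }
}
$vmss = Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name 'IaaSAntimalware' `
    -Publisher 'Microsoft.Azure.Security' -Type 'IaaSAntimalware' `
    -TypeHandlerVersion '1.5' -AutoUpgradeMinorVersion $true -Setting $amSettings

# Log Analytics agent: the workspace ID is public configuration, the workspace
# key goes in ProtectedSetting only, so it is encrypted and not readable in the model.
$vmss = Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name 'MicrosoftMonitoringAgent' `
    -Publisher 'Microsoft.EnterpriseCloud.Monitoring' -Type 'MicrosoftMonitoringAgent' `
    -TypeHandlerVersion '1.0' -AutoUpgradeMinorVersion $true `
    -Setting @{ workspaceId = $ws.CustomerId.ToString() } `
    -ProtectedSetting @{ workspaceKey = $key }

# Commit both extensions to the scale set model in a single update...
Update-AzVmss -ResourceGroupName $rg -Name $vmssName -VirtualMachineScaleSet $vmss

# ...then upgrade only the instances not yet on the latest model, one at a time,
# so the scale set stays in service rather than going offline all at once.
$instances = Get-AzVmssVM -ResourceGroupName $rg -VMScaleSetName $vmssName
foreach ($i in $instances) {
    if ($i.LatestModelApplied) { continue }
    Update-AzVmssInstance -ResourceGroupName $rg -VMScaleSetName $vmssName -InstanceId $i.InstanceId
}
```

Each `Update-AzVmssInstance` call reimages that instance, so pair the loop with a health probe or a pause if the load balancer needs time to pick the instance back up.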

Deleting a virtual machine scale set extension

Having stepped through installing both extensions, it’s worth covering how to remove them. Even though it’s not possible to install both via the portal, it is possible to remove them manually through the GUI.

For completeness, the following PowerShell script can also be used to remove extensions from VM scale sets.

As a final note, I’m aware that over the coming months the integration between Azure Security Center and VM Scale Sets is likely to improve. As things change, I plan to feed back on the key improvements.
