CRITICAL Update to v5.7.2 - Breaking Changes coming to Azure Compute Gallery (ACG) (Planned)

Hello Nerdio Community!!!

I'm reaching out here to spread the word on some upcoming changes Microsoft will be implementing regarding the Azure Compute Gallery. You may have received a notice similar to the one below earlier this month (Feb 2025) regarding these "Breaking Changes" related to Azure Compute Gallery permission/SDK changes. These changes WILL impact Nerdio Manager for MSP versions prior to v5.7.2. These changes will take place in Azure on March 15th, 2025, impacting Nerdio's imaging process. Please see our release notes HERE. Thank you, and as always, please reach out to our support team at nmm.support@getnerdio.com if you have any questions.

This is a sample of the notice you may have received from Microsoft addressed by Nerdio Manager for MSP v5.7.2:

Update your permission for ACG image publishing by 15 March 2025

You’re receiving this notice because you use Azure Compute Gallery.

We're conducting important security-related updates that’ll be implemented in the coming weeks to the Azure Compute Gallery (ACG) image creation process that’ll impact your resource(s). These updates will impact your resource(s) if you currently use ACG to create your custom Virtual Machine (VM) images. Immediate action is required to prevent any interruptions in your VM Image publishing process.

Previously, to import a VM into an ACG Image in the same subscription, 'read' access was required on the VM. Additionally, to import a blob into an ACG Image in the same subscription, 'write' access was required on the storage account.

To ensure consistency in security models across VM Image creation workflows, starting 15 March 2025, it will be required to have 'write' access on the source VM and 'listKeys/action' on the storage account during VM Image creation in the same-subscription workflow (VM/Blob source and Target Image in the same subscription). This requirement aligns with other image creation workflows (e.g., VM/Blob source and Target Image in different subscriptions).

Required action

To prevent VM Image version creation failures when importing VMs and blobs into ACG Image, it’s required that you take the following action by 15 March 2025:

  1. If you use VMs as source to create ACG Image versions where the source VM and target ACG Image will be created in the same subscription:
    • Please move to using the 'properties.storageProfile.source.virtualMachineId' property, as the old property 'properties.storageProfile.source.Id' will be retiring for VM source. The new property requires api-version 2023-07-03 or version 1.4.0 (or higher) of the .NET SDK.
    • Ensure that the Identity (user/service principal, etc.) creating the Image has the 'write' permission on the source VM.
  2. If you use blobs as source to create ACG Image versions:

Refer to the ACG documentation to learn more about the required permissions on different source types when creating an ACG Image. Please visit Azure built-in roles and granting RBAC permissions for additional information. You can review existing permissions on resources using this article.

If you'd like to test the new permission, you can do so by adding the following tag to your VM:

  • Tag 'acg_allow_capturevm_with_permission' with value 'write'.
    • write: this value ensures that users can't create an image without 'write' permission on the source VM.

Help and support

If you have any questions or concerns, please open a support case through the Azure Portal and refer to tracking ID: 0TNP-9X8. Stay up to date on important security events by configuring Service Health alerts in the Azure Portal.

Links provided herein may take you to a third-party website and are provided for convenience only. Third-party websites are subject to the third-party's terms and privacy statements.
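The notice above boils down to three checks an MSP can automate before the cut-over: does the creating identity hold 'write' on the source VM (or 'listKeys/action' on the storage account for a blob source), is the image-version request still using the retiring storageProfile.source.id property, and is the request sent at api-version 2023-07-03 or later. The example below is added here and is not Nerdio's or Microsoft's code. It models Azure RBAC wildcard matching over role definitions, builds the gallery image version PUT target and bodies, and flags legacy bodies. The role definitions, subscription, resource group, gallery and VM names are constructed for illustration and are abbreviated, not verbatim built-in roles; the blob-source field names (storageAccountId, uri) are taken from the Compute REST API schema and are an assumption beyond what the notice itself states.

```python
"""Pre-flight check and request shapes for ACG image-version creation under the
permission model the notice describes (same-subscription VM or blob source).

Added example for this post, not Nerdio's or Microsoft's code. Role definitions,
resource IDs and names below are constructed for illustration.
"""
import re
from typing import Iterable

API_VERSION = "2023-07-03"  # first api-version exposing source.virtualMachineId

# Actions the notice says the creating identity needs on the *source* resource.
# (Permissions on the target gallery itself are unchanged and not checked here.)
REQUIRED_ACTIONS = {
    "vm": "Microsoft.Compute/virtualMachines/write",
    "blob": "Microsoft.Storage/storageAccounts/listKeys/action",
}

# Tag the notice suggests adding to a VM to test the new check before the cut-over.
TEST_TAG = {"acg_allow_capturevm_with_permission": "write"}


def _matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters, including '/',
    and the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role: dict, action: str) -> bool:
    """A single role grants an action when some Actions entry matches it and
    no NotActions entry in the same role excludes it."""
    actions = [a for p in role["permissions"] for a in p.get("actions", [])]
    not_actions = [a for p in role["permissions"] for a in p.get("notActions", [])]
    if any(_matches(p, action) for p in not_actions):
        return False
    return any(_matches(p, action) for p in actions)


def missing_actions(roles: Iterable[dict], source_kind: str) -> list[str]:
    """Required source actions that none of the identity's roles grants.
    Effective permission is the union over assigned roles, so a NotActions
    entry in one role does not cancel a grant from another."""
    roles = list(roles)
    return [a for a in [REQUIRED_ACTIONS[source_kind]]
            if not any(role_grants(r, a) for r in roles)]


def image_version_url(sub: str, rg: str, gallery: str, image: str, version: str) -> str:
    """PUT target for a gallery image version at the api-version the notice requires."""
    return (f"https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.Compute/galleries/{gallery}/images/{image}"
            f"/versions/{version}?api-version={API_VERSION}")


def vm_source_body(location: str, source_vm_id: str) -> dict:
    """Request body using the new virtualMachineId property instead of the
    retiring storageProfile.source.id for a VM source."""
    return {"location": location,
            "properties": {"storageProfile": {"source": {"virtualMachineId": source_vm_id}}}}


def blob_source_body(location: str, storage_account_id: str, vhd_uri: str) -> dict:
    """Request body for a VHD blob source (field names assumed from the Compute
    REST schema); the identity needs listKeys/action on the storage account."""
    return {"location": location,
            "properties": {"storageProfile": {"osDiskImage": {"source": {
                "storageAccountId": storage_account_id, "uri": vhd_uri}}}}}


def needs_migration(body: dict) -> bool:
    """True if an existing request body still points a VM source at
    storageProfile.source.id, which the notice says is retiring."""
    source = body.get("properties", {}).get("storageProfile", {}).get("source", {})
    return "/providers/microsoft.compute/virtualmachines/" in source.get("id", "").lower()


# Constructed, abbreviated role definitions in the shape of
# Microsoft.Authorization/roleDefinitions (not verbatim built-in roles).
READER = {"roleName": "Reader",
          "permissions": [{"actions": ["*/read"], "notActions": []}]}
VM_CONTRIBUTOR = {"roleName": "Virtual Machine Contributor",
                  "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*"],
                                   "notActions": []}]}
STORAGE_CONTRIBUTOR = {"roleName": "Storage Account Contributor",
                       "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/*"],
                                        "notActions": []}]}

if __name__ == "__main__":
    # Before 15 March 2025 'read' on the source VM was enough; afterwards it is not.
    print("Reader only, VM source   ->", missing_actions([READER], "vm"))
    print("Reader + VM Contributor  ->", missing_actions([READER, VM_CONTRIBUTOR], "vm"))
    print("Reader only, blob source ->", missing_actions([READER], "blob"))
    old = {"location": "eastus", "properties": {"storageProfile": {"source": {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
              "/providers/Microsoft.Compute/virtualMachines/golden-vm"}}}}
    print("legacy body needs migration:", needs_migration(old))
```

To use this against a real tenant, feed `missing_actions` the role definitions returned for the identity's role assignments scoped at the source VM or storage account (including inherited assignments from the resource group and subscription), and run `needs_migration` over the bodies your imaging automation sends; anything it flags must switch to `vm_source_body` and the 2023-07-03 api-version before the cut-over.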
