|
| 1 | +--- |
| 2 | +title: Best Practices |
| 3 | +description: This article describes best practices to be followed while using Azure VM Image Builder. |
| 4 | +author: sumit-kalra |
| 5 | +ms.service: virtual-machines |
| 6 | +ms.topic: conceptual |
| 7 | +ms.date: 03/25/2024 |
| 8 | +ms.reviewer: mattmcinnes |
| 9 | +ms.subservice: image-builder |
| 10 | +ms.custom: references_regions |
| 11 | +--- |
| 12 | + |
| 13 | +# Best Practices |
| 14 | + |
| 15 | +**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets |
| 16 | + |
| 17 | +This article describes best practices to be followed while using Azure VM Image Builder (AIB). |
| 18 | + |
| 19 | +- To prevent image templates from being accidentally deleted, use resource locks at the image template resource level. For more information, see [Protect your Azure resources with a lock](../azure-resource-manager/management/lock-resources.md). |
| 20 | +- Make sure your image tempaltes are setup for disaster recovery by following [reliability recommendation for AIB](../reliability/reliability-image-builder.md?toc=/azure/virtual-machines/toc.json&bc=/azure/virtual-machines/breadcrumb/toc.json). |
| 21 | +- Set up AIB [triggers](image-builder-triggers-how-to.md) to automatically rebuild your images and keep them updated. |
| 22 | +- Enable [VM Boot Optimization](vm-boot-optimization.md) in AIB to improve the create time for your VMs. |
| 23 | +- Follow the [principle of least privilege](https://learn.microsoft.com/en-us/entra/identity-platform/secure-least-privileged-access) for your AIB resources: |
| 24 | + - **Image Template**: A prinicpal that has access to your image template will be able to run, delete, or tamper with it. This, in turn, will allow the principal to change the images created by that image template. |
| 25 | + - **Staging Resource Group**: AIB uses a staging resource group in your subscription to customize your VM image. You must consider this resource group as sensitive and restrict access to this resource group only to required principals. Since the process of customizing your image takes place in this resource group, a principal with access to the resource group will be able to compromise the image building process - for example, by injecting malware into the image. AIB also delegates priveleges associated with the Template identity and Build VM identity to resources in this resource group. Hence, a principal with access to the resource group will be able to get access to these identities. Further, AIB maintains a copy of your customizer artifacts in this resource group. Hence, a principal with access to the resource group will be able to inspect these copies. |
| 26 | + - **Template Identity**: A principal with access to your template identity will be able to access all resources that the identity has permissions for including your customizer artifacts (for example, shell and PowerShell scripts), your distribution targets (for example, an Azure Compute Gallery image version), and your Virtual Network. Hence, you must provided only the minimum required priveleges to this identity. |
| 27 | + - **Build VM Identity**: A principal with access to your build VM identity will be able to access all resources that the identity has permissions for including any artifacts and Virtual Network that you may be using from within the Build VM using this identity. Hence, you must provided only the minimum required priveleges to this identity. |
0 commit comments