I would like to organize Azure Automation Update Management, one of Microsoft's cloud services Azure services.
Azure Automation Update Management seems to be a service that combines Azure Log Analytics and Azure Automation
The point of interest here is
--Because it uses cloud services, communication outside the organizational network is required. --The update itself is with the help of WSUS and Windows Update --The Linux server is also within range
Of course, it can work with VMs on Azure, so if you focus on the on-premises story, Most of the servers themselves are supposed to not communicate outside the organization, but Azure Automation Update Management may be a bottleneck to have to do that. However, there are countermeasures available, so if it can be solved, it will be a convenient service.
In the first place, it's a common practice used by servers to communicate outside the organization, and if it can be used as is, it's better than this. On the other hand, for servers that do not normally communicate with the outside, such as internal file servers, by preparing a Log Analytics gateway, it is possible to communicate with Azure once via that.
As a means to improve the security of communication with Azure, there is a closed network connection method using Express Route. You can use it to communicate securely with Azure Automation Update Management. Communication methods using Express Route include Private Peering and Microsoft Peering, which can be used to prevent communication from going out to the Internet. These two functions will be summarized in a separate article. However, since Azure Automation Update Management is a service with a public IP address, Private Peering cannot be used unless it is combined with a service such as Private Link, and Azure Automation Private Link is a preview, so it is not in the practical stage. On the other hand, Microfoft Peering can be used as it is with public IP, so if you want to use it now, you will probably choose this one.
The above is Azure Automation Update Management from the perspective of a fledgling infrastructure engineer. I've written a lot of negative aspects, but being able to target on-premises and Linux servers is a considerable strength.