Vulnerability management for Azure AI Foundry

Note

The information in this article is specific to a hub-based project, and doesn't apply to an Azure AI Foundry project. See How do I know which type of project I have? and Create a hub-based project.

Vulnerability management is the process of detecting, assessing, mitigating, and reporting security vulnerabilities in an organization's systems and software. It's a shared responsibility between you and Microsoft.

This article covers your responsibilities and the vulnerability management controls that Azure AI Foundry provides. Learn how to keep your service instance and apps up to date with the latest security updates and reduce the window of opportunity for attackers.

Microsoft-managed VM images

Microsoft manages host OS virtual machine (VM) images for compute instances and serverless compute clusters. Updates are monthly and include the following details:

  • For each new VM image version, Microsoft sources the latest OS updates from the original publisher. Using the latest updates helps ensure you get all applicable OS patches. For Azure AI Foundry, Canonical publishes all Ubuntu images.

  • VM images are updated monthly.

  • In addition to the publisher's patches, Microsoft updates system packages as updates become available.

  • Microsoft checks and validates any machine learning packages that might require an upgrade. In most circumstances, new VM images contain the latest package versions.

  • All VM images are built on secure subscriptions that run vulnerability scanning regularly. Microsoft flags any unaddressed vulnerabilities and fixes them within the next release.

  • Most images use a monthly release cadence. For compute instances, the image release aligns with the release cadence of the Azure Machine Learning SDK that's preinstalled in the environment.

Microsoft also applies hotfixes when vulnerabilities surface. Microsoft rolls out hotfixes within 72 hours for serverless compute clusters and within a week for compute instances.

Note

The host OS isn't the OS version you specify for an environment when you train or deploy a model. Environments run inside Docker. Docker runs on the host OS.

Microsoft-managed container images

Base Docker images that Microsoft maintains for Azure AI Foundry receive frequent security patches to fix newly discovered vulnerabilities.

Microsoft updates supported images every two weeks to fix vulnerabilities. The goal is zero vulnerabilities older than 30 days in the latest supported images.

Microsoft releases patched images with a new immutable tag and an updated :latest tag. Using the :latest tag or pinning a specific image version is a tradeoff between security and environment reproducibility for your machine learning job.

Managing environments and container images

In the Azure AI Foundry portal, Docker images provide the runtime environment for prompt flow deployments. These images start from an Azure AI Foundry base image.

Although Microsoft patches base images with each release, using the latest image is a tradeoff between reproducibility and vulnerability management. You choose the environment version for your jobs or model deployments.

By default, dependencies are layered on top of base images when you're building an image. After you install extra dependencies on Microsoft-provided images, you're responsible for vulnerability management.

Your Azure AI Foundry hub includes an Azure Container Registry instance that caches container images. When an image is built, it's pushed to the container registry. The workspace uses the cached image when you deploy the corresponding environment.

The hub doesn't delete any image from your container registry. Review the need for each image over time. To monitor and maintain environment hygiene, use Microsoft Defender for Container Registry to scan your images for vulnerabilities. To automate processes based on Microsoft Defender triggers, see Automate remediation responses.

Vulnerability management on compute hosts

Managed compute nodes in the Azure AI Foundry portal use Microsoft-managed OS VM images. When you provision a node, it pulls the latest VM image. This behavior applies to compute instances, serverless compute clusters, and managed inference compute.

Although OS VM images are regularly patched, Microsoft doesn't actively scan compute nodes for vulnerabilities while they're in use. For an extra layer of protection, consider network isolation for your compute nodes.

Ensuring that your environment is up to date and that compute nodes use the latest OS version is a shared responsibility between you and Microsoft. The service doesn't update busy nodes to the latest VM image. Considerations are slightly different for each compute type, as listed in the following sections.

Compute instance

Compute instances get the latest VM image at provisioning. Microsoft releases new VM images monthly. After you deploy a compute instance, it doesn't receive ongoing image updates. To stay current with the latest software updates and security patches, use one of these methods:

  • Re-create a compute instance to get the latest OS image (recommended).

    If you use this method, you'll lose data and customizations (such as installed packages) stored on the instance's OS disk and temporary disk.

    Learn more about image releases in the Azure Machine Learning compute instance image release notes.

  • Regularly update OS and Python packages.

    • Use Linux package management tools to update the package list with the latest versions:

      sudo apt-get update
      
    • Use Linux package management tools to upgrade packages to the latest versions. Package conflicts might occur when you use this approach.

      sudo apt-get upgrade
      
    • Use Python package management tools to upgrade packages and check for updates:

      pip list --outdated
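
A read-only preview of what the update steps above would change, as an added example that is not part of the original article: it parses the output of `apt-get -s upgrade` (simulation mode) and `pip list --outdated --format=json`, then separates security-pocket updates from other updates and lists packages that `apt-get upgrade` would hold back. The embedded sample output, package names, and versions are constructed.

```python
import json
import re
# Constructed output of `apt-get -s upgrade` (-s simulates; nothing is changed).
APT_SIMULATION = """\
The following packages have been kept back:
  linux-generic
The following packages will be upgraded:
  libssl3 openssl tzdata
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst openssl [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst tzdata [2023c-0ubuntu0.22.04.1] (2023c-0ubuntu0.22.04.2 Ubuntu:22.04/jammy-updates [all])
Conf libssl3 (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
"""
# Constructed output of `pip list --outdated --format=json`.
PIP_OUTDATED = '[{"name": "requests", "version": "2.28.0", "latest_version": "2.31.0", "latest_filetype": "wheel"}]'

INST = re.compile(r"^Inst (\S+) (?:\[([^\]]+)\] )?\((\S+) ([^)]*)\)")

def parse_apt_simulation(text):
    """Return (pending upgrades, kept-back package names)."""
    pending, kept_back, in_kept = [], [], False
    for line in text.splitlines():
        if line.startswith("The following packages have been kept back:"):
            in_kept = True
            continue
        if in_kept and line.startswith("  "):
            kept_back.extend(line.split())  # held: upgrading would add or remove packages
            continue
        in_kept = False
        m = INST.match(line)  # only "Inst" lines count; "Conf" lines repeat the same packages
        if m:
            name, old, new, origins = m.groups()
            # Ubuntu ships security fixes from the <release>-security pocket.
            pending.append({"name": name, "installed": old, "candidate": new,
                            "security": "-security" in origins})
    return pending, kept_back

def report(apt_text, pip_text):
    pending, kept_back = parse_apt_simulation(apt_text)
    return {
        "apt_security": sorted(p["name"] for p in pending if p["security"]),
        "apt_other": sorted(p["name"] for p in pending if not p["security"]),
        "apt_kept_back": kept_back,
        "pip_outdated": [(p["name"], p["version"], p["latest_version"]) for p in json.loads(pip_text)],
    }

if __name__ == "__main__":
    print(json.dumps(report(APT_SIMULATION, PIP_OUTDATED), indent=2))
```

Kept-back packages are the ones most likely to need manual resolution, which is where the package conflicts mentioned above tend to appear.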
      

Install and run additional scanning software on the compute instance to scan for security issues:

  • Use Trivy to discover OS and Python package-level vulnerabilities.
  • Use ClamAV to discover malware. It comes preinstalled on compute instances.
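
One way to triage a Trivy scan of a compute instance, as an added example that is not part of the original article: it reads a report in Trivy's JSON layout (for example from `trivy rootfs --format json`) and splits findings at or above a severity floor into OS packages with a fix, language packages with a fix, and findings with no fix yet. The sample report, vulnerability IDs, package names, and versions are constructed placeholders, and the bucket names are this example's own.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in Trivy's JSON layout; IDs and versions are placeholders.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "host (ubuntu)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
         "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "bash",
         "InstalledVersion": "5.0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "tar",
         "InstalledVersion": "1.3", "FixedVersion": "1.4", "Severity": "LOW"}]},
    {"Target": "Python", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "examplepkg",
         "InstalledVersion": "2.0", "FixedVersion": "2.1", "Severity": "CRITICAL"}]},
    {"Target": "clean-target", "Class": "lang-pkgs"},  # no findings: key is absent
]})

def triage(report_text, min_severity="HIGH"):
    """Split findings at or above min_severity by how they can be remediated."""
    floor = SEVERITY_RANK[min_severity]
    buckets = {"apt_upgrade": [], "language_pkgs": [], "no_fix_yet": []}
    for result in json.loads(report_text).get("Results") or []:
        # Targets without findings omit "Vulnerabilities" (or set it to null).
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < floor:
                continue
            item = (v["VulnerabilityID"], v["PkgName"], v.get("FixedVersion", ""))
            if not v.get("FixedVersion"):
                buckets["no_fix_yet"].append(item)     # patching alone cannot close this
            elif result.get("Class") == "os-pkgs":
                buckets["apt_upgrade"].append(item)    # fixed by an OS package upgrade
            else:
                buckets["language_pkgs"].append(item)  # on a compute instance, mostly Python
    return buckets

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```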

Installing the Microsoft Defender for Servers agent isn't supported.

Endpoints

Endpoints automatically receive OS host image updates with vulnerability fixes. Microsoft updates images at least once a month.

Compute nodes automatically upgrade to the latest VM image version when it's released. You don't need to do anything.
