{"id":79331,"date":"2026-04-01T11:17:35","date_gmt":"2026-04-01T05:47:35","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=79331"},"modified":"2026-04-06T10:55:46","modified_gmt":"2026-04-06T05:25:46","slug":"patching-azure-virtual-machines-from-aws-systems-manager-using-hybrid-activation","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/patching-azure-virtual-machines-from-aws-systems-manager-using-hybrid-activation\/","title":{"rendered":"Patching Azure Virtual Machines from AWS Systems Manager using Hybrid Activation"},"content":{"rendered":"

Patching Azure VMs from AWS Systems Manager using Hybrid Activation<\/span><\/h1>\n

Each cloud platform provides its own native tools, which can lead to fragmented processes and increased administrative overhead. To address this challenge, AWS Systems Manager (SSM) offers a powerful solution through its Hybrid Activation feature. This capability allows non-AWS machines, such as Azure Virtual Machines (VMs), to be registered as managed instances within AWS.
\n<\/span>Once registered, these Azure VMs can be managed centrally using AWS Systems Manager\u2014just like Amazon EC2 instances\u2014enabling streamlined patching, monitoring, and automation from a single interface.<\/span><\/p>\n

This blog provides a step-by-step guide to patch Azure Virtual Machines using AWS Systems Manager through Hybrid Activation.<\/span><\/p>\n

Pre-requisites
\n<\/strong>Before beginning the setup, ensure the following requirements are met:<\/span><\/span><\/h1>\n
    \n
  • AWS Account Access<\/strong><\/span>
    \nAn active AWS account with sufficient permissions for:<\/span>
    \nAWS Systems Manager<\/span>
    \nIAM (Identity and Access Management)<\/span>
    \nHybrid Activation<\/span><\/li>\n
  • SSM Agent Installation Permissions<\/strong><\/span>
    \nAn IAM role with the policy:<\/span>
    \nAmazonSSMManagedInstanceCore attached<\/span><\/li>\n
  • Server Access<\/span><\/strong>
    \nSSH access for Linux VMs<\/span>
    \nRDP access for Windows VMs<\/span><\/li>\n<\/ul>\n

    Solution Architecture Diagram:
    \n<\/strong><\/span><\/h1>\n

    \"im1\"<\/p>\n


    \nStep-by-Step Procedure:<\/span><\/strong><\/h1>\n

    Step 1: Create Hybrid Activation in AWS<\/span><\/strong>
    \nTo begin, we need to generate an Activation Code and Activation ID.<\/span><\/p>\n

      \n
    • Go to the AWS Console<\/strong> (https:\/\/ap-south-1.console.aws.amazon.com\/systems-manager\/home)<\/span><\/li>\n
    • Open AWS Systems Manager<\/strong>.<\/span><\/li>\n
    • In the left panel click:<\/span>
      \nClick Create activation<\/strong>.<\/span><\/li>\n<\/ul>\n

      \"img3\"<\/p>\n

      \"\"<\/p>\n

      Note(Activation Expiry date):<\/strong> This date specifies when the activation expires. If you want to register additional managed instances after the expiry date, you must create a new activation. This expiry date has no impact on already registered and running instances.
      \n<\/span>After you have entered the details, click Create Activation, Activation-Code and Activation-ID will be created.
      \n<\/span>Save this info, as it will be not generated again:
      \n<\/span><\/p>\n

      \"img3\"<\/p>\n

      Step 2: Script to Install SSM Agent on Azure Virtual Machines<\/strong><\/span>
      \nTo enable AWS Systems Manager integration, install and register the SSM Agent on each Azure VM.<\/span>
      \nBelow is a script (bulk_ssm_install.sh)<\/strong> that:<\/span>
      \nDownloads the SSM Agent<\/strong><\/span>
      \nInstalls it<\/span><\/strong>
      \nRegisters<\/strong> the VM with AWS Systems Manager<\/strong><\/span><\/p>\n

      After running this script, the machine (for example an Azure VM) will appear in AWS Systems Manager as a Managed Instance.<\/span><\/p>\n\n\n\n
      #!\/bin\/bash<\/span><\/p>\n

      set -e<\/span><\/p>\n

      echo “\u27a1 Downloading Amazon SSM Agent package…”<\/span>
      \nwget -q https:\/\/amazon-ssm-ap-south-1.s3.ap-south-1.amazonaws.com\/latest\/debian_amd64\/amazon-ssm-agent.deb -O \/tmp\/amazon-ssm-agent.deb<\/span><\/p>\n

      echo “\u27a1 Installing Amazon SSM Agent…”<\/span>
      \nsudo dpkg -i \/tmp\/amazon-ssm-agent.deb<\/span><\/p>\n

      echo “\u27a1 Enabling amazon-ssm-agent service…”<\/span>
      \nsudo systemctl enable amazon-ssm-agent<\/span><\/p>\n

      echo “\u27a1 Registering SSM Agent…”<\/span>
      \nsudo amazon-ssm-agent -register \\<\/span>
      \n-code “ACTIVATION_CODE” \\<\/span>
      \n-id “ACTIVATION_ID” \\<\/span>
      \n-region “ap-south-1”<\/span><\/p>\n

      echo “\u27a1 Restarting SSM Agent…”<\/span>
      \nsudo systemctl restart amazon-ssm-agent<\/span><\/p>\n

      echo “\u2714 SSM Agent installation & registration completed successfully”<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      Step 3: Automating Installation Across Multiple VMs<\/strong><\/span>
      \nTo install the SSM Agent<\/strong> on multiple Azure VMs, follow these steps:<\/span><\/p>\n

      1. Create a CSV File<\/span><\/strong>
      \nPrepare a file (vm_list_cpt_dev.csv)<\/strong> with VM details.<\/span>
      \nNote: The vm_list_cpt_dev.csv file<\/strong> will be like below format:<\/span><\/p>\n\n\n\n
      vm_name,resource_group<\/span>
      \nvm1,rg1<\/span>
      \nvm2,rg2<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      \"img5\"<\/p>\n

      2. Bulk installation using below Automation Script<\/span><\/strong>
      \nBelow automation script (run_updates.sh)<\/strong> reads the CSV<\/strong> file and executes the installation script on each VM using Azure CLI.<\/span>
      \nThis script reads VM list csv file and executes (bulk_ssm_install.sh) on each VM. This enables bulk deployment of the SSM Agent across multiple Azure VMs efficiently.<\/span><\/p>\n\n\n\n
      #!\/bin\/bash<\/span><\/p>\n

      SCRIPT_FILE=”bulk_ssmvm_install.sh”<\/span><\/p>\n

      if [ ! -f “$SCRIPT_FILE” ]; then<\/span>
      \necho “Script $SCRIPT_FILE not found!”<\/span>
      \nexit 1<\/span>
      \nfi<\/span><\/p>\n

      while IFS=, read -r vm rg<\/span>
      \ndo<\/span>
      \nif [ “$vm” != “vm_name” ]; then<\/span>
      \necho “Running script on VM: $vm in Resource Group: $rg”<\/span>
      \naz vm run-command invoke \\<\/span>
      \n–command-id RunShellScript \\<\/span>
      \n–name “$vm” \\<\/span>
      \n–resource-group “$rg” \\<\/span>
      \n–scripts @”$SCRIPT_FILE” \\<\/span>
      \n–output table<\/span>
      \nfi<\/span>
      \ndone < vm_list_cpt_dev.csv<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n


      \nStep 4: Resolve Common Patching Errors<\/span><\/strong>
      \nDuring patching, issues such as dpkg<\/strong> errors or sudoers<\/strong> misconfiguration<\/strong> may occur on some VMs.<\/span>
      \nTo address these, use the following script (patching_error.sh):<\/span><\/p>\n\n\n\n
      #!\/bin\/bash<\/span><\/p>\n

      set -e<\/span><\/p>\n

      dpkg –configure -a<\/span>
      \nchattr -i \/etc\/sudoers<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      Step 5: Set Azure Subscription Context<\/strong><\/span>
      \nIf your Azure account contains multiple subscriptions (e.g., Dev, Test, Production), set the correct subscription before executing scripts:<\/span>
      \nAzure accounts can have multiple subscriptions. This command tells Azure CLI which subscription you want to patch with before running other defined scripts.<\/span><\/p>\n\n\n\n
      az account set –subscription “SUBSCRIPTION_NAME”<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      This helps stabilize the system before initiating patch operations. You will get the error on VM while doing scan only on AWS patch manager.<\/span><\/p>\n

      Step 6: Register Azure VMs in AWS Systems Manager<\/strong><\/span>
      \nSince all script setup has been done, now execute run_updates.sh to start the VM registering process:
      \n.\/run_updates.sh
      \n<\/span><\/p>\n

      This will:
      \n<\/span><\/strong>Install the SSM Agent<\/strong><\/span>
      \nRegister<\/strong> Azure VMs as Hybrid Managed Instances<\/span>
      \nMake them visible in AWS Systems Manager<\/strong><\/span><\/p>\n

      \"img6\"<\/p>\n

      Perform Patch Scan or Patch Installation on Azure VMs:
      \n<\/span><\/strong>Now all the VMs are registered on AWS Systems Manager as Managed Nodes<\/strong>:
      \n<\/span><\/p>\n

      \"img7\"<\/p>\n

      Once your Azure VMs are registered in AWS Systems Manager as Hybrid Managed Instances, you can use Patch Manager to check for missing patches and apply updates. This step covers how to perform patch scanning only and after that patch\u00a0 installation.<\/span><\/p>\n

      Step 7: Perform Patch Scan<\/strong>
      \nHow to Run Patch Scan:<\/span>
      \nOpen AWS Systems Manager Console<\/strong><\/span>
      \nNavigate to Patch Manager<\/strong><\/span>
      \nClick \u201cPatch Now\u201d<\/span>
      \nSelect Operation Type: \u201cScan<\/strong>\u201d and choose the option to Scan only. This will run a patch compliance check without applying patches.<\/span>
      \nChoose Target Instances i.e. select your registered Azure VMs by instance ID or by resource group tag (if you set one). If selecting Tag, then need to first apply tags on all VMs registered in AWS System Manager:
      \n<\/span><\/p>\n

      \"img9\"
      \n
      \n<\/span>Step 8: Start the Scan and Go to Systems Manager:
      \nMonitor execution via:<\/strong><\/span>
      \nRun Command<\/span>
      \nPatch Compliance Dashboard<\/span><\/p>\n

      This provides visibility into patch status and compliance levels.
      \n<\/span><\/p>\n

      \"img10\"<\/p>\n


      \n<\/span>Step 9: Patch Scan and Install (Apply Patches)
      \n<\/span><\/strong>This option scans the Azure VM for missing patches and then installs them automatically.
      \nNavigate to Patch Manager<\/strong><\/span>
      \nClick Patch Now<\/strong><\/span>
      \nSelect Operation Type: Scan and Install<\/strong><\/span>
      \nChoose target instances<\/strong><\/span>
      \nExecute<\/strong> the operation, once completed, it will show the status:
      \n<\/span><\/p>\n

      \"img11\"<\/p>\n

      NOTE:<\/span><\/strong>
      \nMonitor the patch job status in Systems Manager > Run Command<\/strong> or Patch Compliance<\/strong>. Review detailed reports on which patches were installed successfully or if any failed.<\/span><\/p>\n

      Step 10: Stop\/Start of VM:<\/span><\/strong>
      \nOnce patching is completed, Stop\/Start the VMs<\/strong> for complete patch application, system stability.<\/span><\/p>\n

      Conclusion<\/span><\/strong><\/h1>\n

      By leveraging AWS Systems Manager Hybrid Activation, organizations can effectively manage and patch Azure Virtual Machines from a centralized platform. This approach reduces operational complexity, enhances consistency, and simplifies multi-cloud infrastructure management. <\/span>Implementing this solution enables:<\/span><\/p>\n

      Unified patch management<\/span>
      \nImproved compliance visibility<\/span>
      \nReduced manual intervention<\/span><\/p>\n

       <\/p>\n

       <\/p>\n","protected":false},"excerpt":{"rendered":"

      Patching Azure VMs from AWS Systems Manager using Hybrid Activation Each cloud platform provides its own native tools, which can lead to fragmented processes and increased administrative overhead. To address this challenge, AWS Systems Manager (SSM) offers a powerful solution through its Hybrid Activation feature. This capability allows non-AWS machines, such as Azure Virtual Machines […]<\/p>\n","protected":false},"author":2261,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":8},"categories":[5877],"tags":[1853,248,3457,7895,474],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/79331"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/2261"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=79331"}],"version-history":[{"count":2,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/79331\/revisions"}],"predecessor-version":[{"id":79432,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/79331\/revisions\/79432"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=79331"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=79331"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=79331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}