July 2, 2024

VM Configuration: Using IaC to Stand Up Consistent Virtual Machines & Cut Down on Complexity

Configuration Management
Cloud

Configuring virtual machines (VMs) is an important task for any organization. Users across departments depend on sysadmins, engineers, and the rest of the IT ops and infrastructure teams to get VMs secured and ready to use, whether you’re spinning one up for a quick test, a new database server, or standing up a whole fleet of dev-ready machines. That need for variability AND consistency can also make VM configuration one of the most tedious sysadmin tasks, especially at enterprise scale.

Let’s go over some of the reasons why consistency and enforcement are key in effective VM configuration, the tools we recommend (and avoid) for configuring VMs, and where infrastructure as code (IaC) comes in for scaling VM configuration management.

Back to top

What is VM Configuration?

Configuring a VM means setting up and customizing a virtual machine (VM) to get it ready for use. VM configuration usually includes allocating hardware resources, configuring security settings, and installing software for its intended purpose (like development, testing, storage, or networking).

Generally speaking, VM configuration comes after provisioning. If you’re using it for load balancers or simple web servers, the base image might be just fine (provided it’s got the correct security configurations). But otherwise, pretty much every VM will need to be configured with environment-specific settings, regardless of its intended use. Whether spinning up a quick machine or standing it up for long-term use, your typical VM configuration includes things like:

  • Operating system (OS) installs
  • Resources like virtual CPUs and RAM
  • Storage like file systems, partitions, and virtual hard disks
  • Software package installs, settings, and dependencies
  • System hardening measures, including role-based access control to define user permissions, setting security baselines like CIS Benchmarks, and disabling unnecessary services

That said, the exact components to be configured when standing up a VM depend on the ways the VM will be used. For example, if we’re standing up a VM for development, it might need specific software development kits and version control systems installed. Our production database VM, on the other hand, would rely more on properly configured storage and security settings.

Back to top

Why Correct, Consistent VM Configuration is Essential

VM misconfiguration can lead to non-optimized resource allocation, default security settings, and improper role assignment. VM misconfiguration can affect system performance, disrupt the developer experience, and leave systems open to attacks and software vulnerabilities.

  • A VM that’s configured with the wrong resources will overutilize or underutilize them. A VM that’s not configured to optimize CPU and memory usage risks overutilizing or underutilizing its allocation, slowing down response times and performance in shared environments.
  • Misconfigured VMs can be a security risk. OWASP (the Open Worldwide Application Security Project) found that security misconfiguration was the number-five most critical security risk for web applications. Servers without security hardened configurations are a huge security risk for any system, and VMs are no different. VMs in use without strong security configurations are prime targets for unauthorized users, breaches, malware, and vulnerabilities.
  • Developer experience (DevX) depends on properly configured VMs. Developers need the right access, software, and settings applied to their environments, or else they end up needing to do a bunch of extra work just to do their jobs. If a developer doesn’t have what they need, or has to struggle with their environment, it can lead to increased toil, cognitive load, rework, shadow IT use, tech debt, and other factors that increase complexity and decrease quality.

Listen to our conversation with DevX and developer productivity expert Justin Reock, where we cover the power of platform engineering to enhance the developer experience:

Back to top

Many popular tools (like Cloud-init, Kubernetes with KubeVirt, and Packer) can be used to configure VMs. But to configure virtual machines consistently, especially in a large IT system, a configuration management tool is your best bet. Options like Puppet, Ansible, and Chef are capable of configuring VMs, physical servers, and other system components after deployment.

There are a lot of tools that offer configuration management capabilities for VMs, even if it’s not their primary purpose. Here are the tools we see used for VM configuration most often: 

VM Configuration Tool

Primary Purpose

VM Configuration Use Case

Puppet 

Configuration management; infrastructure automation; infrastructure as code 

Configuring virtual machines at any scale; enforcing secure, desired state on thousands of VMs across Linux and Windows 

Chef 

Configuration management; infrastructure automation; infrastructure as code 

Deploying and configuring virtual machines 

Ansible 

Configuration management; infrastructure automation; infrastructure as code 

Orchestrating and configuring virtual machines 

SaltStack 

Configuration management; infrastructure automation; orchestration 

Rapid virtual machine deployment and configuration according to pre-defined commands 

Terraform 

Provisioning VMs, servers, storage, and networking devices 

Establishing provisioning baselines; managing VM configurations in combination with other tools 

AWS CloudFormation 

IaC templates for AWS-specific resources 

Defining the properties of EC2 instances (proprietary AWS VMs) 

Packer 

Creating VM images 

Building VM base images (including OS and security configurations) to deploy and enforce with other tools 

Kubernetes (with a tool like KubeVirt) 

Container orchestration, deployment, and scaling 

Managing configurations of VMs that host Kubernetes nodes 

Cloud-init 

Initial VM configuration 

Automating boot-time configuration of VMs (including user setup, package installs, and service configuration) — not ideal for ongoing VM configuration management 

Why Not Just Use VM Templates and Images to Configure VMs?

Templates and images can be handy for quickly provisioning VMs with simple baseline configurations. But we’ve found that those methods just can’t keep up when sysadmins need to provision more than a few machines, or when those machines get more and more complex.

  • Templates and images don’t scale. Configuration management tools help you manage thousands of VM configurations at once with a lot less effort.
  • Templates and images don’t enforce a desired state. They just provide a starting point for VM configurations, not ongoing management of infrastructure built with VMs.
  • Templates and images can’t handle complex configurations. They typically lay out only the basic baselines for VM configuration.  
  • Templates and images don’t allow for version control and auditing. 

 

Your Free Guide to Cloud Scalability

Download Puppet’s free guide to learn how to
protect your cloud ROI as you scale up and out.

GET THE GUIDE

Your Guide to Cloud Scalability + Efficiency: A graphical mockup of an eBook by Puppet.

 

Back to top

How Infrastructure as Code Helps Configure VMs More Securely & Consistently

Getting VMs ready to use is, admittedly, also a bit of a rote task. Much of the time, the infrastructure and ops teams are creating nearly identical VMs, or VMs with small variations, for a limited number of established use cases. But they do all need to be configured according to their purpose. Ensuring that VMs have consistency in an enterprise environment, where each of those largely similar VMs can require slightly different configurations, is the hard part.

That’s where infrastructure as code comes in! By using IaC to configure VMs, you define the desired state of those machines as code — including resource allocation like CPU and RAM, user permissions, security settings, and more. That infrastructure code can be edited and updated to redefine the desired state, and an IaC tool will enforce the latest coded configurations automatically. No manual effort needed, even at enterprise scale.

In our experience, IaC is better for configuring VMs than any other option for a few key reasons:

Key Benefits of IaC for VM Configuration

  • Better consistency and less human error: IaC can ensure that all the VMs in your system, from a handful to hundreds of thousands, are provisioned with the same configurations. That saves a ton of time (automation), reduces the likelihood of human error (misconfiguration), and improves performance (optimization).
  • Complex configurations: IaC turns complex configurations for VMs in enterprise-scale fleets, including multiple services, dependencies, and custom settings, into code that can be edited as needed. Where manual configuration or templates and images provide baselines and starting points, IaC provides greater flexibility for infrastructure management and DevOps teams.
  • Version control and auditability: IaC defines VM configurations as readable code, which means they can be version controlled, audited, and rolled back for compliance and change management purposes. Agent-based automation and configuration management can also aid enterprise observability and troubleshooting by providing consistent, always-on infrastructure and visibility into the configuration state of system components like VMs.
  • Security: By offloading the configuration of security settings (like RBAC and passwords) to IaC, you significantly reduce the chance of security misconfiguration. In enterprise IT, where system components need to be provisioned, configured, deprovisioned, and recycled constantly, IaC provides a high degree of reliability in configuring VMs for security.
Back to top

Using Puppet IaC for VM Configuration Management

Puppet configures VMs like any other system component. With reusable blocks of IaC aligned to your desired state (known as policy as code/PaC), agent-based automation, and regular runs of the agent installed on each node, Puppet PaC continuously enforces configurations to maintain your desired state across physical servers, VMs, and more.

After provisioning from a VM template or image, Puppet applies detailed configurations to each VM, ensuring that each instance is configured according to its specific role (in accordance with your organization's policies, which are written as Puppet code). Puppet applies configurations that install software packages, configure apps, set up services, apply security policies, roll out patches, and more.

Then, Puppet agents on each VM keep that VM in the desired state according to its role and intended use. Here’s how it works:

  • A Puppet agent installed on each VM checks in with the primary Puppet server, where its desired state is defined as code. This check-in, called a Puppet run, happens 48 times every day by default (every 30 minutes).
  • If the Puppet agent finds that the configurations on its VM are in line with the configurations on the primary server, the agent does nothing and waits for the next run.
  • If the Puppet agent finds that the configurations on its VM don’t match the primary server, the agent will automatically request a code deployment from the primary server to bring the VM’s configurations back into line (remediation).

Using this process, Puppet helps teams control drift, improve observability, and securely manage large fleets with less effort.

Puppet Enterprise Comes with Compliance Monitoring & CI/CD for VM Configuration

Puppet Enterprise, the commercial version of Puppet, contains the tools you need to write infrastructure as code, test it, promote it, deploy it, and continuously monitor system state against your compliance policies.

  • Continuous Delivery accelerates deployment of Puppet code and shows you exactly how Puppet automation contributes to your desired business outcomes.
  • Security Compliance Management gives you a window into how well your Puppet-managed VM configurations adhere to your custom security and compliance policies.

Continuous Delivery and Security Compliance Management aren’t available in Open Source Puppet. Compare the main versions of Puppet with the free PDF, Open Source Puppet vs. Puppet Enterprise: The Complete Guide >>

Puppet Integrates with VM Provisioning & Deployment Tools

Puppet’s strength is in enforcing a consistent desired state across large, complex environments to make enterprise IT management more efficient and effective. And thanks to Puppet’s highly customizable back end, it can integrate with VM provisioning, deployment, virtualization, and management tools. Here are some examples:

  • VMware
  • Vagrant
  • Microsoft Azure
  • AWS
  • Google Cloud Platform (GCP)
  • Hyper-V

Puppet plays nice with the tools your team already uses, making it a key part of the VM lifecycle.

Back to top

Case Study: WTW Configures Azure VMs Quickly & Consistently with Puppet

The Insurance Consulting and Technology business at WTW (Willis Towers Watson) provides 100% cloud-based services to more than 75% of the world’s leading insurers. To save time and money configuring VMs development, testing, and production, the company uses Puppet to manage configurations in Azure.

Darren Gipson, Lead DevOps Engineer, explains why his team chose Puppet for such a big task instead of “having to manually understand every single VM you set up.”


FULL CASE STUDY

Like we mentioned before, Puppet’s ability to keep all kinds of system components in a desired state across on-prem, cloud, and hybrid deployments differentiates it from other IaC, automation, and configuration management solutions. From servers and VMs to applications, software, OSes, and more, Puppet is secure infrastructure automation for enterprise IT management.

Where other VM configuration tools fail, Puppet helps teams succeed. Try Puppet Enterprise on 10 nodes for free right now, or schedule time to have the Puppet team demonstrate it in action.

FREE TRIAL   DEMO PUPPET

Back to top