Desktop and Application Streaming

Reduce image maintenance overhead with Managed Image Updates for Amazon AppStream 2.0

Amazon AppStream 2.0 recently added a new feature called Managed Image Updates, which significantly reduces the effort required for customers to keep their images up to date.

Software patching is critical for the security and performance of compute resources. Frequent patching is listed as a best practice in the Security Pillar of the Well-Architected Framework.

Let’s examine the four categories of software that require patching on an AppStream 2.0 image. We’ll also describe how each category has traditionally been updated:

  1. Customer applications and dependencies: You (the customer) are responsible for patching the applications and dependencies in your images.
  2. Microsoft Windows operating system: You are responsible for installing and maintaining updates for Windows.
  3. Software components: These are drivers, agents, and other software that are required for AppStream 2.0 operation (for example, the Amazon CloudWatch agent). AppStream 2.0 periodically releases new base images that contain new agents and drivers. You can rebuild your image using the latest base to bring the software components on your images to the latest baseline. The process to rebuild an image on the latest base can be time-consuming and cumbersome when there are many applications, or with complex application installs.
  4. AppStream 2.0 agent: You can select the option Always use the latest agent version in Image Assistant. With this option, streaming instances that are launched from the image automatically use the latest version of the agent.

With the release of Managed Image Updates, you can now choose to allow AWS to handle a greater portion of the maintenance process. This feature automatically brings an image to the latest baseline for both software components and Windows updates. Managed Image Updates takes your existing image, performs the update operation, and outputs a new image. You can then test the updated image before deploying it to your production fleets.

You are still responsible for maintaining Windows updates after creating a new image: you can do this by continuing to run Managed Image Updates regularly. You are still responsible for maintaining your own applications and dependencies.

Let’s walk through the high-level steps you can follow to use Managed Image Updates for your existing images.

Prerequisites

There are several prerequisites to consider before you attempt to use Managed Image Updates. It’s recommended that you manually install the latest version of SSM Agent before performing an update operation. The SSM Agent is used for orchestrating the image update process. All prerequisites are in the administration guide on how to update an image by using managed AppStream 2.0 image updates.

Updating your Image

To update an image, you specify the image to be updated, and provide a name for the new image that will be generated. AppStream 2.0 will start an image builder instance in your account to perform the update. This image builder will be automatically terminated when the update process has completed. Your AWS account will be billed for this image builder usage.

You can start an update operation either programmatically (for example, using the AWS Command Line Interface), or via the AWS Management Console.

Steps in AWS Command Line Interface

  1. (Optional) Run the create-updated-image command in “dry run” mode to see if there are any available updates. Note that this command will only check if there are updates available for specific software components required by AppStream 2.0 (see the list of software components covered by Managed Image Updates). It will not check whether Windows updates are available. In the following command, replace <OLD_IMAGE_NAME> with the name of the existing image you want to update, and <NEW_IMAGE_NAME> with a name for the new image (the command requires this parameter even for a dry run).
    • aws appstream create-updated-image --existing-image-name <OLD_IMAGE_NAME> --new-image-name <NEW_IMAGE_NAME> --dry-run
  2. When you’re ready to perform the update, run the following command. Replace <NEW_IMAGE_NAME> with a name for the image to be generated by the update process.
    • aws appstream create-updated-image --existing-image-name <OLD_IMAGE_NAME> --new-image-name <NEW_IMAGE_NAME>
  3. After you have run create-updated-image, AppStream 2.0 will start an image builder instance to perform the update. You can verify this by running the describe-image-builders command.
    • aws appstream describe-image-builders

The output should include an image builder with a state of UPDATING. The name of the image builder starts with the <NEW_IMAGE_NAME> you selected, and ends with a random 10-character suffix.

Steps in AWS Management Console

  1. In the AppStream 2.0 console, select Images from the navigation pane.
  2. In the list of images, choose the private image you want to update.
    • NOTE: You must own the image you want to update. You will not be able to perform the update operation on an image that has been shared with you.
  3. In the Actions dropdown, choose Update.
  4. In the pop-up dialog box, provide appropriate values for New image name, New image display name and (optionally) New Image description.
  5. In the Image Builder tab, you can see the new image builder that has been created to perform the update process. The name of the image builder starts with the value you provided for New image name and ends with a random 10-character suffix. It has a Status of Updating.

The update process can require several hours to complete in some cases. If there is a failure, the new image will have a Status of Failed, and you should review any errors in the Notifications tab.

Image validation

It’s important to validate images generated by Managed Image Updates. Deploy the newly updated image to a pre-production fleet, and validate that your applications still work as expected. Let’s review the steps to deploy the updated image to a pre-production fleet and then, once validated, to a production fleet.

Steps in AWS Command Line Interface

  1. Run describe-images to see your image status. Once the update process is complete, your updated image will appear with a status of AVAILABLE. In the following command, replace <NEW_IMAGE_NAME> with the name of the newly updated image you specified in the previous section.
    • aws appstream describe-images --names <NEW_IMAGE_NAME>
  2. Run update-fleet to associate your pre-production fleet with the updated image. In the following command, replace <PRE_PROD_FLEET_NAME> with the name of your pre-production fleet. Replace <NEW_IMAGE_NAME> with the name of the newly updated image you specified in the previous section.
    • aws appstream update-fleet --image-name <NEW_IMAGE_NAME> --name <PRE_PROD_FLEET_NAME>
    • Note: Updating an image doesn’t disrupt users who are connected to an active streaming session. The streaming instance is terminated after the streaming session is finished. Any new streaming instances use the updated image. All existing fleet instances must be exhausted before new sessions begin to launch with the updated image. To push the new image to all new sessions rapidly, stop, then start the fleet. For more information, review Update an AppStream 2.0 fleet with a new image.
  3. Log into your pre-production fleet using the authentication method you have configured, and validate your applications are working as expected.
  4. Once validation is complete, associate your production fleet with the updated image by running update-fleet. In the following command, replace <NEW_IMAGE_NAME> with the name of the new image you specified in the previous section, and replace <PROD_FLEET_NAME> with the name of your production fleet.
    • aws appstream update-fleet --image-name <NEW_IMAGE_NAME> --name <PROD_FLEET_NAME>
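
The CLI steps above can be wrapped in a small gate so that a fleet is only pointed at an updated image once that image has reached AVAILABLE, and never at one whose update failed. This is an added example, not code from the original post; the function names, exit codes, and polling defaults are assumptions of the example, and it reads the image state through the `Images[0].State` field of the describe-images output.

```shell
#!/usr/bin/env bash
# Added example: gate fleet promotion on the state of an updated image.
# Function names, exit codes and polling defaults are this example's own.

# Print the image state, or UNKNOWN if the call fails or the image is not listed yet.
image_state() {
  local state
  state=$(aws appstream describe-images --names "$1" \
            --query 'Images[0].State' --output text 2>/dev/null) || state=UNKNOWN
  case "$state" in ""|None) state=UNKNOWN ;; esac
  printf '%s\n' "$state"
}

# Poll until the image is AVAILABLE (return 0) or FAILED (return 1).
# Returns 2 if neither state is seen within the allowed number of tries.
wait_for_image() {
  local name="$1" interval="${2:-300}" tries="${3:-48}" i=0 state=UNKNOWN
  while [ "$i" -lt "$tries" ]; do
    state=$(image_state "$name")
    case "$state" in
      AVAILABLE) return 0 ;;
      FAILED) echo "update of $name failed; review the Notifications tab" >&2
              return 1 ;;
    esac
    sleep "$interval"
    i=$((i + 1))
  done
  echo "timed out waiting for $name (last state: $state)" >&2
  return 2
}

# Associate a fleet with the image, but only if the image is AVAILABLE right now.
promote_image() {
  local name="$1" fleet="$2" state
  state=$(image_state "$name")
  if [ "$state" != AVAILABLE ]; then
    echo "refusing to update fleet $fleet: image $name is $state" >&2
    return 1
  fi
  aws appstream update-fleet --image-name "$name" --name "$fleet" >/dev/null
}

# Typical use after create-updated-image (placeholders as in the steps above):
#   wait_for_image <NEW_IMAGE_NAME> && promote_image <NEW_IMAGE_NAME> <PRE_PROD_FLEET_NAME>
```

Run promote_image against the production fleet only after the manual validation in step 3; the gate checks image state, not application behavior.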

Steps in AWS Management Console

For the steps to update a fleet with a new image in the AWS Management Console, see update an AppStream 2.0 fleet with a new image in the AppStream 2.0 documentation.

Viewing updates on the new image

You can validate an update has occurred by launching an instance of the updated image and looking at the list of Installed Updates in Windows. To view the updates, choose Control Panel -> Programs -> Programs and Features -> Installed Updates. Managed Image Updates installs all available Windows updates at the time the update operation is performed.

The latest Windows updates are installed on your new image

You can validate that other included software components (such as drivers and agents) were updated as well. To view them, choose Control Panel -> Programs -> Programs and Features.

The software components should be updated on your new AppStream 2.0 image.

Conclusion

Managed Image Updates is a new feature that significantly reduces the maintenance burden of image updates for AppStream 2.0 customers.

Managed Image Updates takes your existing image and generates a new image that meets the baseline established by the latest base image. It automatically installs Windows updates. You are still responsible for updating your own software and any associated dependencies.