# Azure - Rocky Linux from CIQ - Hardened

## Overview
This guide shows how to deploy Rocky Linux from CIQ – Hardened (RLC-H) on Microsoft Azure using the Azure CLI.
## Prerequisites

- Familiarity with Microsoft Azure concepts (resource groups, VNets, NSGs, etc.)
- Azure CLI 2.60+ installed and logged in (`az login`)
- Subscription rights to create resource groups, VMs, networking
- SSH key available (`~/.ssh/id_rsa.pub` by default)

## Hardware Requirements
Component | Minimum | Recommended |
---|---|---|
vCPUs | 2 vCPUs | 4+ vCPUs |
Memory | 4 GB RAM | 8 GB RAM or more |
Storage | 25 GB OS disk (Azure default 30) | 64 GB+ Premium SSD |
VM Size | Standard_D2s_v5 (2 vCPU, 8 GB) | Standard_D4s_v5 (4 vCPU, 16 GB) |
Notes
- Azure defaults OS disks to 30 GB, which meets the 25 GB minimum.
- Premium SSDs are strongly recommended for production workloads.
- Enable accelerated networking where supported.
- Consider extra headroom (≥ 8 GB RAM) when running with LKRG and hardened memory.
## How to Acquire RLC-H via Marketplace
- Navigate to the Azure Marketplace listing for RLC-H.
- Under Plans + Pricing, click Get It Now or Subscribe and follow the prompts.
- After subscribing, you’ll be able to deploy via the Azure Portal or CLI using the marketplace image.
- For CLI usage, you still must accept the plan/terms.
Note
The Marketplace subscription step only needs to be done once per Azure subscription. After that, you can deploy as many RLC-H VMs as you like using CLI, Terraform, etc.
## Marketplace Information

RLC-H is available in the Azure Marketplace under the publisher `ciq` with different support levels:

SKU | URN Example | Support Tier |
---|---|---|
rlch-standard-9 | ciq:ciq-rocky-linux-hardened:rlch-standard-9:latest | Basic Support |
rlch-standard-9-ss | ciq:ciq-rocky-linux-hardened:rlch-standard-9-ss:latest | Standard Support |
rlch-standard-9-ps | ciq:ciq-rocky-linux-hardened:rlch-standard-9-ps:latest | Premium Support |
When creating the VM, specify the URN that matches your desired support level.
Note
For details about CIQ’s support tiers (Basic, Standard, Premium) and what each includes, see CIQ Support Services.
## Find the RLC-H image

### Set your target region

```bash
LOCATION=eastus   # adjust to your Azure region
```

### List available hardened images

```bash
az vm image list --location $LOCATION -p ciq --all \
  --query "[?contains(offer, 'harden') || contains(sku, 'harden') || contains(urn, 'harden')].{publisher:publisher,offer:offer,sku:sku,version:version,urn:urn}" \
  -o table
```

### Copy the URN

```
ciq:ciq-rocky-linux-hardened:rlch-standard-9:latest
```

## Accept plan terms (one time per subscription)

```bash
IMAGE_URN="ciq:ciq-rocky-linux-hardened:rlch-standard-9:latest"
```

### Check if the image requires a plan

```bash
az vm image show --urn $IMAGE_URN --query plan
```

### If a plan is shown, accept it once per subscription

```bash
az vm image terms accept --urn $IMAGE_URN
```
## Create resource group and networking

```bash
RG=rg-rlch
LOCATION=eastus
VNET=vnet-rlch
SUBNET=subnet-rlch
NSG=nsg-rlch
NIC=nic-rlch
PIP=pip-rlch
```

### Resource group

```bash
az group create -n $RG -l $LOCATION
```

### VNet + subnet (use ranges appropriate for your environment)

```bash
az network vnet create -g $RG -n $VNET -l $LOCATION \
  --address-prefix 10.10.0.0/16 \
  --subnet-name $SUBNET --subnet-prefix 10.10.1.0/24
```

### NSG: allow SSH (harden further as needed)

```bash
az network nsg create -g $RG -n $NSG -l $LOCATION
az network nsg rule create -g $RG --nsg-name $NSG -n allow-ssh \
  --priority 1001 --direction Inbound --access Allow --protocol Tcp \
  --source-address-prefixes "*" --destination-port-ranges 22
```

### NIC + Public IP

```bash
az network public-ip create -g $RG -n $PIP --sku Standard --allocation-method Static
az network nic create -g $RG -n $NIC \
  --vnet-name $VNET --subnet $SUBNET \
  --network-security-group $NSG \
  --public-ip-address $PIP
```
## Create the VM

```bash
VM=vm-rlch
SIZE=Standard_D4s_v5

az vm create -g $RG -n $VM -l $LOCATION \
  --image $IMAGE_URN \
  --size $SIZE \
  --admin-username rlchadmin \
  --ssh-key-values ~/.ssh/id_rsa.pub \
  --nics $NIC \
  --os-disk-size-gb 128
```

If a plan is required for the image, add these flags to the command above:

```bash
--plan-publisher ciq --plan-product ciq-rocky-linux-hardened --plan-name rlch-standard-9
```
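The plan check, terms acceptance and `--plan-*` flags above can be scripted so a deployment does not silently fail on an unaccepted plan. This is an added example, not CIQ's own tooling: the helpers `urn_to_plan_flags`, `plan_required` and `terms_accepted` are pure and run offline; `prepare_plan_flags` assumes a logged-in Azure CLI and uses only `az vm image show` and `az vm image terms show/accept`.

```shell
#!/bin/sh
# Added example, not part of the CIQ guide: derive the --plan-* flags from the
# marketplace URN and accept terms only when the image actually carries a plan.
# Pure helpers (urn_to_plan_flags, plan_required, terms_accepted) run offline;
# prepare_plan_flags assumes a logged-in Azure CLI.
set -eu

# urn_to_plan_flags URN -> prints "--plan-publisher P --plan-product O --plan-name S"
# for a URN of the form publisher:offer:sku:version (the plan name is the SKU).
urn_to_plan_flags() {
  local urn="$1" publisher offer sku rest
  case $urn in
    *:*:*:*) ;;
    *) echo "malformed URN (want publisher:offer:sku:version): $urn" >&2; return 1 ;;
  esac
  publisher=${urn%%:*}; rest=${urn#*:}
  offer=${rest%%:*};    rest=${rest#*:}
  sku=${rest%%:*}
  printf -- '--plan-publisher %s --plan-product %s --plan-name %s\n' "$publisher" "$offer" "$sku"
}

# plan_required PLAN_JSON -> 0 when `az vm image show --query plan` returned an object, 1 for null/empty
plan_required() {
  local plan
  plan=$(printf '%s' "$1" | tr -d '[:space:]')
  [ -n "$plan" ] && [ "$plan" != "null" ]
}

# terms_accepted TERMS_JSON -> 0 when `az vm image terms show` reports "accepted": true
terms_accepted() {
  printf '%s' "$1" | grep -Eq '"accepted":[[:space:]]*true'
}

# prepare_plan_flags URN -> accepts terms if still needed, then prints the flags for `az vm create`.
# Usage: EXTRA=$(prepare_plan_flags "$IMAGE_URN"); az vm create ... $EXTRA   (leave $EXTRA unquoted)
prepare_plan_flags() {
  local urn="$1" plan terms
  plan=$(az vm image show --urn "$urn" --query plan -o json)
  if plan_required "$plan"; then
    terms=$(az vm image terms show --urn "$urn" -o json 2>/dev/null || echo '{}')
    terms_accepted "$terms" || az vm image terms accept --urn "$urn" >/dev/null
    urn_to_plan_flags "$urn"
  fi
}
```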
## Verify the VM

### Get the public IP

```bash
az vm show -g $RG -n $VM -d --query publicIps -o tsv
```

### SSH in and confirm RLC-H

```bash
ssh rlchadmin@<PUBLIC_IP>
cat /etc/os-release
rpm -qa | grep lkrg
```
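The two confirmation commands above can be turned into a check that fails a pipeline when a VM is not actually running the hardened image. This is an added example, not part of the CIQ guide; it assumes the image reports `ID=rocky` in `/etc/os-release` and that LKRG ships as an RPM whose name contains `lkrg`, as the guide's `rpm -qa | grep lkrg` implies. The sample inputs are constructed, not captured from a real VM.

```shell
#!/bin/sh
# Added example, not part of the CIQ guide: the same two checks as a function that
# can gate a deployment pipeline. Assumes ID=rocky in /etc/os-release and an RPM
# whose name contains "lkrg" (as the guide's `rpm -qa | grep lkrg` implies).
set -eu

# rlch_checks OS_RELEASE_TEXT RPM_LIST_TEXT -> 0 only if ID is rocky and an lkrg package is present
rlch_checks() {
  local os_id
  os_id=$(printf '%s\n' "$1" | sed -n 's/^ID=//p' | tr -d '"')
  [ "$os_id" = "rocky" ] || { echo "FAIL: ID=$os_id, expected rocky" >&2; return 1; }
  printf '%s\n' "$2" | grep -q lkrg || { echo "FAIL: no lkrg package installed" >&2; return 1; }
  printf 'OK: %s\n' "$(printf '%s\n' "$2" | grep lkrg)"
}

# verify_vm USER@HOST -> fetch both inputs over SSH and run the checks (needs network access to the VM)
verify_vm() {
  local osrel rpms
  osrel=$(ssh "$1" cat /etc/os-release)
  rpms=$(ssh "$1" rpm -qa)
  rlch_checks "$osrel" "$rpms"
}

# Constructed sample inputs (not captured from a real RLC-H VM) for an offline run
SAMPLE_OSREL='NAME="Rocky Linux"
ID="rocky"
ID_LIKE="rhel centos fedora"'
SAMPLE_RPMS='bash-5.1.8-9.el9.x86_64
lkrg-0.0.0-0.el9.x86_64
openssh-server-8.7p1-43.el9.x86_64'

# run_sample -> exercises rlch_checks against the constructed inputs
run_sample() { rlch_checks "$SAMPLE_OSREL" "$SAMPLE_RPMS"; }
```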
## Next steps

- Tighten NSG source scopes (e.g., your admin IP or VPN CIDR instead of `*`)
- Enable Defender for Cloud monitoring and diagnostics if required
- Attach additional data disks with `az vm disk attach`
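For the first item, the `allow-ssh` rule created earlier can be rewritten in place rather than left open to `*`. This is an added example, not part of the CIQ guide: `valid_source_cidr` runs offline and refuses wildcard or malformed scopes; `tighten_ssh_rule` assumes a logged-in Azure CLI and the resource group and NSG names used in this guide.

```shell
#!/bin/sh
# Added example, not part of the CIQ guide: replace the "*" source of the allow-ssh
# rule with an admin CIDR, refusing inputs that would leave SSH open to the Internet.
set -eu

# valid_source_cidr CIDR -> 0 only for a well-formed IPv4 CIDR narrower than the whole Internet
valid_source_cidr() {
  local cidr="$1" ip prefix octet
  case $cidr in
    '*'|0.0.0.0/*|Internet) return 1 ;;   # these are the wildcard scopes being removed
  esac
  printf '%s' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  ip=${cidr%/*}; prefix=${cidr#*/}
  [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
  for octet in $(printf '%s' "$ip" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# tighten_ssh_rule RG NSG CIDR -> rewrite the guide's allow-ssh rule in place (needs az)
tighten_ssh_rule() {
  valid_source_cidr "$3" || { echo "refusing source scope '$3' for SSH" >&2; return 1; }
  az network nsg rule update -g "$1" --nsg-name "$2" -n allow-ssh \
    --source-address-prefixes "$3"
}
```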
## Appendix (Optional): Using a customer-managed key (DES)

If your organization uses a Disk Encryption Set (DES) for CMK encryption, include the DES when creating the VM’s OS disk and when creating/attaching any data disks.

- For the OS disk (add to `az vm create`):

  ```bash
  --os-disk-encryption-set <DES_RESOURCE_ID>
  ```

- For new data disks created and attached later:

  ```bash
  az vm disk attach ... --disk-encryption-set <DES_RESOURCE_ID>
  ```
Note
The DES must have access to your Key Vault key, and the identity used by the DES must have wrap/unwrap/get permissions on that key.
## Best Practices for RLC-H on Azure

### Security
- Integrate with Microsoft Entra ID (formerly Azure Active Directory) for authentication and access control
- Enable disk encryption with customer-managed keys (CMK) via a Disk Encryption Set
- Restrict traffic using Network Security Groups (NSGs) and optionally Application Security Groups (ASGs)
- Enable Microsoft Defender for Cloud (formerly Security Center) and integrate with Microsoft Sentinel for advanced threat detection
- Apply Azure Policy initiatives to enforce baseline security configurations and compliance
### Performance with Security
- Use Premium SSDs for production workloads
- Enable accelerated networking on supported VM sizes for high-throughput and low-latency networking
- Monitor LKRG runtime overhead on security-sensitive workloads
- Use Proximity Placement Groups (PPGs) for latency-sensitive, tightly coupled applications
### Compliance
- Tag all resources with appropriate governance/compliance metadata
- Use Azure Update Manager (formerly Update Management) for OS and package patching
- Implement Azure Policy compliance checks and remediation at scale
- Run regular security posture assessments with Defender for Cloud recommendations
### High Availability
- Deploy across multiple availability zones where supported
- Use zone-redundant managed disks for critical data
- Implement application-level health probes and load balancing (e.g., Azure Load Balancer or App Gateway with WAF)
- Configure Azure Backup with encryption for automated recovery
For additional security configurations and troubleshooting, see the main RLC-H documentation.