Azure Automation State Configuration

Azure Automation State Configuration is an Azure configuration management service that allows you to configure and enforce state on virtual and physical machines in any cloud or on-premises datacenter.

In addition to enforcing configuration, you can use Azure Automation State Configuration in a report-only mode, where compliance data is generated based on a virtual or physical machine's compliance with a configuration.

Architecture

This example scenario demonstrates how to use Azure Automation State Configuration to install a web server on both Windows and Linux-based Azure virtual machines (VMs). You then use Azure Monitor to raise an alert for any non-compliant systems.

Diagram showing Azure Automation State Configuration architecture.

Components

In this solution, you use the following services and components:

  • Azure Automation: Delivers a cloud-based automation and configuration service that supports consistent management across your Azure and non-Azure environments.

  • Azure Automation State Configuration: A configuration management solution that's built on top of PowerShell Desired State Configuration. State Configuration works with Azure VMs, on-premises machines, and machines in a cloud other than Azure. By using State Configuration, you can import PowerShell DSC resources and assign them to many virtual machines from a central location. After each endpoint has evaluated or applied the desired state, state compliance is reported to Azure and can be seen on a built-in dashboard.

  • Azure Monitor: Azure Monitor collects and stores metrics and logs, application telemetry, and platform metrics for the Azure services. Use this data to monitor the application, set up alerts and dashboards, and perform root-cause analysis of failures.

  • Azure Virtual Machines: The Azure IaaS solution for running virtual machines.

Scenario details

Potential use cases

Use Azure Automation State Configuration to host and manage PowerShell Desired State Configurations (DSCs) centrally. These configurations can be applied to Windows and Linux systems to enforce state configuration. Example configurations could include:

  • Configuring applications and web services.
  • Enforcing compliance and security controls.
  • Configuring and enforcing other operating system controls.

Considerations

These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.

When you're managing systems configuration with Azure Automation State Configuration, consider the information in the next sections.

Configurations

You configure Windows and Linux systems by using a DSC configuration. These configurations are uploaded into the Azure Automation State Configuration service, compiled into a node configuration, and can then be assigned to any system that's managed by the state configuration services.

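A configuration can be composed in any text editor or in the Azure portal. The included deployment uses configurations like the following to install a web server on both Windows and Linux systems. The Linux configuration, which installs nginx through the nx DSC resource module, is shown here.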

configuration linuxpackage {

    Import-DSCResource -Module nx

    Node "localhost" {

        nxPackage nginx {
            Name = "nginx"
            Ensure = "Present"
        }
    }
}

For more information about creating configurations, see Compose DSC configurations.

Monitoring

Azure Automation State Configuration retains node status data for 30 days. You can send node status data to your Log Analytics workspace if you prefer to retain this data for a longer period. Azure Monitor logs provide greater operational visibility to your Automation State Configuration data and help address incidents more quickly. For example, with Azure Monitor integration, an email alert can be raised when a system is found to be non-compliant.

Azure Monitor integration is configured with the included deployment. The following Azure Monitor query is used to detect non-compliant systems and raise an alert.

AzureDiagnostics
| where Category == "DscNodeStatus"
// Match every node status report whose result is anything other than Compliant.
| where ResultType != "Compliant"

For more information about monitoring Azure Automation State Configuration, see Integrate with Azure Monitor logs.
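
The following query is an added example, not part of the included deployment. It narrows the alert to each node's most recent DscNodeStatus report, so a node that has since converged stops alerting, and it runs over a constructed datatable so that it can be tried without live data. The NodeName_s column name and the sample node names and ResultType values are assumptions to check against your own workspace.

```kusto
// Constructed sample records standing in for AzureDiagnostics rows.
// Assumption: NodeName_s holds the node name, and ResultType is "Compliant"
// for a node that matches its assigned node configuration.
let SampleDiagnostics = datatable(TimeGenerated: datetime, Category: string, NodeName_s: string, ResultType: string)
[
    datetime(2024-01-10 08:00:00), "DscNodeStatus", "linux-vm-0",   "Failed",
    datetime(2024-01-10 08:30:00), "DscNodeStatus", "linux-vm-0",   "Compliant",
    datetime(2024-01-10 08:00:00), "DscNodeStatus", "windows-vm-0", "Compliant",
    datetime(2024-01-10 08:30:00), "DscNodeStatus", "windows-vm-0", "Failed",
    datetime(2024-01-10 08:30:00), "DscNodeStatus", "windows-vm-1", "Compliant",
    datetime(2024-01-10 08:30:00), "JobLogs",       "windows-vm-1", "Completed"
];
SampleDiagnostics
// Ignore other Automation diagnostic categories such as job logs.
| where Category == "DscNodeStatus"
// Keep only the latest report per node; older reports describe a state
// the node may already have left.
| summarize arg_max(TimeGenerated, ResultType) by NodeName_s
// Alert on any latest result other than Compliant.
| where ResultType != "Compliant"
| project NodeName_s, LastReport = TimeGenerated, ResultType
| order by NodeName_s asc
```

To run it against live data, replace SampleDiagnostics with AzureDiagnostics and add a TimeGenerated filter that matches the alert rule's evaluation period.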

Cost optimization

Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.

Configuration management includes the configuration pull service and change tracking capabilities. Billing is based on the number of nodes that are registered with the service and the log data that's stored in the Azure Log Analytics service.

Charges for configuration management start when a node is registered with the service, and they stop when the node is unregistered. A node is any machine whose configuration is managed by configuration management. This could be an Azure VM, an on-premises VM, a physical host, or a VM in another public cloud. Billing for nodes is prorated hourly.

For more information, see Automation pricing.

Deploy this scenario

This deployment includes an Azure Automation account, the Azure Automation State Configuration feature, and one to many Windows and Linux VMs that are onboarded onto State Configuration. After they're deployed, a configuration is applied to each virtual machine that installs a web server.

To create a resource group for the deployment, run the following command.

az group create --name state-configuration --location eastus

To deploy the ARM template, run the following command. At the prompt, enter a username and password. Use these values to log in to the virtual machines you've created.

az deployment group create --resource-group state-configuration \
    --template-uri https://raw.githubusercontent.com/mspnp/samples/master/solutions/azure-automation-state-configuration/azuredeploy.json

After the VMs are deployed, in the Azure portal, select the Automation Account resource, and then select State configuration (DSC). You'll note that all the virtual machines have been added to the system and are compliant. These machines have all had the PowerShell DSC configuration applied, which has installed a web server on each.

Screenshot of DSC compliance results in the Azure portal.

You can also browse to the public IP address of any virtual machine to verify that a web server is running.

For detailed information and additional deployment options, see the ARM templates that are used to deploy this solution.

Next steps