Azure Arc-enabled servers allow you to manage your Windows and Linux servers and virtual machines that are hosted outside of Azure, on your corporate network, or on another cloud provider. This document helps you plan automation for onboarding, patch management, and expanding Azure Arc-enabled server capabilities through VM extensions. The article presents key recommendations for operations teams to onboard and automate Azure Arc-enabled servers throughout their lifecycle.
Architecture
The following image shows a conceptual reference architecture that highlights the onboarding and automation design areas for Azure Arc-enabled servers:
Design considerations
The following are some design considerations before onboarding Azure Arc-enabled servers to Azure:
Review requirements
- Your machines run a supported operating system for the Azure connected machine agent.
- Your machines have the required software installed before deploying the Azure connected machine agent.
Network connectivity
Your machines have connectivity to Azure from your on-premises network or from each third-party cloud provider, either directly, through a proxy server, or over a private endpoint. See the Network connectivity for Azure Arc-enabled servers section of this guide for design considerations and recommendations.
Environment preparation
- To deploy and configure the Azure Arc-enabled servers connected machine agent, an account with administrator or root privileges is required.
- To onboard machines, you have the required Azure permissions. See the Identity and access management for Azure Arc-enabled servers section of this guide for more on identity and access.
Onboard Azure Arc-enabled servers
- Before onboarding machines, you've registered the Azure resource providers for Azure Arc-enabled servers.
- Decide how you'll install and configure the Azure connected machine agent across your fleet of servers. Typically, you'll deploy the agent using your organization's standard automation tools.
Virtual machine extensions
Determine which Azure capabilities you want to enable on your Azure Arc-enabled servers. Some capabilities require a VM extension to be installed on your server, which can be automated with Azure Policy.
Lifecycle automation
Create an operating system patch management strategy for Azure Arc-enabled servers.
Design recommendations
The following are general design recommendations for Azure Arc-enabled servers:
Environment preparation
- Create a dedicated resource group to include only Azure Arc-enabled servers and centralize management and monitoring of these resources.
- Evaluate and develop an IT-aligned tagging strategy that reduces the complexity of managing your Azure Arc-enabled servers and simplifies management decisions.
- Create a service principal to connect machines non-interactively using Azure PowerShell or from the Azure portal.
Onboard Azure Arc-enabled servers
One of your first tasks is to onboard your fleet of servers and virtual machines to Azure. If you have only a few servers, generate an installation script and run it directly on each Windows or Linux machine. For larger fleets, Azure offers several options to automate onboarding. We recommend creating a service principal and applying one of the following methods:
- Review and customize the predefined installation script for at-scale deployment of the connected machine agent to support your automated deployment requirements.
- Generate a PowerShell script using a service principal, and deploy it via your organization's existing automation platform.
- Connect machines using PowerShell remoting or PowerShell DSC.
- Connect machines from Windows Admin Center.
Afterwards, be sure to verify your connection to Azure Arc.
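The following script is an added example and is not part of the Microsoft Learn page or the Azure Arc project. It walks through the onboarding recommendations above end to end: registering the resource providers, creating the dedicated resource group, creating a service principal that holds only the built-in "Azure Connected Machine Onboarding" role on that group, connecting a server with azcmagent, and verifying the connection from both the machine and Azure. It assumes the Az.Accounts, Az.Resources (6 or later, for the AppId and PasswordCredentials output shape) and Az.ConnectedMachine modules, an existing Connect-AzAccount session, and that the placeholder subscription id, resource group, region, tags and machine name are replaced; the function name Connect-ArcServer is the author's own.

```powershell
# Added example, not from the Microsoft Learn page. Part A runs once from an admin
# workstation; Part B is the function you distribute through your automation tooling
# and run on each server after the Connected Machine agent package is installed.

# ---------- Part A: one-time subscription preparation ----------
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-arc-servers'                          # dedicated to Arc-enabled servers only
$Location       = 'westeurope'                              # placeholder region
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$TenantId = (Get-AzContext).Tenant.Id

# 1. Register the resource providers Azure Arc-enabled servers depend on (idempotent).
foreach ($ns in 'Microsoft.HybridCompute', 'Microsoft.GuestConfiguration', 'Microsoft.HybridConnectivity') {
    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
}

# 2. Dedicated resource group so RBAC, policy and monitoring scope cleanly to Arc machines.
if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
}

# 3. Service principal limited to the onboarding role on this resource group: it can
#    create machine resources there and nothing else. Put the secret in your secret
#    store now; it must not be embedded in the script you distribute.
$sp = New-AzADServicePrincipal -DisplayName 'sp-arc-onboarding'
New-AzRoleAssignment -ApplicationId $sp.AppId `
    -RoleDefinitionName 'Azure Connected Machine Onboarding' `
    -ResourceGroupName $ResourceGroup | Out-Null
$OnboardingSecret = $sp.PasswordCredentials.SecretText   # store this; shown here only for the demo

# ---------- Part B: run on each target Windows server ----------
function Connect-ArcServer {
    param(
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $Secret,          # fetched from the vault at run time
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $Location,
        [string] $Tags = 'Datacenter=DC01,Environment=Prod'  # placeholder tags from your tagging strategy
    )
    $agent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
    if (-not (Test-Path $agent)) { throw "Connected Machine agent not installed at $agent" }

    # Non-interactive connect with the service principal; exit code tells automation whether it worked.
    & $agent connect `
        --service-principal-id     $AppId `
        --service-principal-secret $Secret `
        --tenant-id                $TenantId `
        --subscription-id          $SubscriptionId `
        --resource-group           $ResourceGroup `
        --location                 $Location `
        --tags                     $Tags
    if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

    # Verify locally (agent status) and in Azure (machine resource reports Connected).
    & $agent show
    $machine = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $env:COMPUTERNAME
    if ($machine.Status -ne 'Connected') {
        throw "$($machine.Name) reports status '$($machine.Status)' in Azure"
    }
    return $machine
}

Connect-ArcServer -AppId $sp.AppId -Secret $OnboardingSecret -TenantId $TenantId `
    -SubscriptionId $SubscriptionId -ResourceGroup $ResourceGroup -Location $Location
```

Keeping the role assignment at resource-group scope and using the onboarding role rather than Contributor means a leaked onboarding secret can create machine resources in that group but cannot read or change anything else in the subscription; rotate the secret after the rollout and remove the service principal when onboarding is complete.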
Virtual machine extensions
To simplify managing hybrid servers throughout their lifecycle, you can deploy VM extensions to Azure Arc-enabled servers from the Azure portal. Virtual machine (VM) extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs. For example, if a virtual machine requires software installation or anti-virus protection, or needs to run a script, a VM extension can be used. Many VM extensions are supported on both Windows and Linux Azure Arc-enabled servers.
We recommend using Azure Policy to deploy VM extensions to your Azure Arc-enabled servers at scale, and regularly checking policy compliance data to identify and remediate servers that don't have the required extensions installed.
Overview of steps:
- Create an initiative to deploy VM extensions at scale.
- Use a "DeployIfNotExists" policy effect to ensure the VM extensions get deployed automatically, as more servers are onboarded, and remediate any servers where the VM extensions have been removed.
- See the Security, governance and compliance for Azure Arc-enabled servers section for more details.
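The script below is an added example, not code from the Microsoft Learn page or from Azure Policy itself. It implements the three steps above with Azure PowerShell: it bundles built-in DeployIfNotExists definitions into an initiative, assigns it at the Arc resource group with a system-assigned managed identity, grants that identity only the roles the definitions declare, remediates servers onboarded before the assignment existed, and lists non-compliant machines for the regular compliance check. It assumes Az.Resources 7 or later (flattened policy objects with .DisplayName, .Id and .PolicyRule), Az.PolicyInsights, and a signed-in session; the two built-in display names are the author's assumption of what to bundle and should be confirmed with Get-AzPolicyDefinition -Builtin, and the resource group and region are placeholders.

```powershell
# Added example, not from the Microsoft Learn page.
$ResourceGroup = 'rg-arc-servers'          # placeholder: the dedicated Arc resource group
$Location      = 'westeurope'              # placeholder; an assignment with an identity needs a location
$rg = Get-AzResourceGroup -Name $ResourceGroup

# 1. Select the built-in definitions to bundle (display names are assumptions; verify them).
$wanted = @(
    'Configure Windows Arc-enabled machines to run Azure Monitor Agent',
    'Configure Linux Arc-enabled machines to run Azure Monitor Agent'
)
$defs = @(Get-AzPolicyDefinition -Builtin | Where-Object { $wanted -contains $_.DisplayName })
if ($defs.Count -ne $wanted.Count) {
    throw 'One or more built-in definitions were not found; check the display names.'
}

# 2. Create the initiative. Explicit reference ids make remediation targeting predictable.
$members = @($defs | ForEach-Object {
    @{ policyDefinitionId = $_.Id; policyDefinitionReferenceId = $_.Name }
})
$initiative = New-AzPolicySetDefinition -Name 'arc-vm-extensions' `
    -DisplayName 'Deploy VM extensions to Azure Arc-enabled servers' `
    -PolicyDefinition (ConvertTo-Json -InputObject $members -Depth 5)

# 3. Assign at resource-group scope. DeployIfNotExists needs an identity that is allowed
#    to deploy the extension, so request a system-assigned managed identity.
$assignment = New-AzPolicyAssignment -Name 'arc-vm-extensions' `
    -PolicySetDefinition $initiative -Scope $rg.ResourceId `
    -Location $Location -IdentityType SystemAssigned

# 4. Grant that identity exactly the roles the definitions declare, at the same scope
#    (the portal does this automatically; PowerShell assignments must do it explicitly).
Start-Sleep -Seconds 30   # let the new identity replicate before creating role assignments
$roleIds = $defs | ForEach-Object { $_.PolicyRule.then.details.roleDefinitionIds } | Select-Object -Unique
foreach ($roleId in $roleIds) {
    New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
        -RoleDefinitionId ($roleId -split '/')[-1] -Scope $rg.ResourceId | Out-Null
}

# 5. DeployIfNotExists fires on create/update only; remediate machines onboarded earlier.
foreach ($def in $defs) {
    Start-AzPolicyRemediation -Name "remediate-$($def.Name)" -Scope $rg.ResourceId `
        -PolicyAssignmentId $assignment.Id -PolicyDefinitionReferenceId $def.Name | Out-Null
}

# 6. The recurring compliance check: machines where an extension is still missing.
Get-AzPolicyState -ResourceGroupName $ResourceGroup -PolicyAssignmentName 'arc-vm-extensions' `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionReferenceId, ComplianceState
```

Step 6 is the piece worth scheduling: a machine that drifts out of compliance after an extension is removed shows up here, and rerunning step 5 (or letting the assignment's evaluation cycle fire) reinstalls it.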
Lifecycle automation
After your servers are onboarded to Azure, we recommend that you enable patch management to simplify OS lifecycle management on your Azure Arc-enabled servers. Azure Update Manager allows you to view and schedule operating system updates and patches for your Azure Arc-enabled servers at scale. See Azure Update Manager overview for more information.
You can use the extension-based Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on Azure Arc-enabled servers.
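As an added example, not taken from the Microsoft Learn page or from Azure Update Manager's own documentation, the script below creates a recurring maintenance window for OS patching and attaches an onboarded Azure Arc-enabled server to it with the Az.Maintenance module. It assumes a signed-in session, that the placeholder resource group, region, time zone, schedule and machine name are replaced, and that the machine's patch orchestration has already been switched to customer-managed schedules, which is a prerequisite for Update Manager to honour the window.

```powershell
# Added example, not from the Microsoft Learn page.
$ResourceGroup = 'rg-arc-servers'             # placeholder
$Location      = 'westeurope'                 # placeholder
$ConfigName    = 'mc-arc-monthly-security'
$MachineName   = 'srv-app-01'                 # placeholder: an onboarded Arc-enabled server

# 1. Define the window: second Saturday of each month from 02:00 for 3 h 55 min,
#    critical and security updates only, reboot only when an update requires it.
#    InGuestPatchMode=User marks the schedule as customer-managed.
$config = New-AzMaintenanceConfiguration -ResourceGroupName $ResourceGroup -Name $ConfigName `
    -Location $Location -MaintenanceScope InGuestPatch `
    -StartDateTime '2025-01-11 02:00' -TimeZone 'W. Europe Standard Time' `
    -Duration '03:55' -RecurEvery 'Month Second Saturday' `
    -InstallPatchRebootSetting IfRequired `
    -WindowParameterClassificationToInclude @('Critical', 'Security') `
    -LinuxParameterClassificationToInclude @('Critical', 'Security') `
    -ExtensionProperty @{ 'InGuestPatchMode' = 'User' }

# 2. Attach the Arc-enabled server. Arc machines live under the
#    Microsoft.HybridCompute provider with resource type 'machines'.
New-AzConfigurationAssignment -ResourceGroupName $ResourceGroup -Location $Location `
    -ResourceName $MachineName -ResourceType 'machines' -ProviderName 'Microsoft.HybridCompute' `
    -ConfigurationAssignmentName $ConfigName -MaintenanceConfigurationId $config.Id | Out-Null

# 3. Confirm the assignment is in place for that machine.
Get-AzConfigurationAssignment -ResourceGroupName $ResourceGroup -ResourceName $MachineName `
    -ResourceType 'machines' -ProviderName 'Microsoft.HybridCompute' |
    Select-Object Name, MaintenanceConfigurationId
```

For a fleet, run step 2 in a loop over Get-AzConnectedMachine output, or assign the maintenance configuration through Azure Policy in the same way as the VM extensions above, so newly onboarded servers inherit the patch window automatically.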
Next steps
For more guidance for your hybrid cloud adoption journey, review the following resources:
- Review Azure Arc Jumpstart scenarios.
- Review the prerequisites for Azure Arc-enabled servers.
- Plan an at-scale deployment of Azure Arc-enabled servers.
- Review Azure Automation in a hybrid environment for the Hybrid Runbook Worker feature of Azure Automation.
- Learn more about Azure Arc via the Azure Arc learning path.
