Automation disciplines for Azure Arc-enabled servers

Azure Arc-enabled servers allow you to manage your Windows and Linux servers and virtual machines that are hosted outside of Azure, on your corporate network, or on another cloud provider. This document is written to help plan for the automation of onboarding, patch management, and expansion of the capabilities of Azure Arc-enabled servers through VM extensions. The article presents key recommendations for operations teams to onboard and automate Azure Arc-enabled servers throughout their lifecycle.


The following image shows a conceptual reference architecture that highlights the onboarding and automation design areas for Azure Arc-enabled servers:

Diagram that shows Azure Arc-enabled data services, including Onboarding and V M extension integration.

Design considerations

The following are some design considerations before onboarding Azure Arc-enabled servers to Azure:

Review requirements

Network connectivity

Your machines have connectivity from your on-premises network or each of the other third-party cloud providers to Azure - either directly connected, via a proxy server or private endpoint. See the Network connectivity for Azure Arc-enabled servers section of this guide for design considerations and recommendations.

Environment preparation

Onboard Azure Arc-enabled servers

  • Before onboarding machines, you've registered the Azure resource providers for Azure Arc-enabled servers.
  • Decide how you'll install and configure the Azure connected machine agent across your fleet of servers. Typically, you'll deploy the agent using your organization's standard automation tools.

Virtual machine extensions

Determine which Azure capabilities you want to enable on your Azure Arc-enabled servers. Some capabilities require a VM extension to be installed on your server, which can be automated with Azure Policy.

Lifecycle automation

Create an operating system patch management strategy for Azure Arc-enabled servers.

Design recommendations

The following are general design recommendations for Azure Arc-enabled servers:

Environment preparation

  • Create a dedicated resource group to include only Azure Arc-enabled servers and centralize management and monitoring of these resources.
  • Evaluate and develop an IT-aligned tagging strategy that can help reduce the complexity of managing your Azure Arc-enabled servers and simplifies the process of making management decisions.
  • Create a service principal to connect machines non-interactively using Azure PowerShell or from the Azure portal.

Onboard Azure Arc-enabled servers

One of your first tasks will be to onboard your fleet of servers and virtual machines to Azure. After generating an installation script, if you only have a few servers, you can opt to run the script directly from your Windows or Linux machines. For larger fleets of servers, there are several options available in Azure to automate the onboarding process. We recommended creating a service principal and apply one of the following methods:

Afterwards, be sure to verify your connection to Azure Arc.

Virtual machine extensions

To simplify the management of hybrid servers throughout their lifecycle, VM extensions can be deployed to Azure Arc-enabled servers from the Azure portal. Virtual machine (VM) extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs. For example, if a virtual machine requires software installation, anti-virus protection, or to run a script in it, a VM extension can be used. Many VM extensions are supported for both Windows and Linux Azure Arc-enabled servers.

We recommended automating the deployment of VM extensions at scale via Azure Policy to automatically deploy extensions to your Azure Arc-enabled servers and regularly check the policy compliance data to identify and remediate servers that don't have the agent installed.

Overview of steps:

Lifecycle automation

After your servers are onboarded to Azure, we recommend that you enable patch management to simplify OS lifecycle management on your Azure Arc-enabled servers. Azure Update Manager allows you to view and schedule operating system updates and patches for your Azure Arc-enabled servers at scale. More information about Azure Update Manager can be found in Azure Update Manager overview.

You can use the User Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on Azure Arc-enabled servers.

Next steps

For more guidance for your hybrid cloud adoption journey, review the following resources: