Management and monitoring for Azure Arc-enabled servers

Azure Arc-enabled servers allow you to manage Windows and Linux servers and virtual machines that are hosted outside of Azure, whether on your corporate network or at a third-party cloud provider.

This article will help you operate Azure Arc-enabled servers across your Azure enterprise estate, with centralized management and monitoring at the platform level. It presents key recommendations for your operations team to maintain Azure Arc-enabled servers.

Architecture

The following diagram shows a conceptual reference architecture that demonstrates how the Azure connected machine agent communicates with the different management and monitoring capabilities in Azure.

Diagram that shows Azure connected machine agent architecture.

Design considerations

Here are some general design considerations for Azure Arc-enabled servers monitoring and management:

  • Azure Monitor requirements: Azure Monitor can collect data directly from your Azure Arc-enabled servers into a Log Analytics workspace for detailed analysis and correlation. This involves installing monitoring agents, such as the Log Analytics agent and the Dependency agent.
  • Azure Monitor agents deployment: Review the deployment options for the Azure Monitor agents.
  • Azure Monitor configuration: Plan your Azure Arc-enabled servers monitoring requirements, including metrics and log collection.
  • Azure connected machine agent management: The Azure connected machine agent plays a critical role in your hybrid operations. It enables you to manage your Windows and Linux machines hosted outside of Azure, and enforce governance policies. It's important to implement solutions that keep track of unresponsive agents, monitor for new versions, and automate the deployment of upgrades.
  • Patch management for your hybrid resources: Updates should be automated and installed in a timely manner to make sure your Azure Arc-enabled servers have the latest operating system and security updates.

Design recommendations

Azure Monitor requirements

Azure Monitor agents deployment

  • The Azure Monitor agents should be automatically deployed to Azure Arc-enabled Windows and Linux servers, through Azure Policy, as part of the enterprise-scale landing zone.
  • Store logs centrally in a dedicated platform Log Analytics workspace, and control log access with Azure role-based access control (RBAC). If management, data sovereignty, or compliance requirements call for a separate workspace, be aware that a separate workspace can reduce your ability to have a single pane of glass and to correlate events across your Azure Arc-enabled servers in the environment.

Azure Monitor configuration

  • Use VM insights to analyze the performance of your Azure Arc-enabled Windows and Linux servers. Monitor their processes and dependencies on other resources and external processes.
  • Create dashboards or Azure Monitor workbooks to track the relevant metrics and events across your Azure Arc-enabled servers. Samples of Log Analytics queries and VM insights can be found in this article.
  • Configure the needed performance counters for the Azure Arc-enabled Windows and Linux servers, on the dedicated Log Analytics workspace.
  • Configure the needed logs for the Azure Arc-enabled Windows and Linux servers, on the dedicated Log Analytics workspace.

Azure connected machine agent management

  • Monitor the health of the Azure connected machine agent by creating a resource health alert that keeps track of Azure Arc-enabled servers not sending heartbeats.
  • Create an Azure Advisor alert, to identify Azure Arc-enabled servers that aren't using the latest version of the Azure connected machine agent.
  • Review the Azure connected machine agent upgrade methods. Automate the upgrade process of the agent, to have the latest fixes and features.
  • Understand how to upgrade virtual machine extensions, to keep other agents installed and managed by Azure Arc up to date.
  • Monitor this article for the latest releases, known issues, and bug fixes of the Azure connected machine agent.
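As an added example (not from the original article), the following Log Analytics query lists Azure Arc-enabled servers whose last heartbeat is older than a threshold; it can back a log search alert rule alongside the resource health alert above, or a workbook tile as described under Azure Monitor configuration. It assumes the Heartbeat table's ResourceProvider and ResourceType values for Arc-enabled servers are "Microsoft.HybridCompute" and "machines", and the 15-minute threshold is a chosen value.

```kusto
// Added example, not part of the original article.
// Assumption: staleAfter is a chosen threshold; tune it to the heartbeat interval
// of the monitoring agent you deploy.
let staleAfter = 15m;
Heartbeat
| where TimeGenerated > ago(7d)                        // bound the scan window
| where ResourceProvider =~ "Microsoft.HybridCompute"  // Arc-enabled servers only (assumed value)
    and ResourceType =~ "machines"                     // (assumed value)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, ResourceId, OSType
| extend SilentFor = now() - LastHeartbeat
| where SilentFor > staleAfter                         // machines that have gone quiet
| project Computer, ResourceId, OSType, LastHeartbeat, SilentFor
| order by SilentFor desc
```

Servers that were never onboarded to the workspace produce no Heartbeat rows at all, so pair this query with the resource health alert rather than relying on it alone.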

Patch management for your hybrid resources

  • Use Azure Update Manager as a long-term patching mechanism for both Azure Arc-enabled Windows and Linux servers. This allows you to view and schedule operating system updates and patches for your Azure Arc-enabled servers at scale.
  • Azure Update Manager also lets you automate Azure connected machine agent upgrades via Windows updates on Azure Arc-enabled Windows servers.
  • If you have Azure Arc-enabled Windows Servers that have reached End of Support and cannot be migrated to Azure or upgraded, enable Extended Security Updates (ESUs) on those servers to keep getting critical and important security patches.

Next steps

For more guidance for your hybrid cloud adoption journey, review the following resources: