Manage Azure Stack HCI-based virtualized workloads with Azure Arc
As described in the previous unit, Azure Arc expands the scope of a number of the Azure Resource Manager features to non-Azure servers running Windows or Linux, including Azure Stack HCI VMs. In some cases, it also enhances the capabilities of some of the hybrid Azure services that don't depend directly on Azure Arc. In this unit, you'll learn how you can benefit from these features and capabilities when managing Azure Stack HCI VMs.
What are the capabilities of Arc-enabled Azure Stack HCI VMs?
For any Arc-enabled server running Windows or Linux, including Azure Stack HCI VMs, you have access to the following settings directly from the Azure portal:
| Setting | Explanation |
|---|---|
| Overview | Provides basic information about the Azure resource and the corresponding Arc-enabled server, including status, location, subscription, computer name, operating system, and tags. |
| Activity log | Lists Azure Resource Manager-based changes affecting the state of the Azure resource representing the Arc-enabled server, including information identifying the initiator of that change. |
| Access control | Enables you to view, grant, and revoke permissions to perform management tasks on the Azure resource representing the Arc-enabled server. |
| Tags | Allow you to view, assign, and remove tags consisting of name/value pairs, which give you a mechanism to label and categorize the Azure resource representing the Arc-enabled server in an arbitrary manner. You can also use them to facilitate consolidated billing by applying tags that map to cost centers reflecting your charge-back policies. |
| Extensions | Allow you to automate configuration of the operating system and applications running within the Arc-enabled server by using VM extensions. |
| Locks | Allow you to prevent accidental changes or deletions of the Azure resource corresponding to the Arc-enabled server. |
| Policies | Allow you to audit operating system and application settings of the Arc-enabled server. |
| Update management | Allows you to implement automatic deployment and reporting of operating system updates on the Arc-enabled server. |
| Inventory | Allows you to implement inventory of the Arc-enabled server. |
| Change tracking | Allows you to implement change tracking the Arc-enabled server. |
| Insights | Allow you to use Azure Monitor to review the host central processing unit (CPU), disks, and the operating system state of the Arc-enabled server. |
| Logs | Allow you to collect and analyze logs generated by the operating system and applications on the Arc-enabled server. |
What are VM extensions?
VM extensions are lightweight software components that automate post-operating system deployment configuration and automation tasks. Traditionally, VM extensions were available only on Azure VMs, but now it's possible to use selected ones on Azure Arc-enabled servers. The following table describes the Windows Server extensions you can add to Azure Arc-enabled servers:
| Extension | Additional information |
|---|---|
| CustomScriptExtension | Executes a script on the target Arc-enabled server. |
| Log Analytics agent | Installs the Log Analytics agent on the target Arc-enabled server and configures it for log forwarding to a Log Analytics workspace. |
| Microsoft Dependency agent | Installs the Dependency agent on the target Arc-enabled server to facilitate identifying internal and external dependencies of server workloads. |
Note
The equivalent VM extensions are available for Arc-enabled servers running Linux.
What is the role of Azure Policy in managing Arc-enabled Azure Stack HCI VMs?
Azure Policy is a service that can help organizations to manage and evaluate the internal and regulatory compliance of their Arc-enabled servers, in addition to a wide range of Azure services. Azure Policy uses declarative rules based on properties of target resource types, including Windows and Linux operating systems. These rules form policy definitions, which administrators can apply through policy assignment to resource groups, subscriptions, or management groups that host Azure Arc-enabled servers. To simplify management of policy definitions, it's possible to combine multiple policies into initiatives, then create a few initiative assignments in lieu of multiple policy assignments.
Azure Policy supports auditing the state of Arc-enabled server with Guest Configuration policies. Guest Configuration policies do not apply configurations, but they audit settings within the target operating system and evaluate their compliance. You can, however, use Azure Policy to apply configuration of the Azure resource representing an Arc-enabled server. You can also use Azure Policy to deploy configurations by leveraging VM extensions.
For example, Contoso could use Azure Policy to implement the following rules:
- Assign a specific tag to resources representing Arc-enabled servers during their registration
- Identify Arc-enabled servers running Windows with Windows Defender Exploit Guard disabled
- Identify Arc-enabled servers running Windows that are not joined to a specific Active Directory Domain Services (AD DS) domain
- Identify Arc-enabled servers running Windows or Linux without Log Analytics agent installed
- Identify Arc-enabled servers running Linux that are not using SSH keys for authentication
Additional reading
You can learn more by visiting the following webpages:
- Virtual machine extension management with Azure Arc-enabled servers
- Azure Policy built-in definitions for Azure Arc for servers
- QuickStart: Create a policy assignment to identify non-compliant resources
Choose the best response for each of the following questions, then select Check your answers.