Automation disciplines for Azure Arc-enabled servers
Azure Arc-enabled servers allow you to manage your Windows and Linux servers and virtual machines that are hosted outside of Azure, on your corporate network, or on another cloud provider. This document is written to help plan for the automation of onboarding, patch management, and expansion of the capabilities of Azure Arc-enabled servers through VM extensions. The article presents key recommendations for operations teams to onboard and automate Azure Arc-enabled servers throughout their lifecycle.
Architecture
The following image shows a conceptual reference architecture that highlights the onboarding and automation design areas for Azure Arc-enabled servers:
Design considerations
The following are some design considerations before onboarding Azure Arc-enabled servers to Azure:
Review requirements
- Your machines run a supported operating system for the Azure connected machine agent.
- Your machines have the required software installed before deploying the Azure connected machine agent.
Network connectivity
Your machines have connectivity to Azure from your on-premises network or from each third-party cloud provider, either directly, via a proxy server, or via a private endpoint. See the Network connectivity for Azure Arc-enabled servers section of this guide for design considerations and recommendations.
Environment preparation
- To deploy and configure the Azure Arc-enabled servers connected machine agent, an account with administrator or root privileges is required.
- To onboard machines, you have the required Azure permissions. See the Identity and access management for Azure Arc-enabled servers section of this guide for more identity and access related content.
Onboard Azure Arc-enabled servers
- Before onboarding machines, you've registered the Azure resource providers for Azure Arc-enabled servers.
- Decide how you'll install and configure the Azure connected machine agent across your fleet of servers. Typically, you'll deploy the agent using your organization's standard automation tools.
Virtual machine extensions
Determine which Azure capabilities you want to enable on your Azure Arc-enabled servers. Some capabilities require a VM extension to be installed on your server, which can be automated with Azure Policy.
Lifecycle automation
Create an operating system patch management strategy for Azure Arc-enabled servers.
Design recommendations
The following are general design recommendations for Azure Arc-enabled servers:
Environment preparation
- Create a dedicated resource group to include only Azure Arc-enabled servers and centralize management and monitoring of these resources.
- Evaluate and develop an IT-aligned tagging strategy that can help reduce the complexity of managing your Azure Arc-enabled servers and simplifies the process of making management decisions.
- Create a service principal to connect machines non-interactively using Azure PowerShell or from the Azure portal.
Onboard Azure Arc-enabled servers
One of your first tasks will be to onboard your fleet of servers and virtual machines to Azure. After generating an installation script, if you only have a few servers, you can opt to run the script directly on your Windows or Linux machines. For larger fleets of servers, there are several options available in Azure to automate the onboarding process. We recommend creating a service principal and applying one of the following methods:
- Review and customize the predefined installation script for at-scale deployment of the connected machine agent to support your automated deployment requirements.
- Generate a PowerShell script using a service principal, and deploy it via your organization's existing automation platform.
- Connect machines using PowerShell remoting or PowerShell DSC.
- Connect machines from Windows Admin Center.
Afterwards, be sure to verify your connection to Azure Arc.
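The service-principal onboarding and verification steps above, as an added example that is not the Azure-generated installation script. It assumes the connected machine agent is already installed on the server, that the service principal holds the Azure Connected Machine Onboarding role on the target resource group, and that its client secret is read at run time from a Key Vault secret named arc-onboarding-sp (a hypothetical name) rather than being embedded in the script.

```powershell
# Added example: connect a Windows server to Azure Arc non-interactively with a service
# principal, then verify the connection. Assumes azcmagent is installed and Az.KeyVault is
# available; the Key Vault name and secret name are hypothetical.
param(
    [Parameter(Mandatory)][string]$TenantId,
    [Parameter(Mandatory)][string]$SubscriptionId,
    [Parameter(Mandatory)][string]$ResourceGroup,
    [Parameter(Mandatory)][string]$Location,
    [Parameter(Mandatory)][string]$ServicePrincipalId,
    [Parameter(Mandatory)][string]$KeyVaultName,           # hypothetical vault holding the SP secret
    [string]$Tags = 'Datacenter=dc01,Environment=prod'     # constructed sample tags
)

$ErrorActionPreference = 'Stop'
$agent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
if (-not (Test-Path $agent)) { throw "Connected Machine agent not found at $agent" }

# Pull the client secret at run time so it never sits in the script or in source control.
$secret = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name 'arc-onboarding-sp' -AsPlainText

# Pre-flight: confirm outbound connectivity to the Arc endpoints before trying to connect.
& $agent check --location $Location
if ($LASTEXITCODE -ne 0) { throw 'azcmagent check failed; fix network or proxy settings first' }

& $agent connect `
    --service-principal-id $ServicePrincipalId `
    --service-principal-secret $secret `
    --tenant-id $TenantId `
    --subscription-id $SubscriptionId `
    --resource-group $ResourceGroup `
    --location $Location `
    --cloud 'AzureCloud' `
    --tags $Tags
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# Verify: 'show' prints agent status and the Azure resource id; the Hybrid Instance Metadata
# service (himds) must be running for the machine to report to Azure.
& $agent show
$svc = Get-Service -Name himds
if ($svc.Status -ne 'Running') { throw "himds is $($svc.Status); expected Running" }
```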
Virtual machine extensions
To simplify the management of hybrid servers throughout their lifecycle, VM extensions can be deployed to Azure Arc-enabled servers from the Azure portal. Virtual machine (VM) extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs. For example, if a virtual machine requires software installation, anti-virus protection, or to run a script in it, a VM extension can be used. Many VM extensions are supported for both Windows and Linux Azure Arc-enabled servers.
We recommend automating the deployment of VM extensions at scale via Azure Policy, which deploys extensions to your Azure Arc-enabled servers automatically, and regularly checking the policy compliance data to identify and remediate servers that don't have the agent installed.
Overview of steps:
- Create an initiative to deploy VM extensions at scale.
- Use a "DeployIfNotExists" policy effect to ensure the VM extensions get deployed automatically, as more servers are onboarded, and remediate any servers where the VM extensions have been removed.
- More details on using policy with Azure Arc-enabled servers can be found in the Security, governance and compliance for Azure Arc-enabled servers section of this guide.
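The DeployIfNotExists approach described in the steps above, as an added example that is not from this guide or from the Azure built-in policy definitions. It defines a custom policy that installs the Azure Monitor agent extension on every Arc-enabled Windows server in a resource group, assigns it with a system-assigned managed identity, remediates servers onboarded before the assignment, and lists the remaining non-compliant machines. Assumptions: Az.Resources 6.x output property names (Identity.PrincipalId, PolicyAssignmentId), the resource group name is constructed, and the Contributor role id stands in for a narrower role you would choose in your tenant.

```powershell
$rgName = 'rg-arc-servers'                      # constructed sample resource group
$rg = Get-AzResourceGroup -Name $rgName
# Policy rule: every Windows Arc machine must have a Succeeded AzureMonitorWindowsAgent extension;
# otherwise the embedded ARM template deploys it. Contributor is used as the deployment role here
# as an assumption; swap in the narrower Azure Connected Machine Resource Administrator role id.
$rule = @'
{ "if": { "allOf": [
      { "field": "type", "equals": "Microsoft.HybridCompute/machines" },
      { "field": "Microsoft.HybridCompute/machines/osName", "equals": "windows" } ] },
  "then": { "effect": "deployIfNotExists", "details": {
    "type": "Microsoft.HybridCompute/machines/extensions",
    "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ],
    "existenceCondition": { "allOf": [
      { "field": "Microsoft.HybridCompute/machines/extensions/publisher", "equals": "Microsoft.Azure.Monitor" },
      { "field": "Microsoft.HybridCompute/machines/extensions/type", "equals": "AzureMonitorWindowsAgent" },
      { "field": "Microsoft.HybridCompute/machines/extensions/provisioningState", "equals": "Succeeded" } ] },
    "deployment": { "properties": { "mode": "incremental",
      "parameters": { "vmName": { "value": "[field('name')]" }, "location": { "value": "[field('location')]" } },
      "template": {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": { "vmName": { "type": "string" }, "location": { "type": "string" } },
        "resources": [ {
          "type": "Microsoft.HybridCompute/machines/extensions", "apiVersion": "2022-03-10",
          "name": "[concat(parameters('vmName'), '/AzureMonitorWindowsAgent')]",
          "location": "[parameters('location')]",
          "properties": { "publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorWindowsAgent",
                          "autoUpgradeMinorVersion": true, "enableAutomaticUpgrade": true } } ] } } } } }
}
'@
$def = New-AzPolicyDefinition -Name 'deploy-ama-arc-windows' -Mode 'Indexed' -Policy $rule `
    -DisplayName 'Deploy Azure Monitor agent on Arc-enabled Windows servers'
# DeployIfNotExists needs a managed identity on the assignment (hence -Location) that holds the
# role named in roleDefinitionIds at the assignment scope.
$assign = New-AzPolicyAssignment -Name 'deploy-ama-arc-windows' -PolicyDefinition $def `
    -Scope $rg.ResourceId -IdentityType 'SystemAssigned' -Location $rg.Location
New-AzRoleAssignment -ObjectId $assign.Identity.PrincipalId -Scope $rg.ResourceId `
    -RoleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c'
# New servers get the extension on first evaluation; remediate servers onboarded before this.
Start-AzPolicyRemediation -Name 'remediate-ama-arc-windows' -Scope $rg.ResourceId `
    -PolicyAssignmentId $assign.PolicyAssignmentId
# Compliance check: machines still lacking a healthy extension show as NonCompliant.
Get-AzPolicyState -ResourceGroupName $rgName -PolicyAssignmentName 'deploy-ama-arc-windows' `
    -Filter "ComplianceState eq 'NonCompliant'" | Select-Object ResourceId, ComplianceState
```

Policy evaluation runs on a schedule, so the compliance query may lag the remediation task by some time; re-run it after the remediation reports completion.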
Lifecycle automation
After your servers are onboarded to Azure, we recommend that you enable patch management to simplify OS lifecycle management on your Azure Arc-enabled servers. Azure Update Manager allows you to view and schedule operating system updates and patches for your Azure Arc-enabled servers at scale. More information about Azure Update Manager can be found in Azure Update Manager overview.
You can use the User Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on Azure Arc-enabled servers.
Next steps
For more guidance for your hybrid cloud adoption journey, review the following resources:
- Review Azure Arc Jumpstart scenarios.
- Review the prerequisites for Azure Arc-enabled servers.
- Plan an at-scale deployment of Azure Arc-enabled servers.
- Review Azure Automation in a hybrid environment for the Hybrid Runbook Worker feature of Azure Automation.
- Learn more about Azure Arc via the Azure Arc learning path.