Azure – Extend Azure to your on-premises with ARC

As announced at the Microsoft Ignite 2019 Conference (see https://t.co/3saEyWJRta), you can now extend Azure Resource Manager (ARM) capabilities – including your Azure governance policies – to your on-premises servers, and to servers hosted in other clouds, with Azure ARC.

By extending ARM outside of Azure, you will be able to see your servers on the Azure portal like any other Azure resources.

To start using the ARM capabilities outside Azure, log on to your Azure portal (https://portal.azure.com/) and search for Azure ARC.


You will see 2 results:

  • Azure ARC
  • Machines – Azure ARC (which will list your registered ‘non Azure’ servers)

Select Azure ARC and start registering your servers; you can also register for the public preview for Kubernetes and other cloud services.


For this post, I’m going to register my servers by using the Manage servers option.


By hitting the Add or Create machine – Azure ARC buttons you get to a blade that either generates a PowerShell script for interactive (individual) registration, or lets you use a scalable process for registering multiple servers at once.

NOTE you must create the resource group where you want to host your ARC servers before proceeding; the wizard offers no option to create the resource group.

Interactive Script Onboarding

When selecting the interactive script option you have to fill in a few details, such as the operating system and the proxy server (if any).


The Region option defines where the server metadata will be stored; no customer data (i.e. data hosted on the server) is saved there.

Once you have completed the script creation wizard, you can copy and save the provided code to be executed on the servers in interactive mode, or use the Download button to save the PowerShell script itself directly.

As you will notice, the script downloads an MSI package; this MSI package can be reused for the deployment at scale option (see below).

You can tweak the script a little to change where the installation log file (installation.txt) is saved, or to disable logging altogether.

As always when running PowerShell scripts on servers, it is recommended to use Run as Administrator.


When running the PowerShell script you will be prompted to log on to the device authentication page and enter the code provided.


If the device authentication process succeeds, you will see the message

level=info msg="Successfully Onboarded Resource to Azure" VM Id=<machine ID>


Then, after a few minutes, your registered server should be listed within the Machines – Azure ARC blade.


From there you can manage this server through Azure ARM to apply RBAC and compliance policies.


At Scale Onboarding

If you want to onboard a bunch of servers at once, it is preferable to use the Add machine at scale option.

To do so, you need to create a Service Principal in Azure AD and then deploy the MSI package you generated with the interactive script onboarding option, or download it with the command below.

For Windows OS: Invoke-WebRequest -Uri https://aka.ms/AzureConnectedMachineAgent -OutFile AzureConnectedMachineAgent.msi

For Linux OS: wget https://aka.ms/azcmagent -O ~/Install_linux_azcmagent.sh

These packages are also available for download directly from Microsoft download website:

Let’s create the Service Principal (I’m using Azure Cloud Shell for simplicity).

NOTE do not change the name of the service principal

$sp = New-AzADServicePrincipal -DisplayName "Arc-for-servers" -Role "Azure Connected Machine Onboarding"


Retrieve the service principal password:

$credential = New-Object pscredential -ArgumentList "temp", $sp.Secret
$credential.GetNetworkCredential().password


NOTE you need to save the result, as you will not be able to retrieve it later.

NOTE the secret created is valid for 1 year; see below if you need to change it and/or set a different expiration period.

The Service Principal created can be accessed from the App registrations blade by searching for Arc, then going to the Certificates & secrets blade.
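A one-year secret is a long time for an onboarding credential to stay valid, and the post gives no command for changing it. The following is an added example, not part of the original post, showing how to list the existing credentials on the "Arc-for-servers" service principal and add a shorter-lived one with the Az.Resources cmdlets (Get-AzADServicePrincipal, Get-AzADSpCredential, New-AzADSpCredential). It assumes you run it in Azure Cloud Shell like the rest of the post; the 90-day lifetime and the variable names are this example's own choices. Depending on the Az.Resources version, the returned credential object exposes the value either as a SecureString in .Secret or as plain text in .SecretText, and the code handles both.

```powershell
# Added example (not from the original post): rotate the onboarding secret.
# Assumes Az.Resources is loaded (Azure Cloud Shell); lifetime of 90 days is a choice.
$sp = Get-AzADServicePrincipal -DisplayName 'Arc-for-servers'
if (-not $sp) { throw 'Service principal Arc-for-servers not found' }

# List what already exists so expired or unused credentials can be removed
# afterwards with Remove-AzADSpCredential -ObjectId $sp.Id -KeyId <id>.
Get-AzADSpCredential -ObjectId $sp.Id | Format-Table -AutoSize

# Add a new password credential that expires in 90 days instead of one year.
$cred = New-AzADSpCredential -ObjectId $sp.Id -EndDate (Get-Date).AddDays(90)

# Read the value once; it cannot be retrieved again later, so store it in your
# secret store before closing the shell.
if ($cred.PSObject.Properties['SecretText']) {
    # Newer Az.Resources (Microsoft Graph based) returns the value in plain text.
    $secretValue = $cred.SecretText
} else {
    # Older Az.Resources returns a SecureString in .Secret.
    $secretValue = [System.Net.NetworkCredential]::new('', $cred.Secret).Password
}
$secretValue
```

Once every server has been onboarded, remove the credential entirely rather than waiting for it to expire: the service principal only needs to exist for the connect step.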


Now you can deploy the Azure ARC agent MSI package and then execute the command below to connect the agent to Azure ARC.

PowerShell

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect --service-principal-id "{your spn appid}" --service-principal-secret "{your spn password}" --resource-group "{your resource group name}" --tenant-id "{your tenant id}" --location "{location where the server metadata will be saved}" --subscription-id "{your subscription id}"

Linux bash

azcmagent connect --service-principal-id "{your spn appid}" --service-principal-secret "{your spn password}" --resource-group "{your resource group name}" --tenant-id "{your tenant id}" --location "{location where the server metadata will be saved}" --subscription-id "{your subscription id}"
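The at-scale procedure above (download the MSI, install it, run azcmagent connect with the service principal) can be put into one script that is pushed to each Windows server. The following is an added example, not the post's or Microsoft's own script: the download URL, MSI name, log file name and the azcmagent switches are taken from the post; the parameter names, the Authenticode check and the use of $env:TEMP are this example's own choices. The check on the MSI signature exists because the package is fetched over a redirecting aka.ms link and is then run as an administrator, so an unsigned or differently signed file should stop the deployment.

```powershell
# Added example (not from the original post): unattended at-scale onboarding of
# one Windows server. Parameter names and the signature check are this example's.
param(
    [Parameter(Mandatory)] [string]       $ServicePrincipalAppId,
    [Parameter(Mandatory)] [securestring] $ServicePrincipalSecret,
    [Parameter(Mandatory)] [string]       $ResourceGroup,
    [Parameter(Mandatory)] [string]       $TenantId,
    [Parameter(Mandatory)] [string]       $SubscriptionId,
    [Parameter(Mandatory)] [string]       $Location
)

$msiPath = Join-Path $env:TEMP 'AzureConnectedMachineAgent.msi'
$logPath = Join-Path $env:TEMP 'installation.txt'   # same log name the wizard script uses

# 1. Download the agent package (URL from the post).
Invoke-WebRequest -Uri 'https://aka.ms/AzureConnectedMachineAgent' -OutFile $msiPath

# 2. Refuse to install anything that is not validly signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $msiPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Unexpected signature on $msiPath : $($sig.Status) / $($sig.SignerCertificate.Subject)"
}

# 3. Silent install with a verbose log, so failures can be read from installation.txt.
$install = Start-Process msiexec.exe -ArgumentList "/i `"$msiPath`" /qn /l*v `"$logPath`"" -Wait -PassThru
if ($install.ExitCode -ne 0) { throw "msiexec returned $($install.ExitCode); see $logPath" }

# 4. Connect the agent. The secret stays a SecureString until the last moment;
#    note it is still visible on the azcmagent command line while the process runs.
$plainSecret = [System.Net.NetworkCredential]::new('', $ServicePrincipalSecret).Password
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
    --service-principal-id     $ServicePrincipalAppId `
    --service-principal-secret $plainSecret `
    --resource-group           $ResourceGroup `
    --tenant-id                $TenantId `
    --location                 $Location `
    --subscription-id          $SubscriptionId
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }
```

Run it from your deployment tool with the secret supplied as a SecureString (for example read from a vault at run time) rather than hard-coded in the script, since the script itself will be copied to every server.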

If your server is not reporting and/or not showing as connected, check whether the Azure Hybrid Instance Metadata Service service is running.
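As an added example (not from the original post), here is a small health check that wraps the advice above: it looks the service up by the display name given in the post, starts it if it is stopped, and then asks the agent for its own status with azcmagent show. The function name and the install path under $env:ProgramFiles (the same path the post's connect command uses) are this example's assumptions.

```powershell
# Added example (not from the original post): local health check for the agent.
function Test-ArcAgentHealth {
    # Look the service up by the display name the post refers to.
    $svc = Get-Service -DisplayName 'Azure Hybrid Instance Metadata Service' -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning 'Azure Hybrid Instance Metadata Service not found; is the agent MSI installed?'
        return $false
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "Service $($svc.Name) is $($svc.Status); attempting to start it"
        Start-Service -Name $svc.Name
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }

    # Ask the agent itself how it is doing (resource name, tenant, connection status).
    $agent = "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe"
    if (-not (Test-Path $agent)) {
        Write-Warning "azcmagent.exe not found at $agent"
        return $false
    }
    & $agent show
    return ($LASTEXITCODE -eq 0)
}

Test-ArcAgentHealth
```

If the service is running but azcmagent show reports the machine as disconnected, the usual suspects are the proxy settings chosen in the wizard and outbound access to the Azure endpoints.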


Benoit Hamet

Benoit is working on Microsoft collaborative technologies. He has been awarded as MVP for more than 12 years: currently MVP on Office 365, after being awarded on SharePoint (2011-2012) and Windows client & server (2002-2007). Speaker at various Microsoft events (TechDays, TechNet seminars) and Quest Software. He works on on-premises (Active Directory, RADIUS/NPS, Exchange, Skype for Business, SharePoint, SQL, Terminal Server, Windows client and Windows Server) and online (Azure, Intune, Office 365, Exchange Online, SharePoint Online, Skype for Business Online, Teams) technologies.
