Azure Arc bridges the gap by connecting servers running in other clouds and on-premises to Azure.
Servers that are not Azure resources must be Arc-enabled before they can communicate with services such as Microsoft Defender for Servers.
These can be, for instance, virtual servers in Amazon or Google Cloud.
You may have noticed the notification that appeared in the Notification area. With the October update KB5031364, the Azure Arc Setup feature was rolled out to all Windows Server 2022 installations.
A notification then appears in the Notification area on the server, asking you to configure and connect the server to Azure Arc. Your first instinct might have been to dismiss it.
In this article, I will tell you a bit more about the service and how it can be used.
Implement consistent inventory, management, governance, and security for servers across your entire environment.
Configure Azure VM extensions to use Azure management services to monitor, secure, and update your servers.
Manage and govern Kubernetes clusters at scale.
Get rapid provisioning, elastic scalability on demand, updating, high availability configuration, backup, recovery, and monitoring.
With Azure Arc, you can build and modernize cloud-native apps on any Kubernetes platform.
The solution allows you to incorporate Azure monitoring, security, and compliance into your DevOps toolkit.
Additionally, you can reduce errors using GitOps and policy-driven deployment and configuration across environments.
With Azure Arc, you can manage servers, Kubernetes clusters, and databases from one place, regardless of where they are running.
This provides you with a consistent experience for management, monitoring, and security.
Azure Arc allows you to extend Azure services to environments outside of Azure. On-premises data centers, other cloud platforms, and edge servers are some examples of this.
This gives you the ability to use Azure tools and services where it makes sense.
You can use Azure Policy and Azure Security Center to enforce policies and security requirements across all your distributed resources.
This improves compliance and reduces the risk of misconfigurations. An example is the security baseline for the company’s on-premises servers.
Arc-enabled servers also count toward the overall Secure score of the subscription where the resources are placed.
Azure Monitor provides you with insights into performance, availability, and troubleshooting for all your resources in all your environments. You can also use Azure Log Analytics to collect and analyze log data from all sources.
Azure Arc gives you the ability to scale resources up or down as needed. This provides you with the flexibility to adapt to changing demands and workloads.
Prerequisites
You need an Azure account with an active subscription.
You need administrator rights on the machine to install and configure the agent.
On Linux, you install and configure it using the root account. On Windows, you use an account that is a member of the Local Administrators group.
Register the resource providers: Microsoft.HybridCompute, Microsoft.GuestConfiguration, and Microsoft.HybridConnectivity in your subscription.
Generate an installation script
Go to the Azure portal and search for Servers – Azure Arc.
Select “Add,” and then “Generate script.”
Specify the subscription, resource group, region, operating system, and connection method.
Download the script.
Install the agent
Run the script on the target machine. This downloads and installs the agent from the Microsoft Download Center.
The script then creates an Azure Arc-enabled server resource in the chosen resource group and connects the local agent to it.
Locally on the machine where the agent is installed, you will be prompted to log in with a user who has sufficient rights in the subscription to add the agent.
Go back to the Azure portal and look for the created server resource under Servers – Azure Arc.
These are examples of on-premises servers (Windows Server 2022) that have had the Azure Connected Machine agent installed. The agent reports to the subscription where the resources are placed.
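The prerequisite and installation steps above, as an added PowerShell example (not the article's or the portal-generated script). Part 1 runs from an administrator workstation with the Az module; part 2 runs on the server itself after the agent MSI is installed. All bracketed values are placeholders.

```powershell
# Part 1 (workstation): register the three resource providers and wait until they report Registered.
$Providers = 'Microsoft.HybridCompute', 'Microsoft.GuestConfiguration', 'Microsoft.HybridConnectivity'
Connect-AzAccount | Out-Null
Set-AzContext -Subscription '<subscription-id>' | Out-Null

foreach ($ns in $Providers) {
    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
}
# Registration is asynchronous; poll until no provider is still Registering.
do {
    Start-Sleep -Seconds 10
    $pending = foreach ($ns in $Providers) {
        $state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -First 1
        if ($state -ne 'Registered') { "$ns=$state" }
    }
    if ($pending) { Write-Host "Waiting for: $($pending -join ', ')" }
} while ($pending)

# Part 2 (on the server, elevated): connect the installed agent to the resource group chosen in the portal.
# Without --access-token the agent prompts for an interactive login, as described in the article.
$azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
& $azcmagent connect `
    --resource-group '<resource-group>' `
    --tenant-id '<tenant-id>' `
    --location '<region>' `
    --subscription-id '<subscription-id>' `
    --cloud 'AzureCloud' `
    --tags 'Environment=OnPrem,Owner=ServerTeam'
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# 'azcmagent show' prints the agent status and the Azure resource ID the machine now reports to.
& $azcmagent show
```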
Many of the services in Azure Arc are free. This includes automation and simple configuration of Azure services for security, monitoring, and management.
Data stored in Log Analytics Workspaces, on the other hand, costs money. It is charged to the subscription where the data is sent and stored.
It is also possible to get Extended Security Updates for Windows Server 2012 R2 and SQL Server 2012 through Arc. These are charged monthly per managed core.
Another option for Azure Arc resources is that they can be enabled with Defender for Servers (either Plan 1 or 2).
Defender for Servers is a paid plan within Microsoft Defender for Cloud.
Azure role-based access control (RBAC) is used to control which accounts can view and manage your Azure Arc-enabled servers.
Be aware that users and applications with contributor or administrator roles can make changes to the resource. This includes deploying or deleting extensions on the machine.
Extensions can include arbitrary scripts running in a privileged context. Therefore, all contributors on the Azure resource should be considered indirect administrators of the server.
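One way to review who those indirect administrators are, as an added PowerShell example that is not part of the article. It assumes the Az.ConnectedMachine and Az.Resources modules and Reader access on the subscription; the role list covers the built-in roles that include extension write permissions and must be extended with any custom role that grants Microsoft.HybridCompute/machines/extensions/write.

```powershell
# Built-in roles that can deploy or delete extensions on an Arc-enabled server.
$PrivilegedRoles = @('Owner', 'Contributor', 'Azure Connected Machine Resource Administrator')

function Get-ArcIndirectAdmins {
    param([string]$ResourceGroupName)   # optional: limit the review to one resource group

    $machines = if ($ResourceGroupName) {
        Get-AzConnectedMachine -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzConnectedMachine
    }

    foreach ($m in $machines) {
        # -Scope returns assignments made on the machine itself and those inherited
        # from the resource group, subscription, or management group.
        Get-AzRoleAssignment -Scope $m.Id |
            Where-Object { $_.RoleDefinitionName -in $PrivilegedRoles } |
            ForEach-Object {
                [pscustomobject]@{
                    Machine    = $m.Name
                    Principal  = if ($_.SignInName) { $_.SignInName } else { $_.DisplayName }
                    Type       = $_.ObjectType            # User, Group or ServicePrincipal
                    Role       = $_.RoleDefinitionName
                    Inherited  = ($_.Scope -ne $m.Id)     # True when the right comes from a parent scope
                    AssignedAt = $_.Scope
                }
            }
    }
}

# Review the result; inherited subscription-wide assignments and service principals
# deserve the closest look, since they rarely get reviewed per server.
Get-ArcIndirectAdmins |
    Sort-Object Machine, Role |
    Format-Table -AutoSize
```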
To manage the Azure Connected Machine agent (azcmagent) on Windows, your user account must be a member of the local administrators group.
On Linux, you must have root access.
Hybrid Instance Metadata Service (himds): Responsible for the core functionality of Arc. This includes sending heartbeats to Azure, exposing a local instance metadata service, and retrieving Microsoft Entra tokens for authentication with other Azure services.
Guest Configuration Service (GCService): Evaluates Azure Policy on the machine.
Guest Configuration Extension Service (ExtensionService): Installs, upgrades, and deletes extensions (agents, scripts, or other software) on the machine.
Local agent security controls
Starting with agent version 1.16, you can optionally restrict which extensions may be installed on your server and disable Guest Configuration.
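Applying those local controls on a Windows Server 2022 host, as an added PowerShell example that is not from the article. It uses the agent's own azcmagent config subcommand, runs in an elevated session, and assumes that only the Azure Monitor Agent and the Defender for Endpoint extension should ever be deployed to this machine.

```powershell
$azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'

# Small wrapper so a failed agent command stops the script instead of being ignored.
function Invoke-Azcmagent {
    param([Parameter(ValueFromRemainingArguments)][string[]]$Arguments)
    $out = & $azcmagent @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "azcmagent $($Arguments -join ' ') failed: $out" }
    $out
}

# 1. Allow only explicitly named extensions (Publisher/Type). With an empty allowlist the agent
#    accepts whatever a Contributor on the Azure resource pushes to it.
Invoke-Azcmagent config set extensions.allowlist 'Microsoft.Azure.Monitor/AzureMonitorWindowsAgent'
Invoke-Azcmagent config set extensions.allowlist 'Microsoft.Azure.AzureDefenderForServers/MDE.Windows' --add

# 2. Disable the Guest Configuration service when Azure Policy guest assignments are not used here.
Invoke-Azcmagent config set guestconfiguration.enabled false

# 3. Verify: read the allowlist back and fail if it was not applied, then print the full local config.
$allowlist = Invoke-Azcmagent config get extensions.allowlist
if (-not ($allowlist -match 'AzureMonitorWindowsAgent')) { throw 'Extension allowlist was not applied' }
Invoke-Azcmagent config list
```

Keep the allowlist under version control alongside the server's build documentation, so that a change to it is as visible as a change to the local administrators group.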
The benefits of Azure Arc in brief: The service gives you better visibility over all your servers, both within and outside of Azure.
With the service enabled, Azure-native tooling connects directly to servers in other clouds and on-premises.
Being able to manage all servers in one place makes it less likely that information about them goes astray.
Instead of being tempted to dismiss an “annoying” notification, use it to streamline your server overview.