Azure ARC is a new service from Microsoft announced at Ignite 2019. The service promises the ability to use the same Azure management tools to manage and monitor your on-prem workloads, or even workloads in another cloud. At present Azure ARC Machines is in preview and limited to Guest Configuration and Monitoring. That said, if you’ve ever read my blog before you already know you don’t need Azure ARC to use Azure Monitor for your on-prem workloads. Still, I wanted to onboard my VMs to Azure ARC, and more specifically to do it with Windows Admin Center. If you’re not using Windows Admin Center, you really should be; it’s amazing and completely free.
Enabling Azure ARC Preview
Because the service is in preview, you need to explicitly enable the service on your Azure subscription(s). You can do this in the Azure Portal and with PowerShell.
In Azure Portal
First, find “Machines – Azure Arc” in the portal. Then select Create Machine – Azure Arc.
Next, click Generate script
Now click on Register.
This will enable the Microsoft.HybridCompute and Microsoft.GuestConfiguration resource providers.
Enable via PowerShell
If the Azure Portal isn’t your thing, here’s the PowerShell way:
Connect-AzAccount
Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration
If you miss this step, when you try to onboard a machine to ARC you will get this nice error.
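Registering a provider is asynchronous, so a script that registers and immediately onboards can still hit that error. The following is an added example (not from the original post) that checks the registration state of both providers, registers only the ones that are missing, and waits until they report Registered. It assumes the Az PowerShell module is installed and the account has rights to register providers on the selected subscription.

```powershell
# Added example: make sure the two resource providers Azure Arc for servers needs
# are registered before onboarding any machines. Assumes the Az module and
# sufficient rights on the subscription (assumption, not stated in the post).
Connect-AzAccount | Out-Null

$providers = 'Microsoft.HybridCompute', 'Microsoft.GuestConfiguration'

foreach ($ns in $providers) {
    # Get-AzResourceProvider returns one object per resource type in the namespace;
    # the provider is only fully usable when every one of them is Registered.
    $notReady = Get-AzResourceProvider -ProviderNamespace $ns |
        Where-Object { $_.RegistrationState -ne 'Registered' }

    if (-not $notReady) {
        Write-Host "$ns is already registered"
        continue
    }

    Write-Host "Registering $ns (current state: $(($notReady.RegistrationState | Select-Object -Unique) -join ', '))"
    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null

    # Poll until registration completes so the Arc onboarding step does not fail.
    do {
        Start-Sleep -Seconds 10
        $notReady = Get-AzResourceProvider -ProviderNamespace $ns |
            Where-Object { $_.RegistrationState -ne 'Registered' }
    } until (-not $notReady)

    Write-Host "$ns registered"
}
```

Run it once per subscription you plan to place Arc machines in; it is safe to rerun because already registered providers are skipped.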
Connect Windows Admin Center and Azure
In your Windows Admin Center(WAC), if you haven’t already registered Windows Admin Center with Azure you’ll be asked to do that, or you can do it separately under the Azure tab within WAC.
Follow the steps outlined here. Essentially you are creating a new Azure AD application for WAC to have permissions to your Azure environment.
Next you need to find the app in Azure AD, and grant the permissions.
Once done if you connect to any VM, under the Azure Hybrid Services tab, you’ll now see a bunch of Azure services available to you.
Set up Azure ARC with Windows Admin Center
For the purposes of this blog I created a brand new VM, arctest, and joined it to my lab domain. Once connected to a VM you can see the services available; in this case we’re doing Arc for Servers.
Because these machines are going to be treated like Azure Resources, it will ask you what subscription and resource group you want to put the machines in.
In my experience it will take around 5 minutes per machine to set up. Once set up you get this screen here,
and the Azure Connected Machine Agent will be installed.
The reason I created a brand new VM in my lab is because all my other machines have already been using Azure Monitor. I wanted to see what would happen on a fresh machine. And if it would install the Microsoft Monitoring Agent, aka Log Analytics Agent. It did not. The Query and Analyze logs section above should be modified to make it clear that you haven’t connected the machine to Azure Monitor. Or that should be added as an optional step. Right now it implies that the machine is connected.
You can read about all the changes made to VMs that are on-boarded here.
Azure Management with Azure Arc
Once you’ve onboarded all your machines, they’ll be in the Resource Group that was specified when joining them.
You can treat them as regular resources in Azure. They’re given a ResourceId, location and Resource Group, just like all your Azure native resources.
They will also show up in the Log Analytics Heartbeat table, once you’ve connected them to a Log Analytics workspace.
Management with Policy
Right now the most useful policies are in the Guest Configuration category.
Looking through them, I immediately found one I had to try out, which was the Initiative “Audit Windows VMs that are not set to the specified time zone”, which contains two policies. I set it to Central time and sure enough it worked on my arctest machine. I can’t tell you how many times that’s thrown me off. “How is it only 10am, I already had lunch?”
At some point I would expect to see deployIfNotExist work as part of Azure Policy against Azure Arc servers. It would be really cool to be able to set an Azure Backup policy that automatically onboards your on-prem machines to Azure Recovery Services vaults for Azure Backup.
Improvements for Windows Admin Center and Azure Arc Machines
For me, Windows Admin Center exists because Microsoft recognizes that having every admin know PowerShell is unfeasible. *Gasp* I know, I know, I’m supposed to say “learn PowerShell or learn to ask if you want fries.” But it’s simply not true, which is part of the reason WAC exists in my opinion. It allows Admins to manage servers remotely without RDP, using the more secure WinRM with PowerShell behind the scenes. With all that said, I would like to see a Select All or multi-select option to enable multiple machines for Azure Arc at once, instead of having to do it singularly. Yes, I know there is a bulk add script, but again see above about Admins and PowerShell. It’s likely going to take someone not familiar with PowerShell longer to get set up and figure that out than just “select all, add” would.
As mentioned above, I would like to see the Log Analytics portion clarified and potentially an optional step added to onboard the machines to Log Analytics as well.