Azure Arc

What is Azure Arc?

Azure Arc allows Windows and Linux servers located on your local network or at another cloud provider to be managed in the same way as native Azure virtual machines. When a hybrid machine is connected to Azure, it is treated as an Azure resource: it is assigned a resource ID, it belongs to a resource group within an Azure subscription, and tags can be assigned to it.

However, the Azure Connected Machine agent must be installed on each machine that is to be connected to Azure. This agent does not provide monitoring and therefore does not replace the Log Analytics agent.

Supported scenarios

Different scenarios are supported by Azure Arc. With this functionality, you can assign Azure Policy guest configurations with the same experience as for an Azure virtual machine. Log data collected by the Log Analytics agent is stored in the Log Analytics workspace.

Prerequisites

The following prerequisites are required. Check the Microsoft documentation for possible updates to this list.

  • Windows Server 2012 R2 and later
  • Ubuntu 16.04 and 18.04
  • CentOS Linux 7
  • SLES (SUSE Linux Enterprise Server) 15
  • Red Hat Enterprise Linux (RHEL) 7
  • Amazon Linux 2

The following URLs must be reachable outbound over HTTPS (TCP 443) through your firewall or proxy:

  • management.azure.com
  • login.windows.net
  • dc.services.visualstudio.com
  • agentserviceapi.azure-automation.net
  • *-agentservice-prod-1.azure-automation.net
  • *.his.hybridcompute.azure-automation.net
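Before running the onboarding script it is worth confirming that the server can actually reach these endpoints and that nothing in the path is breaking TLS. The check below is an added example and is not part of the original post: it tests TCP 443 and a TLS handshake with certificate validation for each static endpoint from the list above. The two wildcard hosts are region-specific and only known once the agent registers, so they are left out. Run it in an elevated PowerShell session on the server to be onboarded.

```powershell
# Added example (not from the original post): connectivity and TLS-trust check
# for the static Azure Arc endpoints listed in the prerequisites.
$ArcEndpoints = @(
    'management.azure.com',
    'login.windows.net',
    'dc.services.visualstudio.com',
    'agentserviceapi.azure-automation.net'
)

function Test-ArcEndpoint {
    param([Parameter(Mandatory)][string]$Fqdn)

    $tcp    = Test-NetConnection -ComputerName $Fqdn -Port 443 -WarningAction SilentlyContinue
    $tlsOk  = $false
    $issuer = $null
    $client = $null
    $ssl    = $null

    if ($tcp.TcpTestSucceeded) {
        try {
            # AuthenticateAsClient validates the server certificate against the
            # machine's trusted roots. A TLS-inspecting proxy shows up here either
            # as a validation failure or as an unexpected issuer name.
            $client = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
            $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($Fqdn)
            $issuer = $ssl.RemoteCertificate.Issuer
            $tlsOk  = $true
        }
        catch {
            $issuer = $_.Exception.Message
        }
        finally {
            if ($ssl)    { $ssl.Dispose() }
            if ($client) { $client.Dispose() }
        }
    }

    [pscustomobject]@{
        Endpoint   = $Fqdn
        RemoteIP   = [string]$tcp.RemoteAddress
        TcpOpen443 = $tcp.TcpTestSucceeded
        TlsTrusted = $tlsOk
        Issuer     = $issuer
    }
}

$results = $ArcEndpoints | ForEach-Object { Test-ArcEndpoint -Fqdn $_ }
$results | Format-Table -AutoSize

$failed = $results | Where-Object { -not ($_.TcpOpen443 -and $_.TlsTrusted) }
if ($failed) {
    Write-Warning ("Onboarding will fail for: " + ($failed.Endpoint -join ', ') +
                   ". Fix the firewall or proxy rule before running the script.")
}
```

If the Issuer column shows your own inspection proxy's CA rather than the public CA Microsoft uses, the traffic is being intercepted; check that this is acceptable for your environment and that the agent is configured to use the same proxy (current agent versions have their own setting, `azcmagent config set proxy.url`, rather than reading the browser's settings).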

Install agent on Windows Server

From the Azure portal, type Arc in the search bar and click Azure Arc.

Azure Arc

Click on Manage servers.

Manage Servers

Click Add to add a new server.

Add servers

Click Generate script. This script is used to add the server to Azure Arc.

Generate script Azure Arc

Select the Azure subscription and the resource group. The region is configured automatically. Select the desired operating system and click Next.

Generate script Azure Arc

Configure tags if you want, then click Review + generate.

Generate script Azure Arc

Click Download to download the script.

Download script Azure Arc

From the domain controller, open the Active Directory Users and Computers console. In the properties of the server on which the agent will be installed, select

From the Windows Server, open a PowerShell prompt and run the script.

Install agent

From the server, open a web browser and go to https://microsoft.com/devicelogin. Enter the code displayed in the PowerShell prompt.

Install Azure Arc agent

Click Next and select the Azure account. If the resource provider is not registered, you can use this URL: https://docs.microsoft.com/fr-fr/azure/azure-resource-manager/templates/error-register-resource-provider#code-try-7

Install Azure Arc agent

The server appears in Azure Arc.

Server present in Azure Arc
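The portal-generated script downloads the agent, installs it and runs `azcmagent connect`, which is what triggers the device-code sign-in described above. The script below is an added example and is not the post's own generated script: it performs the same onboarding and adds the checks a practitioner wants around it, namely the resource-provider registration that the "provider is not registered" error refers to, a verification of the MSI exit code, and a post-install check of the resulting Azure resource. All IDs, names and the location are placeholders (assumptions); replace them with the values from your own generated script. Steps 1 and 4 run from a workstation with the Az modules installed, steps 2 and 3 in an elevated PowerShell session on the server.

```powershell
# Added example (not the post's own script): Azure Arc onboarding with pre- and post-checks.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # assumption
$TenantId       = '11111111-1111-1111-1111-111111111111'   # assumption
$ResourceGroup  = 'rg-arc-servers'                          # assumption
$Location       = 'westeurope'                              # assumption
$ServerName     = 'SRV-FILE01'                              # assumption
$AgentExe       = "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe"

# 1. Pre-check (workstation): Arc needs these two resource providers registered
#    in the subscription; a missing one is the "provider is not registered" error.
Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId | Out-Null
foreach ($ns in 'Microsoft.HybridCompute', 'Microsoft.GuestConfiguration') {
    $state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -First 1
    if ($state -ne 'Registered') {
        Write-Host "Registering $ns ..."
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

# 2. On the server: download and install the Azure Connected Machine agent,
#    waiting for msiexec and failing loudly on a non-zero exit code.
$msi = Join-Path $env:TEMP 'AzureConnectedMachineAgent.msi'
Invoke-WebRequest -Uri 'https://aka.ms/AzureConnectedMachineAgent' -OutFile $msi -UseBasicParsing
$install = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
    -ArgumentList "/i `"$msi`" /qn /l*v `"$env:TEMP\azcmagent-install.log`""
if ($install.ExitCode -ne 0) { throw "Agent install failed, exit code $($install.ExitCode)" }

# 3. On the server: connect. The interactive sign-in prints the device code the
#    post shows. The account used only needs the built-in "Azure Connected
#    Machine Onboarding" role on the resource group, not Contributor.
& $AgentExe connect `
    --resource-group $ResourceGroup `
    --tenant-id $TenantId `
    --location $Location `
    --subscription-id $SubscriptionId `
    --tags 'Datacenter=OnPrem,Owner=Infra'     # optional; values are assumptions
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# 4. Post-check: agent status on the server, then the machine as an Azure
#    resource (resource ID, agent version, status) from the workstation.
& $AgentExe show
Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $ServerName |
    Select-Object Name, Status, AgentVersion, OSName, Id
```

Treat the generated script like any other onboarding artifact: the interactive variant contains only subscription and tenant IDs, but if you switch to the non-interactive variant (a service principal passed with `--service-principal-id` and `--service-principal-secret`), the script then carries a credential and must not be left on a file share or in a ticketing system.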

Create Azure Policy

From the Azure Arc console, click the server added previously.

Server present in Azure Arc

The properties of the server appear; click Policies.

Properties of the server added to Azure Arc

You can assign a policy or an initiative. An initiative is a collection of policy definitions, so that a set of policies is grouped into a single element.

Assign Initiative

Click the button to select an initiative definition.

Select Initiative

Select the desired initiative. I selected "Audit Windows VMs in which the Administrators group does not contain only the specified members".

Select Initiative

Check that Policy enforcement is set to Enabled and click Next.

Configure Initiative Azure ARC

Enter the parameters (the Members list, in my case).

Configure Initiative Azure ARC

You can configure remediation and create a remediation task. Click Create to create the initiative assignment.

Create Initiative Azure ARC

After a few minutes, the results appear. We can see that some servers are non-compliant.

Azure Policy: non-compliant servers

Click Non-compliant, then Non-compliant resources, to list all servers that are non-compliant.

Azure Policy: non-compliant servers
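The same assignment and compliance check can be done without the portal, which is useful when you have more than a handful of Arc servers. The script below is an added example and is not from the original post: it looks up the built-in initiative by its display name, assigns it to a single Arc-enabled server with the Members parameter, forces an evaluation and lists the non-compliant results. Resource group, server name, location and the Members list are assumptions. The initiative creates a managed identity for its prerequisite deployment (the remediation step shown above), which is why a location and an identity are passed to the assignment.

```powershell
# Added example (not from the original post): assign the initiative to one
# Arc machine and query compliance with Az.Resources and Az.PolicyInsights.
$ResourceGroup = 'rg-arc-servers'      # assumption
$ServerName    = 'SRV-FILE01'          # assumption
$Location      = 'westeurope'          # assumption
# Semicolon-separated list, the format the built-in policy's Members parameter expects.
$Members       = 'Administrator;CONTOSO\Domain Admins'   # assumption

$DisplayName = 'Audit Windows VMs in which the Administrators group does not contain only the specified members'

# Older Az.Resources exposes DisplayName under .Properties, newer versions at top level; accept both.
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq $DisplayName -or $_.DisplayName -eq $DisplayName } |
    Select-Object -First 1
if (-not $initiative) { throw "Initiative '$DisplayName' not found" }

# Scope the assignment to the Arc machine resource itself, as the post does
# from the server's Policies blade.
$machine = Get-AzResource -ResourceGroupName $ResourceGroup `
    -ResourceType 'Microsoft.HybridCompute/machines' -Name $ServerName

$assignment = New-AzPolicyAssignment -Name 'audit-local-admins' -DisplayName $DisplayName `
    -Scope $machine.ResourceId -PolicySetDefinition $initiative `
    -PolicyParameterObject @{ Members = $Members } `
    -Location $Location -IdentityType 'SystemAssigned'   # -AssignIdentity on older Az.Resources

# Trigger an evaluation now instead of waiting for the scheduled cycle, then
# list what is non-compliant for this assignment.
Start-AzPolicyComplianceScan -ResourceGroupName $ResourceGroup | Out-Null
Get-AzPolicyState -ResourceGroupName $ResourceGroup `
    -Filter "ComplianceState eq 'NonCompliant' and PolicyAssignmentName eq '$($assignment.Name)'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState, Timestamp |
    Format-Table -AutoSize
```

Keep in mind that this initiative only audits: a local administrator that is not in the Members list is reported as non-compliant, not removed. The remediation task you can create during the assignment applies to the prerequisite deployment, so removing a rogue admin is still a separate action on your side.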
