This is a continuation of a series of articles on hosting
solutions and services on the Azure public cloud; the most recent discussion, on
Multitenancy, is here. This article discusses Azure Arc-enabled
servers.
Azure Arc-enabled servers expose hybrid inventory to the Azure
management plane. Windows and Linux
physical servers and virtual machines hosted outside of Azure, on the corporate
network or in other clouds, become first-class Azure resources once
they are Azure Arc-enabled.
When an Azure Arc-enabled server is connected, it receives a
resource ID and is placed in a resource group. Standard Azure constructs
such as Azure Policy and tagging then apply to it.
These diverse machines are connected by installing the Azure
Connected Machine agent on each machine.
This agent does not deliver any other functionality, and it does not replace the
Azure Log Analytics agent or the Azure Monitor agent. There are several
deployment methods for getting this agent installed on those external servers.
The supported cloud operations are govern, protect, configure
and monitor. Governance is enabled with Azure Policy guest configuration, which
audits settings inside the machine. Non-Azure servers can be protected with
Microsoft Defender for Endpoint and included through Microsoft Defender for
Cloud for threat detection, vulnerability management, and monitoring of potential
security threats. Microsoft Sentinel can be used for SIEM purposes. Configuration
is enabled with Azure Automation for frequent and time-consuming management
tasks. Configuration changes to installed software, Microsoft services, the Windows registry and
files, and Linux daemons can be assessed using change tracking and inventory. Update management
can be used to update Windows and Linux servers. Post-deployment configuration
and automation tasks can be performed using Azure Arc-enabled servers VM extensions.
Operating system performance can be monitored using VM insights. Other log
data, such as performance data and events, can be stored in a Log Analytics
workspace.
Instance metadata about the connected machines
is collected and stored in the region where the Azure Arc machine resource is
configured. It includes details such as operating system name and version,
computer name, computer fully qualified domain name, and Connected Machine agent
version.
The status for a connected machine can be viewed in the
Azure Portal under Azure Arc -> Servers.
The Connected Machine agent sends a regular heartbeat
message from each machine; if the heartbeats stop, the machine is marked as disconnected within
15 to 30 minutes. The machine identity's credential is valid for up to 90 days and is
renewed every 45 days. Azure Arc-enabled servers have a limit on the number of instances
that can be created in each resource group, but there are no limits at
the subscription or service level.
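The instance metadata and heartbeat-based status described above are what an operator actually reviews when checking an Arc fleet. The following is an added example, not code from the original article or from Microsoft: it takes an inventory export in the JSON shape returned by `az connectedmachine list` (Microsoft.HybridCompute machines), of which only the fields `name`, `location`, `properties.status`, `properties.lastStatusChange`, `properties.agentVersion`, `properties.osName`, `properties.osVersion` and `properties.machineFqdn` are used, and flags machines that have been disconnected longer than the 30-minute heartbeat window, machines running an agent below a baseline version, and the OS breakdown of the fleet. The three machine records, the baseline version and the fixed clock are constructed sample values.

```python
"""Inventory checks over Azure Arc-enabled server records (added example).

Assumes the JSON layout of `az connectedmachine list -o json`; the records
below are constructed sample data, not output from a real tenant.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: a trimmed `az connectedmachine list` result.
SAMPLE_INVENTORY = json.dumps([
    {"name": "web-01", "location": "eastus",
     "properties": {"status": "Connected",
                    "lastStatusChange": "2024-05-01T09:55:00Z",
                    "agentVersion": "1.40.02664.1629",
                    "osName": "linux", "osVersion": "22.04",
                    "machineFqdn": "web-01.corp.example"}},
    {"name": "db-02", "location": "eastus",
     "properties": {"status": "Disconnected",
                    "lastStatusChange": "2024-04-30T21:10:00Z",
                    "agentVersion": "1.38.02376.1280",
                    "osName": "windows", "osVersion": "10.0.20348",
                    "machineFqdn": "db-02.corp.example"}},
    {"name": "build-03", "location": "westeurope",
     "properties": {"status": "Connected",
                    "lastStatusChange": "2024-05-01T10:00:00Z",
                    "agentVersion": "1.40.02664.1629",
                    "osName": "linux", "osVersion": "9.3",
                    "machineFqdn": "build-03.corp.example"}},
])

# Constructed baseline: agents at or above major.minor 1.40 count as current.
MIN_AGENT_VERSION = (1, 40)


def parse_version(ver):
    """Turn '1.40.02664.1629' into a comparable tuple of ints."""
    return tuple(int(part) for part in ver.split("."))


def parse_timestamp(ts):
    """Parse the ISO-8601 UTC timestamp ('...Z' suffix) Azure returns."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_inventory(raw_json):
    """Flatten each record to the fields the checks need."""
    machines = []
    for rec in json.loads(raw_json):
        p = rec["properties"]
        machines.append({
            "name": rec["name"],
            "location": rec["location"],
            "status": p["status"],
            "last_change": parse_timestamp(p["lastStatusChange"]),
            "agent_version": parse_version(p["agentVersion"]),
            "os": f'{p["osName"]} {p["osVersion"]}',
            "fqdn": p["machineFqdn"],
        })
    return machines


def find_stale(machines, now, grace=timedelta(minutes=30)):
    """Machines not reporting Connected whose last status change is older
    than the grace period (the upper end of the 15-30 minute heartbeat window)."""
    return sorted(m["name"] for m in machines
                  if m["status"] != "Connected" and now - m["last_change"] > grace)


def find_outdated_agents(machines, minimum=MIN_AGENT_VERSION):
    """Machines whose Connected Machine agent major.minor is below the baseline."""
    return sorted(m["name"] for m in machines if m["agent_version"][:2] < minimum)


def summarize_os(machines):
    """Count machines per OS name/version from the collected instance metadata."""
    return dict(Counter(m["os"] for m in machines))


def run_checks(raw_json=SAMPLE_INVENTORY, now_iso="2024-05-01T10:30:00Z"):
    """Run all three checks against an inventory export at a given clock time."""
    machines = load_inventory(raw_json)
    now = parse_timestamp(now_iso)
    return {
        "stale": find_stale(machines, now),
        "outdated_agents": find_outdated_agents(machines),
        "os_breakdown": summarize_os(machines),
    }


if __name__ == "__main__":
    # Fixed clock so the constructed sample gives repeatable results.
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

In practice the `now_iso` argument is simply the current UTC time and `raw_json` is the saved CLI output; the stale list is the one to act on first, since a machine that has stopped heartbeating is also no longer receiving policy, Defender or update management coverage.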