Sunday, July 31, 2022


This is a continuation of a series of articles on hosting solutions and services on the Azure public cloud; the most recent discussion covered multitenancy. This article discusses Azure Arc-enabled servers.

Azure Arc-enabled servers expose a hybrid inventory to the Azure management plane. Windows and Linux physical servers and virtual machines hosted outside Azure, whether on the corporate network or in other clouds, become first-class Azure resources once they are Arc-enabled.

When an Azure Arc-enabled server is connected, it is assigned an Azure resource ID and placed in a resource group, so standard Azure constructs such as Azure Policy and resource tags apply to it.

These diverse machines are connected by installing the Azure Connected Machine agent on each of them. The agent itself only provides the connection to Azure: it delivers no other functionality and does not replace the Log Analytics agent or the Azure Monitor Agent, which are installed separately (for example as VM extensions) when monitoring is needed. There are several deployment methods for getting the agent onto those external servers, from a portal-generated script for a single machine to scripted onboarding at scale with a service principal.

The supported cloud operations are govern, protect, configure and monitor. Governance is enabled with Azure Policy guest configuration, which audits settings inside the machine. Non-Azure servers can be protected with Microsoft Defender for Endpoint and onboarded to Microsoft Defender for Cloud for threat detection, vulnerability management and monitoring of potential security threats; Microsoft Sentinel can be used for SIEM purposes.

Configuration is enabled with Azure Automation for frequent and time-consuming management tasks. Change tracking and inventory assess configuration changes to installed software, Microsoft services, the Windows registry and files, and Linux daemons, and Update Management patches Windows and Linux servers. Post-deployment configuration and automation tasks can be performed with VM extensions for Arc-enabled servers. Operating system performance can be monitored with VM insights, and other log data such as performance counters and events can be stored in a Log Analytics workspace.

Instance metadata about the connected machines is collected and stored in the region where the Azure Arc machine resource is configured; it includes the operating system name and version, the computer name, the computer's fully qualified domain name and the Connected Machine agent version.

The status of a connected machine can be viewed in the Azure portal under Azure Arc -> Servers.

The Connected Machine agent sends a regular heartbeat message to Azure. If the heartbeats from a machine stop, the machine is assumed to be disconnected and its status changes accordingly within 15 to 30 minutes. The machine identity's credential is valid for up to 90 days and is renewed every 45 days, which requires the agent to be connected. Azure Arc-enabled servers has a limit on the number of instances that can be created in each resource group, but no limits at the subscription or service level.
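As an added example (not code from the original post or from Microsoft), the following Python script runs a health check over the inventory that Arc machine resources expose: it flags machines whose status is not Connected, machines offline longer than the 45-day renewal interval and the 90-day credential validity quoted above, agents below a version baseline, and machines missing the tags a policy would audit, and it counts machines per resource group since that is where the instance limit applies. The sample records are constructed; the `properties` field names (`status`, `lastStatusChange`, `agentVersion`, `osName`) follow the `Microsoft.HybridCompute/machines` resource as returned by `az connectedmachine list -o json`, and the required tag names and the agent baseline are assumptions to be replaced with your own standard.

```python
"""Health check over an Azure Arc-enabled servers inventory (added example).

Feed it the JSON from `az connectedmachine list -o json`; the records below are
constructed sample data in the shape of the Microsoft.HybridCompute/machines
resource. Field names are the author's understanding of that resource and
should be verified against a real listing.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Figures from the post: a machine whose heartbeats stop is marked Disconnected
# within 15-30 minutes; its identity credential is valid for up to 90 days and
# is renewed every 45 days. Renewal needs connectivity, so a long offline period
# is worth flagging before the credential lapses.
CREDENTIAL_RENEWAL_DAYS = 45
CREDENTIAL_VALIDITY_DAYS = 90

REQUIRED_TAGS = ("owner", "env")  # assumed tagging standard, not from the post
MIN_AGENT_VERSION = "1.20.0.0"     # assumed baseline, not from the post

# Fixed "now" so the report is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2022, 7, 31, 12, 0, tzinfo=timezone.utc)

# Constructed sample inventory.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "web01", "resourceGroup": "rg-arc-prod", "location": "westeurope",
   "tags": {"owner": "platform", "env": "prod"},
   "properties": {"status": "Connected", "lastStatusChange": "2022-07-30T08:00:00Z",
                  "agentVersion": "1.20.01234.567", "osName": "linux"}},
  {"name": "db02", "resourceGroup": "rg-arc-prod", "location": "westeurope",
   "tags": {"env": "prod"},
   "properties": {"status": "Disconnected", "lastStatusChange": "2022-07-31T09:10:00Z",
                  "agentVersion": "1.20.01234.567", "osName": "windows"}},
  {"name": "legacy03", "resourceGroup": "rg-arc-lab", "location": "westeurope",
   "tags": {},
   "properties": {"status": "Disconnected", "lastStatusChange": "2022-05-01T12:00:00Z",
                  "agentVersion": "1.15.02000.001", "osName": "windows"}}
]
""")


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamps ARM emits (trailing Z) into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def version_tuple(version: str) -> tuple[int, ...]:
    """Turn an agent version such as '1.20.01234.567' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def check_machine(machine: dict, now: datetime, min_agent: str) -> list[str]:
    """Return the findings for one Arc machine resource (empty list if healthy)."""
    props = machine["properties"]
    findings: list[str] = []

    status = props.get("status")
    if status != "Connected":
        offline_for = now - parse_ts(props["lastStatusChange"])
        findings.append(f"status {status} for {offline_for.days}d")
        if offline_for > timedelta(days=CREDENTIAL_VALIDITY_DAYS):
            findings.append("offline longer than the 90-day credential validity; "
                            "expect to re-onboard the machine")
        elif offline_for > timedelta(days=CREDENTIAL_RENEWAL_DAYS):
            findings.append("offline past the 45-day renewal interval; "
                            "the agent cannot renew its credential while disconnected")

    agent = props.get("agentVersion", "0")
    if version_tuple(agent) < version_tuple(min_agent):
        findings.append(f"agent {agent} below baseline {min_agent}")

    missing = [t for t in REQUIRED_TAGS if t not in (machine.get("tags") or {})]
    if missing:
        findings.append("missing tags: " + ", ".join(missing))

    return findings


def audit_inventory(inventory: list[dict], now: datetime, min_agent: str) -> dict[str, list[str]]:
    """Map machine name -> findings for every machine that has at least one finding."""
    return {m["name"]: f for m in inventory if (f := check_machine(m, now, min_agent))}


def count_per_resource_group(inventory: list[dict]) -> dict[str, int]:
    """The instance limit applies per resource group, not per subscription,
    so this is the number to watch when onboarding at scale."""
    counts: dict[str, int] = {}
    for machine in inventory:
        counts[machine["resourceGroup"]] = counts.get(machine["resourceGroup"], 0) + 1
    return counts


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, NOW, MIN_AGENT_VERSION).items():
        print(f"{name}:")
        for finding in findings:
            print(f"  - {finding}")
    print("machines per resource group:", count_per_resource_group(SAMPLE_INVENTORY))
```

On the sample data, web01 produces no findings, db02 is reported as freshly disconnected and missing its owner tag, and legacy03 is reported as offline for 91 days (past the 90-day validity), on an outdated agent and untagged. Pipe a real `az connectedmachine list -o json` into `json.load` in place of `SAMPLE_INVENTORY` and replace `NOW` with the current UTC time to run it against a subscription.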

