The Arc of what is possible
Stephen Tulp
APAC Tech Strategist & Distinguished Technologist | Microsoft Azure MVP - Azure Infra as Code
One of the great things about working closely with Microsoft is getting access to private preview features and time with the engineering team. In return, we act as early testers and provide feedback on new functionality within Microsoft Azure.
In May I was involved in a Private Preview of a new feature, at the time known as the "Azure Hybrid Agent", that enabled non-Azure Windows and Linux workloads to appear and be managed as ARM objects within the Azure portal. Being under NDA meant I couldn't discuss it with customers, but thankfully it has now been released as a public preview under the banner of Azure Arc, so I can go through the value and capabilities it provides.
What is Azure Arc?
Azure Arc extends Azure management capabilities to Linux and Windows servers, as well as Kubernetes clusters that are hosted on infrastructure across on-premises, multi-cloud and edge environments. It enables a consistent and unified approach to managing different environments using established capabilities such as Azure Resource Manager, Microsoft Azure Cloud Shell, Azure portal, API, and Microsoft Azure Policy. Azure Arc also makes it easier to implement cloud security across environments with centralized role-based access control and security policies.
For this article, I am going to focus on number 1 as the others are coming soon.
What does it look like?
Let's take another cool hybrid solution, Azure File Sync (I will go into this solution in another post). We have a distributed environment with a file server in each of 3 locations, based on where the users are: one is an on-premises file server, one is a file server in AWS and the other is a file server in Azure.
All 3 servers have the Azure Arc agent installed on them and are visible in the Azure portal within a resource group that I have defined. We can also see that there are some tags that have been defined, with the cloud location showing us where the server is located.
Now let's take a look at the AWS virtual machine. Upon opening the ARM resource, we can see the familiar details like Activity Log, IAM, Tags, Policies, etc. There are also other details like OS and agent versions here.
Now let's take a look at what we can do with Azure Policy. Guest configuration policies, which are part of Azure Policy, use Desired State Configuration (DSC) modules to enable auditing within the virtual machines. Think of this as next-gen Group Policy and you get a fair idea of the capabilities it can provide.
Among the things we can do with these guest configurations is audit installed applications, pending reboots and members of the administrators group. Remediation of settings inside the VM isn't possible yet, but this is coming, and using the "DeployIfNotExists" effect will allow this to happen in the future.
Thinking ahead, what are the possibilities?
We have the ability to on-board Linux and Windows across Azure, on-premises and other cloud environments and have them appear in the Azure portal as ARM resources.
So what is next? Here are a couple of thoughts I have had on the direction it may take:
- Integration with Azure Bastion for RDP over HTTPS from the Azure portal for non-Azure virtual machines.
- Auto-Shutdown for non-Azure virtual machines.
- Billing metrics and Cost Management, where you can define figures for on-premises workloads.
I'm sure there are plenty more that others can think of and probably are already in the pipeline ;)
Associate Director | Agile, DevOps and Cloud Evangelist | MCT
5 years ago
I wasn’t sold that it had much real benefit yet but great seeing Nirmal Thewarathanthri’s demo a few weeks ago that covered using Azure policy for things like NIST compliance across a hybrid environment.
Great at asking "dumb" questions...Never the smartest person in the room.
5 years ago
Hopefully JIT, PIM etc as well!
Your Copilot for navigating the world of Hybrid Work and Employee Experience in the Era of AI
5 years ago
Shubham, Nirmal