Manage all your resources with Azure Arc

Today's IT environments combine on-premises infrastructure with several clouds, going multi-cloud both to assure continuity and to get the best option and budget from the different products on offer. In that setting it is easy to lose visibility, management and monitoring of all the workloads, and juggling many dashboards can become a nightmare. That is where Azure Arc comes in, as a tool that gives you a single pane of glass for all the workloads. Azure Arc acts as a bridge, connecting Azure's robust platform with various infrastructures. This provides you with the flexibility to operate applications and services across datacenters, at the edge, and in multi-cloud environments, all while maintaining centralized control.

Azure Arc provides a centralized, unified way to:

  • Manage your entire environment together by projecting your existing non-Azure and/or on-premises resources into Azure Resource Manager.
  • Manage virtual machines, Kubernetes clusters, and databases as if they are running in Azure.
  • Use familiar Azure services and management capabilities, regardless of where your resources live.
  • Continue using traditional ITOps while introducing DevOps practices to support new cloud native patterns in your environment.
  • Configure custom locations as an abstraction layer on top of Azure Arc-enabled Kubernetes clusters and cluster extensions.


Azure Arc Solution overview



Currently, Azure Arc allows you to manage the following resource types hosted outside of Azure:

  • Servers and virtual machines: Manage Windows and Linux physical servers and virtual machines hosted outside of Azure. Provision, resize, delete, and manage virtual machines based on Azure Local and on VMware vCenter or System Center Virtual Machine Manager managed on-premises environments.
  • Kubernetes clusters: Attach and configure Kubernetes clusters running anywhere, with multiple supported distributions.
  • Azure data services: Run Azure data services on-premises, at the edge, and in public clouds using Kubernetes and the infrastructure of your choice. SQL Managed Instance and PostgreSQL (preview) services are currently available.
  • SQL Server: Extend Azure services to SQL Server instances hosted outside of Azure.

As for pricing, the following Azure Arc control plane functionality is offered at no extra cost:

  • Resource organization through Azure management groups and tags
  • Searching and indexing through Azure Resource Graph
  • Access and security through Azure Role-based access control (RBAC)
  • Environments and automation through templates and extensions


The following Azure Arc-enabled VMware vSphere and System Center Virtual Machine Manager (SCVMM) capabilities are offered at no extra cost:

  • All the Azure Arc control plane functionalities that are offered at no extra cost with Azure Arc-enabled servers.
  • Discovery and single pane of glass inventory view of your VMware vCenter and SCVMM managed estate (VMs, templates, networks, datastores, clouds/clusters/hosts/resource pools).
  • Lifecycle (create, resize, update, and delete) and power cycle (start, stop, and restart) operations of VMs, including the ability to delegate self-service access for these operations using Azure role-based access control (RBAC).
  • Management of VMs using Azure portal, CLI, REST APIs, SDKs, and automation through Infrastructure as Code (IaC) templates such as ARM, Terraform, and Bicep.


Any Azure service that is used on Azure Arc-enabled equipment (servers, VMware vSphere and SCVMM VMs), such as Microsoft Defender for Cloud or Azure Monitor, will be charged as per the pricing for that service.


For the official documentation, we can go to:

Azure Arc overview

https://learn.microsoft.com/en-us/azure/azure-arc/overview


Azure Arc offers different services based on your existing IT infrastructure and management needs.

Before onboarding your resources to Azure Arc-enabled servers, you should investigate the different Azure Arc offerings to determine which best suits your requirements. Choosing the right Azure Arc service provides the best possible inventorying and management of your resources.


There are several different ways you can connect your existing Windows and Linux machines to Azure Arc:

  • Azure Arc-enabled servers
  • Azure Arc-enabled VMware vSphere
  • Azure Arc-enabled System Center Virtual Machine Manager (SCVMM)
  • Azure Local

Each of these services extends the Azure control plane to your existing infrastructure and enables the use of Azure security, governance, and management capabilities using the Connected Machine agent. Other services besides Azure Arc-enabled servers also use an Azure Arc resource bridge, a part of the core Azure Arc platform that provides self-servicing and additional management capabilities.

If you're unsure about which services to use, you can start with Azure Arc-enabled servers and add a resource bridge for additional management capabilities later. Azure Arc-enabled servers allow you to connect servers containing all of the types of VMs supported by the other services and provide a wide range of capabilities such as Azure Policy and monitoring, while adding a resource bridge can extend additional capabilities.


For the details and official documentation, we can go to:

Choosing the right Azure Arc service for machines

https://learn.microsoft.com/en-us/azure/azure-arc/choose-service



Protect your investment with Microsoft Defender


Once you have your workloads “Arc enabled”, many cloud services are available for them, like Microsoft Defender for Cloud.


Azure Arc and Defender


A machine that has Azure Arc-enabled servers becomes an Azure resource. When you install the Log Analytics agent on it, it appears in Defender for Cloud with recommendations, like your other Azure resources.

Azure Arc-enabled servers provide enhanced capabilities, such as enabling guest configuration policies on the machine and simplifying deployment with other Azure services.

After you connect Defender for Cloud to your Azure subscription, select Direct onboarding in the Environment Settings of Defender for Cloud to directly enable Defender for Cloud on your on-premises machines.


Defender console



Defender for Cloud collects data from your non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats. Some Defender plans require monitoring components to collect data from your workloads.

Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection.

To ensure your servers are secured and receive all the security content of Defender for Servers, verify that Defender for Endpoint (MDE) integration and agentless disk scanning are enabled on your subscriptions. This ensures you'll seamlessly be up to date and receive all the alternative deliverables once they're provided.

For the full documentation, we can go to:

Connect your non-Azure machines to Microsoft Defender for Cloud

https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines



Manage Updates and patches with Azure Update Manager.


Update Manager is a unified service to help manage and govern updates for all your machines (running a server operating system). You can monitor Windows and Linux update compliance across your machines in Azure, and on-premises or other cloud environments (connected by Azure Arc) from a single pane of management. You can also use Update Manager to make real-time updates or schedule them within a defined maintenance window.


You can use Update Manager for:

  • Unified update management
  • Flexible patching options
  • Security and compliance tracking
  • Periodic update assessments
  • Custom reporting and alerts
  • Granular access control
  • Software updates
  • Patching diverse resources


These features make Azure Update Manager a powerful tool for maintaining the security and performance of your IT infrastructure.

Update Manager assesses and applies updates to all Azure machines and Azure Arc-enabled servers for both Windows and Linux.


Azure Update Manager


When an Azure Update Manager (AUM) operation is enabled or triggered on your Azure or Arc-enabled server, AUM installs an Azure extension or an Arc-enabled servers extension, respectively, on your machine to manage the updates.

The extension is automatically installed on your machine when you initiate any Update Manager operation on it for the first time, such as Check for updates, Install one-time update or Periodic Assessment, or when a scheduled update deployment runs on your machine for the first time.

You don't have to install the extension explicitly: its lifecycle, including installation and configuration, is managed by Azure Update Manager. The Update Manager extension is installed and managed by using the agents, which are required for Update Manager to work on your machines:

For the full documentation, we can go to these links:

About Azure Update Manager

https://learn.microsoft.com/en-us/azure/update-manager/overview

How Update Manager works

https://learn.microsoft.com/en-us/azure/update-manager/workflow-update-manager?tabs=azure-vms%2Cupdate-win


And we can see a demo in this link:

Azure Arc Update Management

https://learn.microsoft.com/en-us/shows/it-ops-talk/azure-arc-update-management


Are you interested already?

You can get detailed instructions for different scenarios as well as videos of demos on this link:

Azure Arc Jumpstart

https://jumpstart.azure.com/


For the official page of Azure Arc, we can go to:

Azure Arc

https://azure.microsoft.com/en-us/products/azure-arc

And for the full documentation, we can go to:

Azure Arc documentation

https://learn.microsoft.com/en-us/azure/azure-arc/

Thanks for reading and I hope it is helpful for you.

Your comments are appreciated.


Mariano Carro Arrubarrena.

#cloudcapsules



