top of page

Azure Arc - Start Here

If you're looking for a basic, easy to follow guide to setup and use the Arc service in Azure, this is the page for you! Follow the steps below to associate a server with Azure Arc and apply a policy to it with Azure Policy.

What You'll Need

O.S. (of a VM you want to integrate with Arc)

  • Windows = 2012 R2+

  • Linux = 64bit (all major builds)

  • Ubuntu 16.04 / 18.04 LTS

  • CentOS Linux 7

  • SUSE Linux Enterprise Server 15

  • Red Hat Enterprise Linux 7

  • Amazon Linux 2

Permissions (Required to onboard to Arc)

  • 'Azure Connected Machine Onboarding' role + 'Azure Connected Machine Resource Administrator' role (to read, modify or delete a VM)

  • Note: Most admin accounts are assigned these roles by default

Firewall Requirements

  • The systems that you want to monitor have to be able to communicate with Arc/Azure

  • This is made possible using an agent, the agent talks over 443

Services you'll need in Azure

  • Azure subscription

  • Log Analytics Workspace (storage for the logs)

  • Azure Cloud Shell - so make sure that's setup first (storage mounted for PowerShell, small cost)

How to Setup

Register Azure Resource Providers

  • You're going to need to setup two things, Microsoft hybrid compute and guest configuations.

  • This is done via PowerShell (Azure Cloud Shell) by running the 3 commands below;

az account set --subscription subscription_name1

az provider register --namespace microsoft.hybridcompute

az provider register --namespace microsoft.guestconfiguration

Generate, Download and Run Scripts

  • You'll need separate scripts for Windows and Linux servers

  • Go to 'Azure Arc' in the Azure Portal (servers)

  • Click on 'add'

  • 'add servers using interactive script' 'generate script' (or you can use the 'at-scale' option)

  • Associate a subscription and Resource Group

  • Server details, region and O.S.

  • Tags for the script (if required)

  • Download and run script in PowerShell to deploy an agent

  • cd\folderwiththescriptinit

  • ./windowsonboardingscript.ps1

  • Note: You might need to 'Set Execution Policy' to run a .PS1

  • Authenticate - Enter code (You're siginign into the agent)

  • Check 'Connected' in Azure Arc in the Azure Portal

Using Azure Policy with Arc

  • Create a Log Analytics Workspace

  • Sub, RG, Name, Region, Price, 'PayG' (Per GiB), Tags

  • Create a Policy Assignment

  • 'Assignments', 'Assign a Policy'

  • Scope = Sub, Exclusions

  • Policy Definition = Definition Picker (~500 List of available definitions)

  • For example, 'Log Analytics agent should be installed on your Windows Azure Arc machines'

  • Assignment name/description

  • Enabled or Disabled (Policy enforcement)

  • Find non-complient machines

  • Policy

  • Assignments, non-compliant state VM names

Monitoring Virtual Machines

  • Again, requires a Log Analytics Workspace

  • Start collecting insights

  • Servers - Azure Arc (in Azure Portal)

  • Select one of the servers you have already onboarded/connected to Arc

  • Click on 'Insights' under 'Monitoring'

  • 'Enable' = Sub and Log Analytics Workspace (New or Existing)

  • Leave for 5-10 minutes to setup

What Insights Could I Get?

  1. Performance

  2. Interaction, Dependencies, Integrations, Mapping

  3. Health

  • Examples

  • Workbooks

  • Responsiveness

  • IPs for interactions (Ports in/out), Processes, RPC's, Terminal Services

  • Analysis / Dashboards - CPU, MB, IOPS

  • Malicious insights

bottom of page