Azure Automation State Configuration Overview
Azure Automation State Configuration is an Azure service that allows you to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations, import DSC Resources, and assign configurations to target nodes, all in the cloud.
Why use Azure Automation State Configuration
Azure Automation State Configuration provides several advantages over using DSC outside of Azure.
Built-in pull server
Azure Automation State Configuration provides a DSC pull server similar to the Windows Feature DSC-Service so that target nodes automatically receive configurations, conform to the desired state, and report back on their compliance. The built-in pull server in Azure Automation eliminates the need to set up and maintain your own pull server. Azure Automation can target virtual or physical Windows or Linux machines, in the cloud or on-premises.
Management of all your DSC artifacts
Azure Automation State Configuration brings the same management layer to PowerShell Desired State Configuration as Azure Automation offers for PowerShell scripting.
From the Azure portal, or from PowerShell, you can manage all your DSC configurations, resources, and target nodes.
Import reporting data into Azure Monitor logs
Nodes that are managed with Azure Automation State Configuration send detailed reporting status data to the built-in pull server. You can configure Azure Automation State Configuration to send this data to your Log Analytics workspace. To learn how to send State Configuration status data to your Log Analytics workspace, see Forward Azure Automation State Configuration reporting data to Azure Monitor logs.
Please consider the following requirements when using Azure Automation State Configuration (DSC).
Operating System Requirements
For nodes running Windows, the following versions are supported:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012R2
- Windows Server 2012
- Windows Server 2008 R2 SP1
- Windows 10
- Windows 8.1
- Windows 7
The Microsoft Hyper-V Server standalone product SKU does not contain an implementation of Desired State Configuration, so it cannot be managed by PowerShell DSC or Azure Automation State Configuration.
For nodes running Linux, the following distros/versions are supported:
The DSC Linux extension supports all the Linux distributions endorsed on Azure except:
For all Linux nodes running in Azure, PowerShell DSC for Linux will be installed during onboarding.
Configure private networks
If your nodes are located within a private network, the following port and URLs are required for State Configuration (DSC) to communicate with Automation:
- Port: Only TCP 443 is required for outbound internet access.
- Global URL: *.azure-automation.net
- Global URL of US Gov Virginia: *.azure-automation.us
- Agent service: https://<workspaceId>.agentsvc.azure-automation.net
This provides network connectivity for the managed node to communicate with Azure Automation. If you are using DSC resources that communicate between nodes, such as the WaitFor* resources, you will also need to allow traffic between nodes. See the documentation for each DSC resource to understand those network requirements.
Proxy support for the DSC agent is available in Windows version 1809 and later. To configure this option, set the value for ProxyURL and ProxyCredential in the metaconfiguration script used to register nodes. Proxy is not available in DSC for previous versions of Windows.
For Linux nodes, the DSC agent supports a proxy and uses the http_proxy variable to determine the URL.
Azure State Configuration network ranges and namespace
It's recommended to use the addresses listed when defining exceptions. For IP addresses you can download the Microsoft Azure Datacenter IP Ranges. This file is updated weekly, and has the currently deployed ranges and any upcoming changes to the IP ranges.
If you have an Automation account that's defined for a specific region, you can restrict communication to that regional datacenter. The following table provides the DNS record for each region:
|Region|DNS record|
|---|---|
|West Central US|wcus-jobruntimedata-prod-su1.azure-automation.net|
|South Central US|scus-jobruntimedata-prod-su1.azure-automation.net|
|East US 2|eus2-jobruntimedata-prod-su1.azure-automation.net|
|South East Asia|sea-jobruntimedata-prod-su1.azure-automation.net|
|Australia South East|ase-jobruntimedata-prod-su1.azure-automation.net|
|US Gov Virginia|usge-jobruntimedata-prod-su1.azure-automation.us|
For a list of region IP addresses instead of region names, download the Azure Datacenter IP address XML file from the Microsoft Download Center.
The Azure Datacenter IP address XML file lists the IP address ranges that are used in the Microsoft Azure datacenters. The file includes compute, SQL, and storage ranges.
An updated file is posted weekly. The file reflects the currently deployed ranges and any upcoming changes to the IP ranges. New ranges that appear in the file aren't used in the datacenters for at least one week.
It's a good idea to download the new XML file every week. Then, update your site to correctly identify services running in Azure. Azure ExpressRoute users should note that this file is used to update the Border Gateway Protocol (BGP) advertisement of Azure space in the first week of each month.
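The following is an added example, not part of the original documentation. It audits an egress allow-list against the requirements described above (TCP 443 only, the regional DNS record, and the agent service host). The rule objects, the all-zero workspace ID and the function names `Test-DscEgressCoverage` and `Get-DscEgressFinding` are assumptions made for illustration.

```powershell
# Added example. Every rule and the workspace ID below are constructed placeholders.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'

# What an East US 2 node needs, per this page: TCP 443 to two hosts.
$Required = @(
    [pscustomobject]@{ Purpose = 'Regional DNS record'; Fqdn = 'eus2-jobruntimedata-prod-su1.azure-automation.net'; Port = 443 }
    [pscustomobject]@{ Purpose = 'Agent service';       Fqdn = "$WorkspaceId.agentsvc.azure-automation.net";        Port = 443 }
)

# Constructed egress rules, shaped like a firewall export (name, FQDN pattern, protocol, port).
$Rules = @(
    [pscustomobject]@{ Name = 'dsc-regional'; Pattern = 'wcus-jobruntimedata-prod-su1.azure-automation.net'; Protocol = 'TCP'; Port = 443 }
    [pscustomobject]@{ Name = 'dsc-agent';    Pattern = "$WorkspaceId.agentsvc.azure-automation.net";        Protocol = 'TCP'; Port = 443 }
    [pscustomobject]@{ Name = 'dsc-legacy';   Pattern = '*.azure-automation.net';                            Protocol = 'TCP'; Port = 80 }
)

function Test-DscEgressCoverage {
    # For each required endpoint, report whether any rule allows it and which one.
    param([Parameter(Mandatory)][object[]]$Required, [Parameter(Mandatory)][object[]]$Rules)
    foreach ($ep in $Required) {
        $hits = @($Rules | Where-Object {
            $_.Protocol -eq 'TCP' -and $_.Port -eq $ep.Port -and $ep.Fqdn -like $_.Pattern
        })
        [pscustomobject]@{
            Purpose   = $ep.Purpose
            Fqdn      = $ep.Fqdn
            Allowed   = $hits.Count -gt 0
            MatchedBy = ($hits | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

function Get-DscEgressFinding {
    # Flag Automation rules that grant more than the page requires.
    param([Parameter(Mandatory)][object[]]$Rules, [Parameter(Mandatory)][object[]]$Required)
    foreach ($rule in ($Rules | Where-Object { $_.Pattern -like '*azure-automation.*' })) {
        if ($rule.Port -ne 443) {
            [pscustomobject]@{ Rule = $rule.Name; Finding = "Port $($rule.Port) is not needed; only TCP 443 is required" }
        }
        if (-not ($Required | Where-Object { $_.Fqdn -like $rule.Pattern })) {
            [pscustomobject]@{ Rule = $rule.Name; Finding = 'Matches no endpoint this node needs (wrong region or stale rule)' }
        }
    }
}

Test-DscEgressCoverage -Required $Required -Rules $Rules | Format-Table -AutoSize
Get-DscEgressFinding   -Required $Required -Rules $Rules | Format-Table -AutoSize
```

With the constructed rules, the East US 2 regional record is reported as not allowed, because the only regional rule names West Central US and the wildcard rule opens port 80 rather than 443.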
- To get started, see Getting started with Azure Automation State Configuration
- To learn how to onboard nodes, see Onboarding machines for management by Azure Automation State Configuration
- To learn about compiling DSC configurations so that you can assign them to target nodes, see Compiling configurations in Azure Automation State Configuration
- For PowerShell cmdlet reference, see Azure Automation State Configuration cmdlets
- For pricing information, see Azure Automation State Configuration pricing
- To see an example of using Azure Automation State Configuration in a continuous deployment pipeline, see Continuous Deployment Using Azure Automation State Configuration and Chocolatey