Azure Automation State Configuration Overview

Azure Automation State Configuration is an Azure service that allows you to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations, import DSC Resources, and assign configurations to target nodes, all in the cloud.

Why use Azure Automation State Configuration

Azure Automation State Configuration provides several advantages over using DSC outside of Azure.

Built-in pull server

Azure Automation State Configuration provides a DSC pull server similar to the Windows Feature DSC-Service so that target nodes automatically receive configurations, conform to the desired state, and report back on their compliance. The built-in pull server in Azure Automation eliminates the need to set up and maintain your own pull server. Azure Automation can target virtual or physical Windows or Linux machines, in the cloud or on-premises.

Management of all your DSC artifacts

Azure Automation State Configuration brings the same management layer to PowerShell Desired State Configuration as Azure Automation offers for PowerShell scripting.

From the Azure portal, or from PowerShell, you can manage all your DSC configurations, resources, and target nodes.


Import reporting data into Log Analytics

Nodes that are managed with Azure Automation State Configuration send detailed reporting status data to the built-in pull server. You can configure Azure Automation State Configuration to send this data to your Log Analytics workspace. To learn how to send State Configuration status data to your Log Analytics workspace, see Forward Azure Automation State Configuration reporting data to Log Analytics.

Configure your network

The following port and URLs are required for State Configuration (DSC) to communicate with Automation:

  • Port: Only TCP 443 is required for outbound internet access.
  • Global URL: *.azure-automation.net
  • Global URL of US Gov Virginia: *.azure-automation.us
  • Agent service: https://<workspaceId>.agentsvc.azure-automation.net

It's recommended to use the addresses listed when defining exceptions. For IP addresses, you can download the Microsoft Azure Datacenter IP Ranges. This file is updated weekly and lists the currently deployed ranges and any upcoming changes to the IP ranges.

If you have an Automation account that's defined for a specific region, you can restrict communication to that regional datacenter. The following table provides the DNS record for each region:

Region                 DNS record
West Central US        wcus-jobruntimedata-prod-su1.azure-automation.net
                       wcus-agentservice-prod-1.azure-automation.net
South Central US       scus-jobruntimedata-prod-su1.azure-automation.net
                       scus-agentservice-prod-1.azure-automation.net
East US 2              eus2-jobruntimedata-prod-su1.azure-automation.net
                       eus2-agentservice-prod-1.azure-automation.net
Canada Central         cc-jobruntimedata-prod-su1.azure-automation.net
                       cc-agentservice-prod-1.azure-automation.net
West Europe            we-jobruntimedata-prod-su1.azure-automation.net
                       we-agentservice-prod-1.azure-automation.net
North Europe           ne-jobruntimedata-prod-su1.azure-automation.net
                       ne-agentservice-prod-1.azure-automation.net
South East Asia        sea-jobruntimedata-prod-su1.azure-automation.net
                       sea-agentservice-prod-1.azure-automation.net
Central India          cid-jobruntimedata-prod-su1.azure-automation.net
                       cid-agentservice-prod-1.azure-automation.net
Japan East             jpe-jobruntimedata-prod-su1.azure-automation.net
                       jpe-agentservice-prod-1.azure-automation.net
Australia South East   ase-jobruntimedata-prod-su1.azure-automation.net
                       ase-agentservice-prod-1.azure-automation.net
UK South               uks-jobruntimedata-prod-su1.azure-automation.net
                       uks-agentservice-prod-1.azure-automation.net
US Gov Virginia        usge-jobruntimedata-prod-su1.azure-automation.us
                       usge-agentservice-prod-1.azure-automation.us

For a list of region IP addresses instead of region names, download the Azure Datacenter IP address XML file from the Microsoft Download Center.

Note

The Azure Datacenter IP address XML file lists the IP address ranges that are used in the Microsoft Azure datacenters. The file includes compute, SQL, and storage ranges.

An updated file is posted weekly. The file reflects the currently deployed ranges and any upcoming changes to the IP ranges. New ranges that appear in the file aren't used in the datacenters for at least one week.

It's a good idea to download the new XML file every week. Then, update your site to correctly identify services running in Azure. Azure ExpressRoute users should note that this file is used to update the Border Gateway Protocol (BGP) advertisement of Azure space in the first week of each month.
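The port, global URL and regional DNS rules above can be checked against observed outbound connections before they are turned into firewall exceptions. The following is an added example, not code from the original page or from Microsoft: the function names and the sample connection list are constructed, only four regions from the table are included, and region mode is assumed to permit exactly the two DNS records listed for that region.

```python
# Added example: egress allowlist check for State Configuration traffic.
# Region prefixes and DNS suffixes are copied from the table above.
REGION_PREFIX = {
    "West Central US": ("wcus", "azure-automation.net"),
    "West Europe": ("we", "azure-automation.net"),
    "UK South": ("uks", "azure-automation.net"),
    "US Gov Virginia": ("usge", "azure-automation.us"),
}
GLOBAL_SUFFIXES = ("azure-automation.net", "azure-automation.us")


def regional_hosts(region):
    """Return the two DNS records the table lists for a region."""
    prefix, suffix = REGION_PREFIX[region]
    return {
        f"{prefix}-jobruntimedata-prod-su1.{suffix}",
        f"{prefix}-agentservice-prod-1.{suffix}",
    }


def matches_global(host):
    """True only for a real subdomain of a global URL (*.suffix).

    Matching on '.' + suffix keeps look-alikes such as
    'notazure-automation.net' from passing a naive endswith() test.
    """
    host = host.lower().rstrip(".")
    return any(host.endswith("." + s) for s in GLOBAL_SUFFIXES)


def classify(host, port, region=None):
    """Classify one outbound connection against the documented rules."""
    if port != 443:  # only TCP 443 is required
        return "deny: port"
    if region is not None:  # Automation account pinned to one region
        ok = host.lower().rstrip(".") in regional_hosts(region)
        return "allow" if ok else "deny: outside region"
    return "allow" if matches_global(host) else "deny: host"


# Constructed sample of outbound connections (host, port), not real logs.
SAMPLE = [
    ("we-agentservice-prod-1.azure-automation.net", 443),
    ("eus2-jobruntimedata-prod-su1.azure-automation.net", 443),
    ("we-jobruntimedata-prod-su1.azure-automation.net", 80),
    ("we-agentservice-prod-1.azure-automation.net.example.test", 443),
    ("notazure-automation.net", 443),
]


def audit(region=None):
    """Classify every sample connection; region=None applies the global URLs."""
    return [(h, p, classify(h, p, region)) for h, p in SAMPLE]
```

Calling `audit()` applies the global wildcard rule, while `audit("West Europe")` shows which of the same connections a region-restricted rule set would stop.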

Introduction video

Prefer watching to reading? Have a look at the following video from May 2015, when Azure Automation State Configuration was first announced.

Note

While the concepts and life cycle discussed in this video are correct, Azure Automation State Configuration has progressed a lot since this video was recorded. It is now generally available, has a much more extensive UI in the Azure portal, and supports many additional capabilities.

[!VIDEO https://channel9.msdn.com/Events/Ignite/2015/BRK3467/player]

Next steps