What is Azure Arc-enabled servers?
Azure Arc-enabled servers enables you to manage your Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud provider. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID enabling the machine to be included in a resource group. Now you can benefit from standard Azure constructs, such as Azure Policy and applying tags. Service providers managing a customer's on-premises infrastructure can manage their hybrid machines, just like they do today with native Azure resources, across multiple customer environments using Azure Lighthouse.
To deliver this experience with your hybrid machines, you need to install the Azure Connected Machine agent on each machine. This agent does not deliver any other functionality, and it doesn't replace the Azure Log Analytics agent. The Log Analytics agent for Windows and Linux is required when:
- You want to proactively monitor the OS and workloads running on the machine,
- Manage it using Automation runbooks or solutions like Update Management, or
- Use other Azure services like Microsoft Defender for Cloud.
Supported cloud operations
When you connect your machine to Azure Arc-enabled servers, it enables the ability for you to perform the following operational functions as described in the following table.
|Azure Policy||Assign Azure Policy guest configurations to audit settings inside the machine. To understand the cost of using Azure Policy Guest Configuration policies with Arc-enabled servers, see Azure Policy pricing guide|
|Microsoft Defender for Cloud||Protect non-Azure servers with Microsoft Defender for Endpoint, included through Microsoft Defender for Cloud, for threat detection, for vulnerability management, and to proactively monitor for potential security threats. Microsoft Defender for Cloud presents the alerts and remediation suggestions from the threats detected.|
|Microsoft Sentinel||Machines connected to Arc-enabled servers can be configured with Microsoft Sentinel to collect security-related events and correlate them with other data sources.|
|Azure Automation||Automate frequent and time-consuming management tasks using PowerShell and Python runbooks.
Assess configuration changes about installed software, Microsoft services, Windows registry and files, and Linux daemons using Change Tracking and Inventory.
Use Update Management to manage operating system updates for your Windows and Linux servers.
|Azure Automanage (preview)||Automate onboarding and configuration of a set of Azure services when you use Automanage Machine for Arc-enabled servers.|
|VM extensions||Provides post-deployment configuration and automation tasks using supported Arc-enabled servers VM extensions for your non-Azure Windows or Linux machine.|
|Azure Monitor||Monitor the connected machine guest operating system performance, and discover application components to monitor their processes and dependencies with other resources using VM insights. Collect other log data, such as performance data and events, from the operating system or workload(s) running on the machine with the Log Analytics agent. This data is stored in a Log Analytics workspace.|
At this time, enabling Azure Automation Update Management directly from an Azure Arc-enabled server is not supported. See Enable Update Management from your Automation account to understand requirements and how to enable for your server.
Log data collected and stored in a Log Analytics workspace from the hybrid machine now contains properties specific to the machine, such as a Resource ID, to support resource-context log access.
This service supports Azure Lighthouse, which lets service providers sign in to their own tenant to manage subscriptions and resource groups that customers have delegated.
To learn more about how Azure Arc-enabled servers can be used to implement Azure monitoring, security, and update services across hybrid and multicloud environments, see the following video.
For a definitive list of supported regions with Azure Arc-enabled servers, see the Azure products by region page.
In most cases, the location you select when you create the installation script should be the Azure region geographically closest to your machine's location. Data at rest is stored within the Azure geography containing the region you specify, which may also affect your choice of region if you have data residency requirements. If the Azure region your machine connects to is affected by an outage, the connected machine is not affected, but management operations using Azure may be unable to complete. If there is a regional outage, and if you have multiple locations that support a geographically redundant service, it is best to connect the machines in each location to a different Azure region.
The following metadata information about the connected machine is collected and stored in the region where the Azure Arc machine resource is configured:
- Operating system name and version
- Computer name
- Computer fully qualified domain name (FQDN)
- Connected Machine agent version
For example, if the machine is registered with Azure Arc in the East US region, this data is stored in the US region.
Azure Arc-enabled servers support the management of physical servers and virtual machines hosted outside of Azure. For specific details of which hybrid cloud environments hosting VMs are supported, see Connected Machine agent prerequisites.
Azure Arc-enabled servers is not designed or supported to enable management of virtual machines running in Azure.
The Connected Machine agent sends a regular heartbeat message to the service every 5 minutes. If the service stops receiving these heartbeat messages from a machine, that machine is considered offline and the status will automatically be changed to Disconnected in the portal within 15 to 30 minutes. Upon receiving a subsequent heartbeat message from the Connected Machine agent, its status will automatically be changed to Connected.
Azure Arc-enabled servers has a limit for the number of instances that can be created in each resource group. It does not have any limits at the subscription or service level. To learn about what resource type limits exist, see the Resource instance limit article.
Before evaluating or enabling Azure Arc-enabled servers across multiple hybrid machines, review Connected Machine agent overview to understand requirements, technical details about the agent, and deployment methods.
Review the Planning and deployment guide to plan for deploying Azure Arc-enabled servers at any scale and implement centralized management and monitoring.