What is Azure Arc for servers (preview)

Azure Arc for servers (preview) allows you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud provider, similarly to how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID, is managed as part of a resource group inside a subscription, and benefits from standard Azure constructs such as Azure Policy and applying tags.

To deliver this experience with your hybrid machines hosted outside of Azure, the Azure Connected Machine agent needs to be installed on each machine that you plan on connecting to Azure. This agent does not deliver any other functionality, and it doesn't replace the Azure Log Analytics agent. The Log Analytics agent for Windows and Linux is required when you want to proactively monitor the OS and workloads running on the machine, manage it using Automation runbooks or solutions like Update Management, or use other Azure services like Azure Security Center.

Note

This preview release is intended for evaluation purposes and we recommend you don't manage critical production machines.

Supported scenarios

Azure Arc for servers (preview) supports the following scenarios with connected machines:

  • Assign Azure Policy guest configurations using the same experience as policy assignment for Azure virtual machines.
  • Log data collected by the Log Analytics agent and stored in the Log Analytics workspace that the machine is registered with now includes machine-specific properties, such as the Resource ID. These properties can be used to support resource-context log access, where a user sees only the logs of the machines they have access to in Azure rather than the whole workspace.

Supported regions

With Azure Arc for servers (preview), only certain regions are supported:

  • WestUS2
  • WestEurope
  • SoutheastAsia

In most cases, the location you select when you create the installation script should be the Azure region geographically closest to your machine's location. Data at rest will be stored within the Azure geography containing the region you specify, which may also affect your choice of region if you have data residency requirements. If the Azure region your machine is connected to is affected by an outage, the connected machine is not affected, but management operations using Azure may be unable to complete. For resilience in the event of a regional outage, if you have multiple locations which provide a geographically-redundant service, it is best to connect the machines in each location to a different Azure region.

Prerequisites

Supported operating systems

The following versions of the Windows and Linux operating system are officially supported for the Azure Connected Machine agent:

  • Windows Server 2012 R2 and higher (including Windows Server Core)
  • Ubuntu 16.04 and 18.04
  • CentOS Linux 7
  • SUSE Linux Enterprise Server (SLES) 15
  • Red Hat Enterprise Linux (RHEL) 7
  • Amazon Linux 2

Note

This preview release of the Connected Machine agent for Windows only supports Windows Server configured to use the English language.

Required permissions

  • To onboard machines, you must be a member of the Azure Connected Machine Onboarding role.

  • To read, modify, re-onboard, and delete a machine, you must be a member of the Azure Connected Machine Resource Administrator role.

Grant the identity that performs onboarding (a user or a service principal) only the Onboarding role, and reserve the Resource Administrator role for operators who need to modify or delete connected machines.

Azure subscription and service limits

Before configuring your machines with Azure Arc for servers (preview), you should review the Azure Resource Manager subscription limits and resource group limits to plan for the number of machines to be connected.

TLS 1.2 protocol

To ensure the security of data in transit to Azure, we strongly encourage you to configure each machine to use Transport Layer Security (TLS) 1.2. Older versions of TLS and Secure Sockets Layer (SSL) have known vulnerabilities; they still work for backwards compatibility, but they are not recommended.

  • Linux: Linux distributions tend to rely on OpenSSL for TLS 1.2 support. Check the OpenSSL changelog to confirm that your version of OpenSSL supports TLS 1.2 (it was added in OpenSSL 1.0.1).
  • Windows Server 2012 R2 and higher: Supported and enabled by default. Confirm that the Schannel protocol registry settings on the machine have not been changed from the defaults, for example by a hardening script or Group Policy.

Networking Configuration

The Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. If the machine connects through a firewall or proxy server to communicate over the Internet, review the requirements below to understand the network configuration that is needed.

If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs listed below are not blocked. If you only allow the IP ranges or domain names required for the agent to communicate with the service, you must also allow access to the following Service Tags and URLs.

Service Tags:

  • AzureActiveDirectory
  • AzureTrafficManager

URLs:

  • management.azure.com: Azure Resource Manager
  • login.windows.net: Azure Active Directory
  • dc.services.visualstudio.com: Application Insights
  • agentserviceapi.azure-automation.net: Guest Configuration
  • *-agentservice-prod-1.azure-automation.net: Guest Configuration
  • *.his.hybridcompute.azure-automation.net: Hybrid Identity Service

For a list of IP addresses for each service tag/region, see the JSON file - Azure IP Ranges and Service Tags – Public Cloud. Microsoft publishes weekly updates containing each Azure Service and the IP ranges it uses. For more information, review Service tags.

The URLs listed above are required in addition to the Service Tag IP address ranges because most of the services involved do not currently have a Service Tag registration, so their IP addresses are subject to change. If IP address ranges are required for your firewall configuration, use the AzureCloud Service Tag to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs; allow them as you would other Internet traffic.
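The following script is an added example (it is not Microsoft's code and not part of the Connected Machine agent) that turns the networking and TLS 1.2 requirements above into something checkable: it pulls the address prefixes of the two required Service Tags out of a file in the schema of the Azure IP Ranges and Service Tags JSON, matches hostnames against the required URL list with the two wildcard entries anchored at the end of the name so that lookalike domains are rejected, and builds a client TLS context that refuses anything older than TLS 1.2. The service-tag JSON embedded below is a constructed sample using RFC 5737 and RFC 3849 documentation ranges, not real Azure ranges; the rule that a leading `*` matches exactly one DNS label, the `openssl_supports_tls12` threshold of OpenSSL 1.0.1, and the `--probe` flag are this script's own assumptions.

```python
"""Allowlist builder and checker for the Connected Machine agent's outbound
traffic. Added example, not Microsoft's code. SAMPLE_SERVICE_TAGS_JSON is a
CONSTRUCTED sample in the schema of the published Service Tags file; its
prefixes are documentation ranges. Replace it with the real file in use."""
import ipaddress
import json
import socket
import ssl
import sys

SAMPLE_SERVICE_TAGS_JSON = """
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureActiveDirectory", "id": "AzureActiveDirectory",
     "properties": {"region": "", "platform": "Azure", "systemService": "AzureAD",
                    "addressPrefixes": ["192.0.2.0/24", "2001:db8:1::/48"]}},
    {"name": "AzureTrafficManager", "id": "AzureTrafficManager",
     "properties": {"region": "", "platform": "Azure", "systemService": "AzureTrafficManager",
                    "addressPrefixes": ["198.51.100.0/25", "198.51.100.128/25"]}},
    {"name": "Storage.WestUS2", "id": "Storage.WestUS2",
     "properties": {"region": "westus2", "platform": "Azure", "systemService": "AzureStorage",
                    "addressPrefixes": ["203.0.113.0/24"]}}
  ]
}
"""

# Service Tags and hostnames the page lists as required for the agent.
REQUIRED_TAGS = ("AzureActiveDirectory", "AzureTrafficManager")
REQUIRED_HOSTS = (
    "management.azure.com",
    "login.windows.net",
    "dc.services.visualstudio.com",
    "agentserviceapi.azure-automation.net",
    "*-agentservice-prod-1.azure-automation.net",
    "*.his.hybridcompute.azure-automation.net",
)
MIN_TLS = ssl.TLSVersion.TLSv1_2


def load_service_tags(text):
    """Parse the Service Tags JSON document."""
    return json.loads(text)


def prefixes_for_tags(doc, tags):
    """Address prefixes of the named tags, validated, deduplicated, sorted
    (IPv4 first). Raises if a required tag is absent from the file."""
    wanted = set(tags)
    present = {entry["name"] for entry in doc["values"]}
    missing = wanted - present
    if missing:
        raise KeyError("service tags not in file: " + ", ".join(sorted(missing)))
    found = set()
    for entry in doc["values"]:
        if entry["name"] in wanted:
            for prefix in entry["properties"]["addressPrefixes"]:
                found.add(ipaddress.ip_network(prefix))  # rejects malformed prefixes
    return [str(n) for n in sorted(found, key=lambda n: (n.version, n))]


def host_allowed(host, patterns=REQUIRED_HOSTS):
    """True if host matches an allowlist entry. ASSUMPTION: a leading '*'
    stands for exactly one DNS label, and the remainder must match the end
    of the name, so 'login.windows.net.attacker.example' is rejected."""
    host = host.rstrip(".").lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*"):
            suffix = pattern[1:]
            if host.endswith(suffix):
                label = host[: -len(suffix)]
                if label and "." not in label:
                    return True
        elif host == pattern:
            return True
    return False


def openssl_supports_tls12(version_info=ssl.OPENSSL_VERSION_INFO):
    """TLS 1.2 support arrived in OpenSSL 1.0.1; older builds cannot comply."""
    return tuple(version_info[:3]) >= (1, 0, 1)


def tls12_client_context():
    """Client context that refuses anything below TLS 1.2 and keeps
    certificate and hostname verification enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


def probe(host, port=443, timeout=5):
    """Connect to host with the TLS 1.2+ context and return the negotiated
    protocol version (needs outbound Internet access)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with tls12_client_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    doc = load_service_tags(SAMPLE_SERVICE_TAGS_JSON)
    for prefix in prefixes_for_tags(doc, REQUIRED_TAGS):
        print("allow", prefix, "tcp/443")
    for name in REQUIRED_HOSTS:
        print("allow", name, "tcp/443")
    print("local OpenSSL supports TLS 1.2:", openssl_supports_tls12())
    if "--probe" in sys.argv:  # live check, only when explicitly requested
        for name in REQUIRED_HOSTS:
            if "*" not in name:
                print(name, probe(name))
```

Run it without arguments to print the allowlist derived from the embedded sample; point `load_service_tags` at the real Service Tags file to get the current ranges, and add `--probe` on a machine with Internet access to confirm that each fixed hostname is reachable on 443 and negotiates TLS 1.2 or later through your proxy.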

Register Azure resource providers

Azure Arc for servers (preview) depends on the following Azure resource providers in your subscription in order to use this service:

  • Microsoft.HybridCompute
  • Microsoft.GuestConfiguration

If they are not registered, you can register them using the following commands:

Azure PowerShell:

Login-AzAccount
Set-AzContext -SubscriptionId [subscription you want to onboard]
Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration

Azure CLI:

az account set --subscription "{Your Subscription Name}"
az provider register --namespace 'Microsoft.HybridCompute'
az provider register --namespace 'Microsoft.GuestConfiguration'

You can also register the resource providers in the Azure portal, under the subscription's Resource providers settings.

Connected Machine agent

You can download the Azure Connected Machine agent package for Windows and Linux from the locations listed below.

Note

During this preview, only one package has been released, which is suitable for Ubuntu 16.04 or 18.04.

The Azure Connected Machine agent for Windows and Linux can be upgraded to the latest release manually or automatically, depending on your requirements. For more information, see the agent upgrade documentation.

Agent status

The Connected Machine agent sends a regular heartbeat message to the service every 5 minutes. If the service stops receiving these heartbeat messages from a machine, that machine is considered offline and the status will automatically be changed to Disconnected in the portal within 15 to 30 minutes. Upon receiving a subsequent heartbeat message from the Connected Machine agent, its status will automatically be changed to Connected.
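A machine that has gone Disconnected is also a machine that is no longer receiving policy or producing logs, so it is worth alerting on rather than waiting to notice it in the portal. The script below is an added example, not Microsoft's code: it reads constructed heartbeat log lines in a made-up `<timestamp> machine <name> heartbeat` format (an assumption, not the agent's real log format), reports machines silent for longer than a grace period derived from the page's 5-minute interval and 30-minute upper bound, and reconstructs past outages from gaps between consecutive heartbeats.

```python
"""Heartbeat-gap detection for Connected Machine agents. Added example, not
Microsoft's code. SAMPLE_LOG and its line format are CONSTRUCTED; adapt
heartbeats_by_machine() to whatever source actually records the heartbeats."""
from datetime import datetime, timedelta, timezone
import re

HEARTBEAT_INTERVAL = timedelta(minutes=5)   # from the page
GRACE = timedelta(minutes=30)               # upper bound the page gives before Disconnected

SAMPLE_LOG = """\
2020-01-15T09:00:00Z machine web01 heartbeat
2020-01-15T09:05:00Z machine web01 heartbeat
2020-01-15T09:10:00Z machine web01 heartbeat
2020-01-15T09:00:00Z machine db01 heartbeat
2020-01-15T09:40:00Z machine web01 heartbeat
2020-01-15T09:45:00Z machine web01 heartbeat
2020-01-15T09:30:00Z machine app02 heartbeat
this line is noise and must be ignored
"""

LINE_RE = re.compile(r"^(\S+) machine (\S+) heartbeat$")


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp like 2020-01-15T09:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def heartbeats_by_machine(text):
    """Return {machine: sorted list of heartbeat times}, skipping unparseable lines."""
    seen = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            seen.setdefault(match.group(2), []).append(parse_ts(match.group(1)))
    return {name: sorted(stamps) for name, stamps in seen.items()}


def last_heartbeat(text):
    """Return {machine: most recent heartbeat time}."""
    return {name: stamps[-1] for name, stamps in heartbeats_by_machine(text).items()}


def stale_machines(last_seen, now, grace=GRACE):
    """Machines silent for longer than grace, mapped to how many expected
    heartbeats have been missed. A silence of exactly grace is not yet stale."""
    stale = {}
    for name, ts in last_seen.items():
        silence = now - ts
        if silence > grace:
            stale[name] = silence // HEARTBEAT_INTERVAL
    return stale


def historical_gaps(text, threshold=3 * HEARTBEAT_INTERVAL):
    """(machine, last beat before gap, first beat after gap) for every pause
    between consecutive heartbeats longer than threshold."""
    gaps = []
    by_machine = heartbeats_by_machine(text)
    for name in sorted(by_machine):
        stamps = by_machine[name]
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > threshold:
                gaps.append((name, earlier, later))
    return gaps


if __name__ == "__main__":
    now = parse_ts("2020-01-15T10:00:00Z")   # fixed "now" so the sample is reproducible
    for name, missed in stale_machines(last_heartbeat(SAMPLE_LOG), now).items():
        print(f"ALERT {name}: no heartbeat, about {missed} beats missed")
    for name, start, end in historical_gaps(SAMPLE_LOG):
        print(f"past outage {name}: {start.isoformat()} -> {end.isoformat()}")
```

With the sample data and a fixed "now" of 10:00 UTC, db01 (last seen 09:00) is flagged with 12 missed heartbeats, app02 (last seen 09:30) sits exactly at the 30-minute boundary and is not yet flagged, and web01 shows one past 30-minute outage between 09:10 and 09:40 despite being healthy now.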

Install and configure agent

Connecting machines in your hybrid environment directly with Azure can be accomplished using different methods depending on your requirements. The following table highlights each method to determine which works best for your organization.

  • Interactively: Manually install the agent on a single machine or a small number of machines by following the steps in Connect machines from the Azure portal. From the Azure portal, you can generate a script and run it on the machine to automate the agent install and configuration steps.
  • At scale: Install and configure the agent on multiple machines by following Connect machines using a service principal. This method creates a service principal so that machines can be connected non-interactively; give that service principal only the Azure Connected Machine Onboarding role.
  • At scale: Install and configure the agent on multiple machines by following Using Windows PowerShell DSC. This method uses a service principal to connect machines non-interactively with PowerShell DSC.

Next steps