Manage hybrid infrastructure at scale with Azure Arc

Azure Lighthouse can help service providers use Azure Arc to manage customers' hybrid environments, with visibility across all managed Azure Active Directory (Azure AD) tenants.

Azure Arc helps simplify complex and distributed environments across on-premises, edge and multicloud, enabling deployment of Azure services anywhere and extending Azure management to any infrastructure.

With Azure Arc–enabled servers, customers can manage any Windows and Linux machines hosted outside of Azure on their corporate network, in the same way they manage native Azure virtual machines. By linking a hybrid machine to Azure, it becomes connected and is treated as a resource in Azure. Service providers can then manage these non-Azure machines along with their customers' Azure resources.

Azure Arc–enabled Kubernetes lets customers attach and configure Kubernetes clusters inside or outside of Azure. When a Kubernetes cluster is attached to Azure Arc, it will appear in the Azure portal, with an Azure Resource Manager ID and a managed identity. Clusters are attached to standard Azure subscriptions, are located in a resource group, and can receive tags just like any other Azure resource.

This topic provides an overview of how to use Azure Arc–enabled servers and Azure Arc–enabled Kubernetes in a scalable way across the customer tenants you manage.

Tip

Though we refer to service providers and customers in this topic, this guidance also applies to enterprises using Azure Lighthouse to manage multiple tenants.

Manage hybrid servers at scale with Azure Arc–enabled servers

As a service provider, you can manage on-premises Windows Server or Linux machines outside Azure that your customers have connected to their subscription using the Azure Connected Machine agent. When viewing resources for a delegated subscription in the Azure portal, you'll see these connected machines labeled with Azure Arc.

You can manage these connected machines using Azure constructs, such as Azure Policy and tagging, the same way that you’d manage the customer's Azure resources. You can also work across customer tenants to manage all connected hybrid machines together.

For example, you can ensure the same set of policies are applied across customers' hybrid machines. You can also use Azure Security Center to monitor compliance across all of your customers' hybrid environments, or use Azure Monitor to collect data directly from hybrid machines into a Log Analytics workspace. Virtual machine extensions can be deployed to non-Azure Windows and Linux VMs, simplifying management of customer's hybrid machines.

Manage hybrid Kubernetes clusters at scale with Azure Arc–enabled Kubernetes

You can manage Kubernetes clusters that have been connected to a customer's subscription with Azure Arc, just as if they were running in Azure.

If your customer has created a service principal account to onboard Kubernetes clusters to Azure Arc, you can access this account so that you can onboard and manage clusters. To do so, a user in the managing tenant must have been granted the "Kubernetes Cluster - Azure Arc Onboarding" Azure built-in role when the subscription containing the service principal account was onboarded to Azure Lighthouse.

You can deploy configurations and Helm charts using GitOps for connected clusters.

You can also monitor connected clusters with Azure Monitor, and use Azure Policy to apply cluster configurations at scale.

Next steps