
Automate resources in your datacenter or cloud by using Hybrid Runbook Worker

Runbooks in Azure Automation might not be able to access resources in other clouds or in your on-premises environment because they run on the Azure cloud platform. You can use the Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on the computer that's hosting the role and against resources in the environment to manage those local resources. Runbooks are stored and managed in Azure Automation and then delivered to one or more designated computers.

The following image illustrates this functionality:

Hybrid Runbook Worker overview

Each Hybrid Runbook Worker is a member of a Hybrid Runbook Worker group that you specify when you install the agent. A group can include a single agent, but you can install multiple agents in a group for high availability.

When you start a runbook on a Hybrid Runbook Worker, you specify the group that it runs on. Each worker in the group polls Azure Automation to see if any jobs are available. If a job is available, the first worker to get the job takes it. You can't specify a particular worker. The job limits apply to both Azure sandboxes and Hybrid Runbook Workers.

Install a Hybrid Runbook Worker

The process to install a Hybrid Runbook Worker depends on the OS. The following table contains links to the methods that you can use for the installation.

To install and configure a Windows Hybrid Runbook Worker, you can use two methods. The recommended method is using an Automation runbook to completely automate the process of configuring a Windows computer. The second method is following a step-by-step procedure to manually install and configure the role. For Linux machines, you run a Python script to install the agent on the machine.

| OS | Deployment types |
| --- | --- |
| Windows | PowerShell |
| | Manual |
| Linux | Python |

Note

To manage the configuration of your servers that support the Hybrid Runbook Worker role with Desired State Configuration (DSC), you need to add them as DSC nodes. For more information about onboarding them for management with DSC, see Onboarding machines for management by Azure Automation DSC.

If you enable the Update Management solution, any computer that's connected to your Azure Log Analytics workspace is automatically configured as a Hybrid Runbook Worker to support runbooks included in this solution. However, the computer is not registered with any Hybrid Worker groups already defined in your Automation account. The computer can be added to a Hybrid Runbook Worker group in your Automation account to support Automation runbooks as long as you're using the same account for both the solution and the Hybrid Runbook Worker group membership. This functionality has been added to version 7.2.12024.0 of Hybrid Runbook Worker.

Review the information for planning your network before you begin deploying a Hybrid Runbook Worker. After you successfully deploy the worker, review Run runbooks on a Hybrid Runbook Worker to learn how to configure your runbooks to automate processes in your on-premises datacenter or other cloud environment.

Remove a Hybrid Runbook Worker

You can remove one or more Hybrid Runbook Workers from a group, or you can remove the group, depending on your requirements. To remove a Hybrid Runbook Worker from an on-premises computer, perform the following steps:

  1. In the Azure portal, go to your Automation account.
  2. Under Settings, select Keys and note the values for URL and Primary Access Key. You need this information for the next step.

Windows

Open a PowerShell session in Administrator mode and run the following command. Use the -Verbose switch for a detailed log of the removal process.

Remove-HybridRunbookWorker -url <URL> -key <PrimaryAccessKey>

To remove stale machines from your Hybrid Worker group, use the optional machineName parameter.

Remove-HybridRunbookWorker -url <URL> -key <PrimaryAccessKey> -machineName <ComputerName>

Linux

sudo python onboarding.py --deregister --endpoint="<URL>" --key="<PrimaryAccessKey>" --groupname="Example" --workspaceid="<workspaceId>"

Note

This code does not remove the Microsoft Monitoring Agent from the computer, only the functionality and configuration of the Hybrid Runbook Worker role.

Remove a Hybrid Worker group

To remove a group, you first need to remove the Hybrid Runbook Worker from every computer that is a member of the group by using the procedure shown earlier. Then, perform the following steps to remove the group:

  1. Open the Automation account in the Azure portal.
  2. Under Process Automation, select Hybrid worker groups. Select the group that you want to delete. The properties page for that group appears.

    Properties page

  3. On the properties page for the selected group, select Delete. A message asks you to confirm this action. Select Yes if you're sure that you want to proceed.

    Confirmation message

    This process can take several seconds to finish. You can track its progress under Notifications from the menu.

Configure your network

Hybrid Worker role

For the Hybrid Runbook Worker to connect to and register with Log Analytics, it must have access to the port number and the URLs that are described in this section. This access is in addition to the ports and URLs required for Microsoft Monitoring Agent to connect to Log Analytics.

If you use a proxy server for communication between the agent and the Log Analytics service, ensure that the appropriate resources are accessible. If you use a firewall to restrict access to the internet, you must configure your firewall to permit access. If you use the OMS gateway as a proxy, ensure it is configured for hybrid workers. For instructions on how to do this, see Configure the OMS Gateway for Automation Hybrid Workers.

The following port and URLs are required for the Hybrid Runbook Worker role to communicate with Automation:

  • Port: Only TCP 443 is required for outbound internet access.
  • Global URL: *.azure-automation.net
  • Global URL of US Gov Virginia: *.azure-automation.us
  • Agent service: https://<workspaceId>.agentsvc.azure-automation.net

It is recommended to use the addresses listed when defining exceptions. For IP addresses you can download the Microsoft Azure Datacenter IP Ranges. This file is updated weekly, and reflects the currently deployed ranges and any upcoming changes to the IP ranges.

If you have an Automation account that's defined for a specific region, you can restrict communication to that regional datacenter. The following table provides the DNS record for each region:

| Region | DNS record |
| --- | --- |
| West Central US | wcus-jobruntimedata-prod-su1.azure-automation.net |
| | wcus-agentservice-prod-1.azure-automation.net |
| South Central US | scus-jobruntimedata-prod-su1.azure-automation.net |
| | scus-agentservice-prod-1.azure-automation.net |
| East US 2 | eus2-jobruntimedata-prod-su1.azure-automation.net |
| | eus2-agentservice-prod-1.azure-automation.net |
| Canada Central | cc-jobruntimedata-prod-su1.azure-automation.net |
| | cc-agentservice-prod-1.azure-automation.net |
| West Europe | we-jobruntimedata-prod-su1.azure-automation.net |
| | we-agentservice-prod-1.azure-automation.net |
| North Europe | ne-jobruntimedata-prod-su1.azure-automation.net |
| | ne-agentservice-prod-1.azure-automation.net |
| South East Asia | sea-jobruntimedata-prod-su1.azure-automation.net |
| | sea-agentservice-prod-1.azure-automation.net |
| Central India | cid-jobruntimedata-prod-su1.azure-automation.net |
| | cid-agentservice-prod-1.azure-automation.net |
| Japan East | jpe-jobruntimedata-prod-su1.azure-automation.net |
| | jpe-agentservice-prod-1.azure-automation.net |
| Australia South East | ase-jobruntimedata-prod-su1.azure-automation.net |
| | ase-agentservice-prod-1.azure-automation.net |
| UK South | uks-jobruntimedata-prod-su1.azure-automation.net |
| | uks-agentservice-prod-1.azure-automation.net |
| US Gov Virginia | usge-jobruntimedata-prod-su1.azure-automation.us |
| | usge-agentservice-prod-1.azure-automation.us |
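
The regional restriction described above, as an added example (not part of the original documentation or any Microsoft tooling): this Python code builds the exact host allowlist for one public-cloud region from the table and audits egress log lines against it, so a firewall review can see required hosts that are blocked and Automation hosts that only the global wildcard would permit. The `ACTION host port` log format, the function names, and the workspace ID are assumptions constructed for illustration.

```python
# Added example: region prefixes copied from the DNS record table above
# (public-cloud regions only). Log format and function names are hypothetical.
REGION_PREFIX = {
    "West Central US": "wcus", "South Central US": "scus", "East US 2": "eus2",
    "Canada Central": "cc", "West Europe": "we", "North Europe": "ne",
    "South East Asia": "sea", "Central India": "cid", "Japan East": "jpe",
    "Australia South East": "ase", "UK South": "uks",
}
SERVICE_SUFFIX = ".azure-automation.net"  # what the global wildcard covers


def regional_allowlist(region, workspace_id):
    """Exact FQDNs one worker needs, instead of *.azure-automation.net."""
    prefix = REGION_PREFIX[region]
    return {
        f"{prefix}-jobruntimedata-prod-su1{SERVICE_SUFFIX}",
        f"{prefix}-agentservice-prod-1{SERVICE_SUFFIX}",
        f"{workspace_id.lower()}.agentsvc{SERVICE_SUFFIX}",
    }


def audit_egress(log_lines, allowlist):
    """Sort 'ACTION host port' lines into findings for a firewall review."""
    findings = {"blocked_required": [], "outside_region": [], "bad_port": []}
    for line in log_lines:
        action, host, port = line.split()
        host = host.lower().rstrip(".")        # normalise case and root dot
        if not host.endswith(SERVICE_SUFFIX):
            continue                           # look-alike or unrelated host
        if port != "443":
            findings["bad_port"].append(host)  # only TCP 443 is required
        elif host in allowlist and action == "DENY":
            findings["blocked_required"].append(host)
        elif host not in allowlist and action == "ALLOW":
            findings["outside_region"].append(host)
    return findings


# Constructed sample data: placeholder workspace ID and made-up proxy log lines.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_LOG = [
    "ALLOW we-agentservice-prod-1.azure-automation.net 443",
    "DENY we-jobruntimedata-prod-su1.azure-automation.net 443",
    "ALLOW EUS2-AgentService-prod-1.azure-automation.net. 443",
    "ALLOW we-agentservice-prod-1.azure-automation.net.example.org 443",
    "ALLOW we-agentservice-prod-1.azure-automation.net 80",
]

if __name__ == "__main__":
    allow = regional_allowlist("West Europe", WORKSPACE_ID)
    for kind, hosts in audit_egress(SAMPLE_LOG, allow).items():
        print(kind, hosts)
```

The suffix check keeps its leading dot and is applied after normalising the host name, so a name that merely contains `azure-automation.net` under another domain is not treated as an Automation endpoint.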

For a list of region IP addresses instead of region names, download the Azure Datacenter IP address XML file from the Microsoft Download Center.

Note

The Azure Datacenter IP address XML file lists the IP address ranges that are used in the Microsoft Azure datacenters. The file includes compute, SQL, and storage ranges.

An updated file is posted weekly. The file reflects the currently deployed ranges and any upcoming changes to the IP ranges. New ranges that appear in the file aren't used in the datacenters for at least one week.

It's a good idea to download the new XML file every week. Then, update your site to correctly identify services running in Azure. Azure ExpressRoute users should note that this file is used to update the Border Gateway Protocol (BGP) advertisement of Azure space in the first week of each month.

Update Management

In addition to the standard addresses and ports that the Hybrid Runbook Worker requires, the following addresses are required specifically for Update Management. Communication to these addresses is done over port 443.

| Azure Public | Azure Government |
| --- | --- |
| *.ods.opinsights.azure.com | *.ods.opinsights.azure.us |
| *.oms.opinsights.azure.com | *.oms.opinsights.azure.us |
| *.blob.core.windows.net | *.blob.core.usgovcloudapi.net |

Troubleshoot

To learn how to troubleshoot your Hybrid Runbook Workers, see Troubleshooting Hybrid Runbook Workers.

Next steps

To learn how to configure your runbooks to automate processes in your on-premises datacenter or other cloud environment, see Run runbooks on a Hybrid Runbook Worker.