
Connect hybrid machines to Azure at scale

You can enable Azure Arc enabled servers for multiple Windows or Linux machines in your environment with several flexible options, depending on your requirements. Using the template script we provide, you can automate every step of the installation, including establishing the connection to Azure Arc. However, that script must be executed interactively with an account that has elevated permissions both on the target machine and in Azure.

To connect the machines to Azure Arc enabled servers, you can use an Azure Active Directory service principal instead of your own privileged identity to connect each machine interactively. A service principal is a special, limited management identity that is granted only the minimum permissions necessary to connect machines to Azure with the azcmagent command. This is safer than using a more highly privileged account such as a Tenant Administrator, and follows our access control security best practices. The service principal is used only during onboarding; it is not used for any other purpose.

Whichever installation method you use, the automation that installs and configures the Connected Machine agent needs administrator permissions on the machines: the root account on Linux, and membership in the local Administrators group on Windows.

Before you get started, be sure to review the prerequisites and verify that your subscription and resources meet the requirements. For information about supported regions and other related considerations, see supported Azure regions. Also review our at-scale planning guide to understand the design and deployment criteria, as well as our management and monitoring recommendations.

If you don't have an Azure subscription, create a free account before you begin.

Create a Service Principal for onboarding at scale

You can use Azure PowerShell to create a service principal with the New-AzADServicePrincipal cmdlet. Or you can follow the steps listed under Create a Service Principal using the Azure portal to complete this task.

Note

Before you create a service principal, your account must be a member of the Owner or User Access Administrator role in the subscription that you want to use for onboarding. If you don't have sufficient permissions to configure role assignments, the service principal might be created, but it won't be able to onboard machines.

To create the service principal using PowerShell, perform the following steps.

  1. Run the following command. You must store the output of the New-AzADServicePrincipal cmdlet in a variable, or you will not be able to retrieve the password needed in a later step.

    # Create the service principal and assign it only the built-in onboarding role.
    $sp = New-AzADServicePrincipal -DisplayName "Arc-for-servers" -Role "Azure Connected Machine Onboarding"
    $sp
    
    Secret                : System.Security.SecureString
    ServicePrincipalNames : {ad9bcd79-be9c-45ab-abd8-80ca1654a7d1, https://Arc-for-servers}
    ApplicationId         : ad9bcd79-be9c-45ab-abd8-80ca1654a7d1
    ObjectType            : ServicePrincipal
    DisplayName           : Arc-for-servers
    Id                    : 5be92c87-01c4-42f5-bade-c1c10af87758
    Type                  :
    
  2. To retrieve the password stored in the $sp variable, run the following command:

    # Wrap the SecureString in a PSCredential so the plain-text value can be read back once.
    $credential = New-Object pscredential -ArgumentList "temp", $sp.Secret
    $credential.GetNetworkCredential().password
    
  3. In the output, find the password value under the field password and copy it. Also find the value under the field ApplicationId and copy it. Save both in a secure place for later use; treat the password like any other credential, because anyone who holds it can onboard machines at the assigned scope until it is rotated. If you forget or lose the service principal password, you can reset it using the New-AzADSpCredential cmdlet.

The values from the following properties are used with parameters passed to azcmagent:

  • The value from the ApplicationId property is used for the --service-principal-id parameter.
  • The value from the password property is used for the --service-principal-secret parameter when connecting the agent.

Note

Make sure to use the service principal ApplicationId property, not the Id property.

The Azure Connected Machine Onboarding role contains only the permissions required to onboard a machine. You can assign the service principal this role at the scope of a resource group or of a subscription; prefer the narrowest scope that covers the machines you are onboarding. To add a role assignment, see Assign Azure roles using the Azure portal or Assign Azure roles using Azure CLI.
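The same least-privilege setup done with the Azure CLI, as an added example that is not part of the original page: the service principal receives only the Azure Connected Machine Onboarding role, scoped to a single resource group when one is given, and its password goes straight into a Key Vault rather than onto the screen or into an onboarding script. It assumes a logged-in az CLI session held by an Owner or User Access Administrator at that scope; the names Arc-for-servers, kv-arc-onboarding and the ARC_* environment variables are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the page): create the onboarding service principal with
# the Azure CLI and scope its only role assignment to one resource group.
# Assumes a logged-in az CLI session held by an Owner or User Access Administrator
# at that scope. Names (Arc-for-servers, kv-arc-onboarding, ARC_*) are placeholders.
set -eu

is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Azure RBAC scope: the resource group when one is given, otherwise the subscription.
build_scope() {
  sub="$1"; rg="${2:-}"
  is_guid "$sub" || { printf 'error: subscription id is not a GUID: %s\n' "$sub" >&2; return 1; }
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s' "$sub" "$rg"
  else
    printf '/subscriptions/%s' "$sub"
  fi
}

# Create the service principal with only the built-in onboarding role at scope $2.
# Output is one TSV line: appId, tenant, password. Nothing else prints the secret.
create_onboarding_sp() {
  az ad sp create-for-rbac \
    --name "$1" \
    --role "Azure Connected Machine Onboarding" \
    --scopes "$2" \
    --query '[appId,tenant,password]' -o tsv
}

main() {
  scope="$(build_scope "${ARC_SUBSCRIPTION_ID:?set ARC_SUBSCRIPTION_ID}" "${ARC_RESOURCE_GROUP:-}")"
  out="$(create_onboarding_sp Arc-for-servers "$scope")"
  app_id="$(printf '%s' "$out" | cut -f1)"
  tenant="$(printf '%s' "$out" | cut -f2)"
  secret="$(printf '%s' "$out" | cut -f3)"
  # Hand the secret to Key Vault instead of pasting it into an onboarding script.
  az keyvault secret set --vault-name kv-arc-onboarding \
    --name arc-onboarding-sp-secret --value "$secret" -o none
  unset secret out
  # These two values are what --service-principal-id and --tenant-id will need.
  printf 'service-principal-id=%s\ntenant-id=%s\nscope=%s\n' "$app_id" "$tenant" "$scope"
}

# Usage: ARC_SUBSCRIPTION_ID=<guid> ARC_RESOURCE_GROUP=<rg> sh create-arc-sp.sh run
if [ "${1:-}" = run ]; then main; fi
```

Only the application ID and tenant ID are printed; the automation that later runs azcmagent fetches the secret from the vault at onboarding time, which keeps the credential out of source control and shell history.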

Generate the installation script from the Azure portal

The script that automates the download and installation of the agent and establishes the connection with Azure Arc is available from the Azure portal. To complete the process, do the following steps:

  1. From your browser, go to the Azure portal.

  2. On the Servers - Azure Arc page, select Add at the upper left.

  3. On the Select a method page, select the Add multiple servers tile, and then select Generate script.

  4. On the Generate script page, select the subscription and resource group where you want the machines to be managed within Azure. Select an Azure location where the machine metadata will be stored. This location can be the same as, or different from, the resource group's location.

  5. On the Prerequisites page, review the information and then select Next: Resource details.

  6. On the Resource details page, provide the following:

    1. In the Resource group drop-down list, select the resource group the machines will be managed from.
    2. In the Region drop-down list, select the Azure region in which to store the servers' metadata.
    3. In the Operating system drop-down list, select the operating system that the script is configured to run on.
    4. If the machines reach the internet through a proxy server, specify the proxy server IP address or name and the port number that the machines will use to communicate with it. Enter the value in the format http://<proxyURL>:<proxyport>.
    5. Select Next: Authentication.

  7. On the Authentication page, in the service principal drop-down list, select Arc-for-servers. Then select Next: Tags.

  8. On the Tags page, review the default Physical location tags suggested and enter a value, or specify one or more Custom tags to support your standards.

  9. Select Next: Download and run script.

  10. On the Download and run script page, review the summary information, and then select Download. If you still need to make changes, select Previous.

For Windows, you are prompted to save OnboardingScript.ps1 to your computer; for Linux, OnboardingScript.sh.

Install the agent and connect to Azure

Taking the script template created earlier, you can install and configure the Connected Machine agent on multiple hybrid Linux and Windows machines using your organization's preferred automation tool. The script performs steps similar to those described in the Connect hybrid machines to Azure from the Azure portal article. The difference is in the final step, where the connection to Azure Arc is established with the azcmagent command using the service principal.

The following are the settings you configure the azcmagent command with when using a service principal:

  • service-principal-id: The unique identifier (GUID) that represents the application ID of the service principal.
  • service-principal-secret: The service principal password.
  • tenant-id: The unique identifier (GUID) that represents your dedicated instance of Azure AD.
  • subscription-id: The subscription ID (GUID) of the Azure subscription that you want the machines in.
  • resource-group: The name of the resource group the connected machines will belong to.
  • location: See supported Azure regions. This location can be the same as, or different from, the resource group's location.
  • resource-name: (Optional) The name used for the Azure resource that represents your on-premises machine. If you do not specify this value, the machine hostname is used.
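A Linux onboarding wrapper built around these settings, as an added example that is not the portal-generated OnboardingScript.sh: every value, including the secret, is read from environment variables injected by the automation tool, each GUID is validated before the agent makes any call to Azure, the wrapper refuses to run unless it is root, and the command line it logs has the secret redacted. It assumes the agent is already installed at the default Linux path /opt/azcmagent/bin/azcmagent (override with AZCMAGENT), and the ARC_* variable names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not the portal-generated OnboardingScript.sh): a POSIX sh wrapper
# that connects a Linux machine with a service principal. All settings come from
# environment variables so the secret is never written into the script itself.
# Assumption: the agent is already installed at the default Linux path below.
set -eu

AGENT="${AZCMAGENT:-/opt/azcmagent/bin/azcmagent}"

# Fail early with a message naming the setting when a value is not GUID-shaped.
require_guid() {
  printf '%s' "$2" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$' \
    || { printf 'error: %s must be a GUID, got "%s"\n' "$1" "$2" >&2; return 1; }
}

require_nonempty() {
  [ -n "$2" ] || { printf 'error: %s must be set\n' "$1" >&2; return 1; }
}

# Check every value once, before the agent makes any call to Azure.
validate_settings() {
  require_guid service-principal-id "${ARC_SP_ID:-}" &&
  require_guid tenant-id "${ARC_TENANT_ID:-}" &&
  require_guid subscription-id "${ARC_SUBSCRIPTION_ID:-}" &&
  require_nonempty ARC_RESOURCE_GROUP "${ARC_RESOURCE_GROUP:-}" &&
  require_nonempty ARC_LOCATION "${ARC_LOCATION:-}" &&
  require_nonempty ARC_SP_SECRET "${ARC_SP_SECRET:-}"
}

# The command line that will run, with the secret redacted, for logs and dry runs.
describe_connect() {
  printf '%s connect --service-principal-id %s --service-principal-secret <redacted> --tenant-id %s --subscription-id %s --resource-group %s --location %s --resource-name %s\n' \
    "$AGENT" "$ARC_SP_ID" "$ARC_TENANT_ID" "$ARC_SUBSCRIPTION_ID" \
    "$ARC_RESOURCE_GROUP" "$ARC_LOCATION" "${ARC_RESOURCE_NAME:-$(hostname)}"
}

# Connect, then show the agent state so the automation tool can record the outcome.
run_connect() {
  validate_settings
  [ "$(id -u)" -eq 0 ] || { echo 'error: azcmagent connect must run as root' >&2; return 1; }
  [ -x "$AGENT" ] || { echo "error: agent not found at $AGENT" >&2; return 1; }
  describe_connect
  "$AGENT" connect \
    --service-principal-id "$ARC_SP_ID" \
    --service-principal-secret "$ARC_SP_SECRET" \
    --tenant-id "$ARC_TENANT_ID" \
    --subscription-id "$ARC_SUBSCRIPTION_ID" \
    --resource-group "$ARC_RESOURCE_GROUP" \
    --location "$ARC_LOCATION" \
    --resource-name "${ARC_RESOURCE_NAME:-$(hostname)}"
  "$AGENT" show
}

# Usage: ARC_SP_ID=... ARC_SP_SECRET=... ARC_TENANT_ID=... ARC_SUBSCRIPTION_ID=... \
#        ARC_RESOURCE_GROUP=... ARC_LOCATION=... sh arc-connect.sh run
if [ "${1:-}" = run ]; then run_connect; fi
```

The secret is still visible in the process arguments of azcmagent for the duration of the connect call, so run the wrapper from a tool that injects ARC_SP_SECRET from a secret store, keep the onboarding script out of shell history and shared file shares, and rotate the service principal password once the rollout is finished.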

You can learn more about the azcmagent command-line tool by reviewing the Azcmagent Reference.

Note

The Windows PowerShell script only supports running from a 64-bit version of Windows PowerShell.

After you install the agent and configure it to connect to Azure Arc enabled servers, go to the Azure portal to verify that the server has successfully connected. View your machines in the Azure portal.

(Screenshot: successful server connection)

Next steps