
Manage Azure policies and deploy the Azure monitoring agent extension to Azure Arc Linux and Windows servers

This article provides guidance on how to use Azure Arc enabled servers to assign Azure policies to VMs outside of Azure, whether they are on-premises or on other clouds. With this feature you can now use Azure Policy to audit settings in the operating system of an Azure Arc enabled server; if a setting is not compliant, you can also trigger a remediation task.

In this case, you will assign a policy to audit whether the Azure Arc connected machine has the Microsoft Monitoring Agent (MMA) installed. If not, the extensions feature is used to deploy it to the VM automatically, an onboarding experience on par with Azure VMs. This approach can be used to make sure all your servers are onboarded to services such as Azure Monitor, Azure Security Center, Azure Sentinel, and so on.

You can use the Azure portal, an Azure Resource Manager template (ARM template) or a PowerShell script to assign policies to Azure subscriptions or resource groups. The following procedures use an ARM template to assign built-in policies.

Important

The procedures in this article assume you've already deployed VMs, or servers that are running on-premises or on other clouds, and you have connected them to Azure Arc. If you haven't, the following information can help you automate this.

Please review the Azure Monitor supported OS documentation and ensure that the VMs you use for these procedures are supported. For Linux VMs, check both the Linux distribution and the kernel to ensure you are using a supported configuration.

Prerequisites

  1. Clone the Azure Arc Jumpstart repository.

    git clone https://github.com/microsoft/azure_arc
    
  2. As mentioned, this guide starts at the point where you have already deployed VMs or servers and connected them to Azure Arc. In the following screenshots a Google Cloud Platform (GCP) server has been connected with Azure Arc and is visible as a resource in Azure.

    Screenshot: resource group of the Azure Arc enabled server.

    Screenshot: connected status of the Azure Arc enabled server.

  3. Install or update Azure CLI. Azure CLI should be running version 2.7 or later. Use az --version to check your currently installed version.

  4. Create an Azure service principal.

    To connect a VM or bare-metal server to Azure Arc, an Azure service principal assigned the Contributor role is required. To create it, sign in to your Azure account and run the following commands. You can also run these commands in Azure Cloud Shell.

    az login
    az ad sp create-for-rbac -n "<Unique SP Name>" --role contributor
    

    For example:

    az ad sp create-for-rbac -n "http://AzureArcServers" --role contributor
    

    The output should look like this:

    {
      "appId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "displayName": "AzureArcServers",
      "name": "http://AzureArcServers",
      "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "tenant": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    }
    

    Note

    We highly recommend that you scope the service principal to a specific Azure subscription and resource group.
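As an added example (not code from the Azure Arc Jumpstart repository), the script below places the subscription-wide Contributor assignment used above next to a service principal scoped to a single resource group, validating the subscription ID and building the scope string before az is ever called; the function names, the AZ_DRY_RUN switch and the sample IDs are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure Arc Jumpstart repository.
# Creates the Contributor service principal scoped to one resource group
# instead of the whole subscription. Set AZ_DRY_RUN=1 to print the az
# commands instead of running them (nothing is sent to Azure in that mode).
set -eu

# Return 0 when $1 is a GUID-shaped Azure subscription ID, 1 otherwise.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the resource-group scope the role assignment is limited to.
# Fails closed: a bad subscription ID or an empty group name never falls
# back to the subscription-wide scope that an unscoped call would get.
rg_scope() {
  sub="$1"; rg="$2"
  is_guid "$sub" || { echo "invalid subscription ID: $sub" >&2; return 1; }
  [ -n "$rg" ] || { echo "resource group name is required" >&2; return 1; }
  printf '/subscriptions/%s/resourceGroups/%s' "$sub" "$rg"
}

# Execute a command, or print it verbatim when AZ_DRY_RUN=1.
run() {
  if [ "${AZ_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Weak form from the walkthrough: Contributor on the entire default subscription.
create_sp_unscoped() {
  run az ad sp create-for-rbac -n "$1" --role contributor
}

# Hardened form: Contributor only on the resource group holding the Arc servers.
# Usage: create_sp_scoped <sp name> <subscription ID> <resource group>
create_sp_scoped() {
  scope=$(rg_scope "$2" "$3") || return 1
  run az ad sp create-for-rbac -n "$1" --role contributor --scopes "$scope"
}
```

The same /subscriptions/.../resourceGroups/... string is the scope used later when the initiative is assigned, so the service principal never holds rights beyond the group it manages.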

You'll also need to have a Log Analytics workspace deployed. You can automate the deployment by editing the ARM template parameters file and providing a name and location for your workspace.

Screenshot: the ARM template parameters file.

To deploy the ARM template, navigate to the deployment folder and run the following command:

    az deployment group create --resource-group <Name of the Azure resource group> \
    --template-file <The `log_analytics-template.json` template file location> \
    --parameters <The `log_analytics-template.parameters.json` template file location>

Assign policies to Azure Arc connected machines

After all the prerequisites are set, you can assign policies to the Azure Arc connected machines. Edit the parameters file to provide your subscription ID as well as the Log Analytics workspace.

Screenshot: another ARM template parameters file.

  1. To start the deployment, use the following command:

    az policy assignment create --name 'Enable Azure Monitor for VMs' \
    --scope '/subscriptions/<Your subscription ID>/resourceGroups/<Name of the Azure resource group>' \
    --policy-set-definition '55f3eceb-5573-4f18-9695-226972c6d74a' \
    -p <The *policy.json* template file location> \
    --assign-identity --location <Azure Region>
    

    The --policy-set-definition flag points to the definition ID of the Enable Azure Monitor for VMs initiative.

  2. After the initiative is assigned, it takes about 30 minutes for the assignment to be applied to the defined scope. Azure Policy then starts the evaluation cycle against the Azure Arc connected machine and recognizes it as noncompliant because it still doesn't have the Log Analytics agent configuration deployed. To check this, go to the Azure Arc connected machine under the Policies section.

    Screenshot: noncompliant Azure Policy state.

  3. Now, assign a remediation task to the noncompliant resource to bring it into a compliant state.

    Screenshot: creating an Azure Policy remediation task.

  4. Under Policy to remediate, choose [Preview] Deploy Log Analytics Agent to Linux Azure Arc machines and select Remediate. This remediation task instructs Azure Policy to run the DeployIfNotExists effect and use the Azure Arc extension management capabilities to deploy the Log Analytics agent on the VM.

    Screenshot: Azure Policy remediation action inside the remediation task.

  5. After you have assigned the remediation task, the policy will be evaluated again. It should show that the server on GCP is compliant and that the Microsoft Monitoring Agent extension is installed on the Azure Arc machine.

    Screenshot: remediation task configuration.

    Screenshot: compliant Azure Policy state.

Clean up your environment

Complete the following steps to clean up your environment.

  1. Remove the virtual machines from each environment by following the teardown instructions from each guide.

  2. Remove the Azure Policy assignment by executing the following command in Azure CLI.

    az policy assignment delete --name 'Enable Azure Monitor for VMs' --resource-group <resource-group>
    
  3. Remove the Log Analytics workspace by executing the following command in Azure CLI. Provide the workspace name you used when creating the Log Analytics workspace.

    az monitor log-analytics workspace delete --resource-group <Name of the Azure resource group> --workspace-name <Log Analytics workspace Name> --yes