What is Azure Arc for servers (preview)

Azure Arc for servers (preview) allows you to manage your Windows and Linux machines hosted outside of Azure, on your corporate network or at another cloud provider, in the same way you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID, is managed as part of a resource group inside a subscription, and benefits from standard Azure constructs such as Azure Policy and tagging.

To deliver this experience for hybrid machines hosted outside of Azure, the Azure Connected Machine agent must be installed on each machine that you plan to connect to Azure. This agent does not deliver any other functionality, and it does not replace the Azure Log Analytics agent. The Log Analytics agent for Windows and Linux is still required when you want to proactively monitor the OS and workloads running on the machine, manage it using Automation runbooks or solutions like Update Management, or use other Azure services like Azure Security Center.

Note

This preview release is intended for evaluation purposes, and we recommend that you do not use it to manage critical production machines.

Supported scenarios

Azure Arc for servers (preview) supports the following scenarios with connected machines:

  • Assign Azure Policy guest configurations using the same experience as policy assignment for Azure virtual machines.
  • Log data collected by the Log Analytics agent and stored in the Log Analytics workspace the machine is registered with now contains properties specific to the machine, such as the Resource ID, which can be used to support resource-context log access.

Supported regions

With Azure Arc for servers (preview), only certain regions are supported:

  • WestUS2
  • WestEurope
  • WestAsia

In most cases, the location you select when you create the installation script should be the Azure region geographically closest to your machine's location. Data at rest is stored within the Azure geography containing the region you specify, which may also affect your choice of region if you have data residency requirements. If the Azure region your machine is connected to is affected by an outage, the connected machine itself is not affected, but management operations using Azure may be unable to complete. For resilience in the event of a regional outage, if you have multiple locations that provide a geographically redundant service, it is best to connect the machines in each location to a different Azure region.

Prerequisites

Supported operating systems

The following versions of the Windows and Linux operating systems are officially supported for the Azure Connected Machine agent:

  • Windows Server 2012 R2 and higher (including Windows Server Core)
  • Ubuntu 16.04 and 18.04
  • CentOS Linux 7
  • SUSE Linux Enterprise Server (SLES) 15
  • Red Hat Enterprise Linux (RHEL) 7
  • Amazon Linux 2

Note

This preview release of the Connected Machine agent for Windows only supports Windows Server configured to use the English language.

Required permissions

  • To onboard machines, you must be a member of the Azure Connected Machine Onboarding role.

  • To read, modify, re-onboard, and delete a machine, you must be a member of the Azure Connected Machine Resource Administrator role.

Azure subscription and service limits

Before configuring your machines with Azure Arc for servers (preview), review the Azure Resource Manager subscription limits and resource group limits to plan for the number of machines to be connected.

TLS 1.2 protocol

To ensure the security of data in transit to Azure, we strongly encourage you to configure your machines to use Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable; while they still work for backwards compatibility, they are not recommended.

Platform/Language | Support | More Information
Linux | Linux distributions tend to rely on OpenSSL for TLS 1.2 support. | Check the OpenSSL Changelog to confirm that your version of OpenSSL is supported.
Windows Server 2012 R2 and higher | Supported, and enabled by default. | Confirm that you are still using the default settings.

Networking configuration

The Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. If the machine connects through a firewall or proxy server to communicate over the Internet, review the requirements below to understand the network configuration requirements.

If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs listed below are not blocked. If you only allow the IP ranges or domain names required for the agent to communicate with the service, you must also allow access to the following Service Tags and URLs.

Service Tags:

  • AzureActiveDirectory
  • AzureTrafficManager

URLs:

Agent resource | Description
management.azure.com | Azure Resource Manager
login.windows.net | Azure Active Directory
dc.services.visualstudio.com | Application Insights
agentserviceapi.azure-automation.net | Guest Configuration
*-agentservice-prod-1.azure-automation.net | Guest Configuration
*.his.hybridcompute.azure-automation.net | Hybrid Identity Service

For a list of IP addresses for each service tag/region, see the JSON file Azure IP Ranges and Service Tags – Public Cloud. Microsoft publishes weekly updates containing each Azure service and the IP ranges it uses. For more information, review Service tags.

The URLs in the previous table are required in addition to the Service Tag IP address range information because the majority of these services do not currently have a Service Tag registration; as such, their IP addresses are subject to change. If IP address ranges are required for your firewall configuration, the AzureCloud Service Tag should be used to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs; allow them as you would other Internet traffic.
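As an added example that is not part of the original documentation, the following POSIX shell script checks a proxy log and a firewall allowlist against the endpoints in the table above, so that unexpected egress from an Arc-connected server, or a missing allowlist entry, is easy to spot. The proxy log format ("HOST:PORT STATUS") and the allowlist format (one host pattern per line) are assumptions constructed for this example; adapt the parsing to your own proxy.

```shell
#!/bin/sh
# Added example (not from the Azure Arc documentation): compare outbound
# traffic and allowlists with the Connected Machine agent's required endpoints.
# The log format "HOST:PORT STATUS" and the allowlist format (one pattern per
# line) are constructed for this example.

# Endpoints from the URL table above; "*" entries are shell patterns.
ARC_REQUIRED='management.azure.com
login.windows.net
dc.services.visualstudio.com
agentserviceapi.azure-automation.net
*-agentservice-prod-1.azure-automation.net
*.his.hybridcompute.azure-automation.net'

# arc_required_host HOST: exit 0 when HOST is one of the agent's endpoints.
arc_required_host() {
    while IFS= read -r pattern; do
        case $1 in
            $pattern) return 0 ;;
        esac
    done <<EOF
$ARC_REQUIRED
EOF
    return 1
}

# arc_unexpected_egress LOGFILE: print port-443 destinations that are not
# agent endpoints, so other outbound traffic from the server stands out.
arc_unexpected_egress() {
    while read -r dest _status; do
        host=${dest%:*}
        port=${dest##*:}
        [ "$port" = 443 ] || continue
        arc_required_host "$host" || echo "$host"
    done < "$1"
}

# arc_missing_allowlist ALLOWLIST: print required entries the allowlist lacks
# (exact line match, so a missing wildcard entry is reported as missing).
arc_missing_allowlist() {
    printf '%s\n' "$ARC_REQUIRED" | while IFS= read -r req; do
        grep -qxF -- "$req" "$1" || echo "$req"
    done
}

# Demo on a constructed two-line proxy log.
log=$(mktemp)
printf '%s\n' 'management.azure.com:443 200' 'updates.example.net:443 200' > "$log"
arc_unexpected_egress "$log"    # prints updates.example.net
rm -f "$log"
```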

Register Azure resource providers

Azure Arc for servers (preview) depends on the following Azure resource providers being registered in your subscription:

  • Microsoft.HybridCompute
  • Microsoft.GuestConfiguration

If they are not registered, you can register them using the following commands:

Azure PowerShell:

Login-AzAccount
Set-AzContext -SubscriptionId [subscription you want to onboard]
Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration

Azure CLI:

az account set --subscription "{Your Subscription Name}"
az provider register --namespace 'Microsoft.HybridCompute'
az provider register --namespace 'Microsoft.GuestConfiguration'

You can also register the resource providers in the Azure portal by following the steps under Azure portal.

Connected Machine agent

You can download the Azure Connected Machine agent package for Windows and Linux from the locations listed below.

Note

During this preview, only one package has been released, which is suitable for Ubuntu 16.04 or 18.04.

The Azure Connected Machine agent for Windows and Linux can be upgraded to the latest release manually or automatically, depending on your requirements. For more information, see here.

Agent status

The Connected Machine agent sends a regular heartbeat message to the service every 5 minutes. If the service stops receiving these heartbeat messages from a machine, that machine is considered offline and its status is automatically changed to Disconnected in the portal within 15 to 30 minutes. Upon receiving a subsequent heartbeat message from the Connected Machine agent, its status is automatically changed back to Connected.

Install and configure the agent

Connecting machines in your hybrid environment directly with Azure can be accomplished using different methods, depending on your requirements. The following table highlights each method so you can determine which works best for your organization.

Method | Description
Interactively | Manually install the agent on a single machine or a small number of machines by following the steps in Connect machines from the Azure portal. From the Azure portal, you can generate a script and run it on the machine to automate the install and configuration steps of the agent.
At scale | Install and configure the agent for multiple machines by following Connect machines using a Service Principal. This method creates a service principal to connect machines non-interactively.
At scale | Install and configure the agent for multiple machines by following the method in Using Windows PowerShell DSC. This method uses a service principal to connect machines non-interactively with PowerShell DSC.

Next steps