Patrick_Lownds

Getting started with Azure Arc for Servers

Before I dive into documenting my experiences with getting started with Azure Arc for Servers, I wanted to take the opportunity to summarise a couple of points to help position and provide some context to Azure Arc.

Why Azure Arc? Customers increasingly need a way to manage and govern environments that keep growing in complexity. Enterprise customers often run a variety of application architectures and patterns. Alongside this, these same customers have a diverse infrastructure that spans differing locations, e.g. from the data centre to branch offices and the edge. Those same enterprise customers are frequently integrating public cloud properties like Azure, AWS and Google into their environments. This all presents a complex problem when it comes to areas like governance, management, compliance and security.


We all know through working with public Azure that Azure Resource Manager (ARM) is the control plane for Azure resources and Azure provides a diverse set of interfaces e.g. the Azure Portal, Cloud Shell, PowerShell, CLI, APIs and SDKs that all leverage ARM.

ARM provides a management control layer that enables us to create, update, and delete resources in Azure and we can use common management features in Azure, like access controls, resource locks, tags and resource groups to secure and organise resources that we deploy.

Prior to Azure Arc, if you wanted to use a cloud-based service like Update Management in Azure Automation to manage operating system updates for your Windows and Linux instances, you would typically install the Update Management agent and connect this endpoint directly to the Azure Automation Update Service layer within the Management Services layer in public Azure.

Azure Arc allows the Azure control plane to extend into resources outside of public Azure or to state this a slightly different way, Azure Arc for Servers projects the Azure control plane and services to any infrastructure.


When it comes to deploying Azure Arc for Servers and the on-boarding process, there are two well-defined methods.

  • Interactively
  • At scale

The interactive method is the best option when you have a low number of machines to on-board. It requires device authentication using https://microsoft.com/devicelogin, which is similar in nature to two-factor authentication (2FA).


The recommended approach is to use the Azure portal to generate the required PowerShell script (for Windows machines) or bash script (for Linux machines). However, before you can carry out that step and on-board your first machine, there are a few prerequisites you need to meet:

  1. You require an Azure subscription (a free account is fine if you are simply experimenting).
  2. You have a newly created or existing Resource Group where the on-premises server object will be created and managed from within Azure.
  3. You need to have administrator permissions on the machines where you are going to install and configure the Azure Arc for Servers agent.
  4. Your target machine needs to be one of the supported operating systems:
    • Windows Server 2012 R2 and higher (including Windows Server Core)
    • Ubuntu 16.04 and 18.04 LTS (x64)
    • CentOS Linux 7 (x64)
    • SUSE Linux Enterprise Server (SLES) 15 (x64)
    • Red Hat Enterprise Linux (RHEL) 7 (x64)
    • Amazon Linux 2 (x64)
  5. You have the required RBAC permissions in public Azure:
    • Azure Connected Machine Onboarding role
    • Azure Connected Machine Resource Administrator role
  6. If the machine you are going to deploy the agent to connects through a firewall or proxy server to get to the Internet, you need to make sure the following URLs are not blocked:
    • management.azure.com – this is Azure Resource Manager
    • login.windows.net – this is Azure Active Directory
    • login.microsoftonline.com – this is Azure Active Directory
    • dc.services.visualstudio.com – this is Azure Application Insights
    • *.guestconfiguration.azure.com – this is the Guest Configuration Service
    • *.his.arc.azure.com – this is the Hybrid Identity Service
    • www.office.com – Office 365 Service
  7. Your chosen Azure Region is one where Azure Arc for Servers is supported (when I last carried out my deployment, that was the following Azure Regions):
    • Southeast Asia
    • Australia East
    • North Europe
    • West Europe
    • UK South
    • East US
    • East US 2
    • North Central US
    • South Central US
    • West Central US
    • West US 2
  8. You have registered the required Azure Resource Providers:
    • Microsoft.HybridCompute
    • Microsoft.GuestConfiguration
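Prerequisite 6 is the one most often missed on a firewalled or proxied network, and the agent only tells you about it after installation. The following pre-flight check is an added example (not part of the original post) that probes the listed endpoints from the machine you intend to on-board; it assumes curl is installed, and it cannot probe the two wildcard entries because the real host name under those domains is assigned by the service, so it reports them for manual confirmation instead.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: pre-flight connectivity check
# for the endpoints in prerequisite 6, to run on the machine being on-boarded
# before the agent is installed. Assumes curl is present; curl honours the
# https_proxy environment variable, so a proxy configured there is used.
set -eu
set -f   # no globbing, so the wildcard entries below stay literal strings

# The endpoint list from the post's prerequisites.
ARC_ENDPOINTS="management.azure.com login.windows.net login.microsoftonline.com dc.services.visualstudio.com *.guestconfiguration.azure.com *.his.arc.azure.com www.office.com"

# Open a TLS connection to host:443. Any HTTP status is accepted; only a
# failed connection or handshake (firewall, proxy denial, TLS interception
# with an untrusted certificate) counts as a failure.
probe_host() {
  curl -sS -o /dev/null --max-time 10 "https://$1/" >/dev/null 2>&1
}

# Probe each endpoint, print one line per result plus a summary line, and
# return the number of probeable endpoints that were blocked (0 = all good).
# Wildcard entries are skipped and listed for manual confirmation.
check_arc_endpoints() {
  local host failed=0 skipped=0
  for host in $ARC_ENDPOINTS; do
    case "$host" in
      \*.*)
        echo "SKIP     $host (wildcard: allow the whole domain on the firewall/proxy)"
        skipped=$((skipped + 1))
        ;;
      *)
        if probe_host "$host"; then
          echo "OK       $host"
        else
          echo "BLOCKED  $host"
          failed=$((failed + 1))
        fi
        ;;
    esac
  done
  echo "$failed blocked, $skipped wildcard entries to confirm manually"
  return "$failed"
}

# Usage: run check_arc_endpoints on the target machine; a non-zero exit
# status means at least one endpoint is unreachable and on-boarding will fail.
```

The probe is deliberately weaker than a full request (any HTTP status passes), because the point is to catch a firewall or proxy rule that drops the connection, not to exercise the Azure APIs.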

Having to register the required Azure Resource Providers (RPs) isn’t an everyday occurrence, so it is possible that this isn’t something you have done previously. Before you can use a Resource Provider (RP), your Azure subscription must be registered for the RP in question. The registration process configures your subscription to work with that RP. Some RPs are registered by default, and others are registered automatically when you carry out certain actions or tasks, e.g. when creating a resource through the Azure portal. In some scenarios, like Azure Arc for Servers, you are required to manually register the required RPs.

You can use Azure Cloud Shell and the following CLI commands to manually register the required RPs:

  1. az account list
  2. az account set --subscription "{Your Subscription Name}"
  3. az provider register --namespace 'Microsoft.HybridCompute'
  4. az provider register --namespace 'Microsoft.GuestConfiguration'


You can monitor the on-going registration progress with the following command, which pulls the provider's status from the resource providers API:

  1. az provider show -n 'Microsoft.GuestConfiguration'
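Registration is asynchronous: `az provider register` returns immediately and the state reported by `az provider show` moves from Registering to Registered some time later, so a script that goes straight on to on-boarding can fail. The following bash script is an added example (not from the original post) that registers both namespaces and then polls until each is Registered; it assumes the Azure CLI is installed and logged in with the subscription already selected as in the steps above.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: register the two resource
# providers the post lists and poll the resource providers API until each
# reports Registered. Assumes the Azure CLI (az) is installed and logged in,
# with the subscription already selected via "az account set".
set -eu

ARC_PROVIDERS="Microsoft.HybridCompute Microsoft.GuestConfiguration"

# Current registration state of one provider namespace, e.g. "Registering" or
# "Registered". Kept as its own function so it can be stubbed for testing.
provider_state() {
  az provider show -n "$1" --query registrationState -o tsv
}

# Ask Azure Resource Manager to register a provider namespace (safe to repeat).
register_provider() {
  az provider register --namespace "$1"
}

# Poll provider_state up to $2 times, sleeping $3 seconds between polls.
# Prints the number of polls used; returns 0 once Registered, 1 on timeout.
wait_for_provider() {
  local ns="$1" max_attempts="${2:-30}" delay="${3:-10}" attempt=0 state
  while [ "$attempt" -lt "$max_attempts" ]; do
    attempt=$((attempt + 1))
    state=$(provider_state "$ns")
    if [ "$state" = "Registered" ]; then
      echo "$attempt"
      return 0
    fi
    sleep "$delay"
  done
  echo "$attempt"
  return 1
}

# Kick off both registrations first, then wait for each, so the waits overlap.
register_arc_providers() {
  local max_attempts="${1:-30}" delay="${2:-10}" ns
  for ns in $ARC_PROVIDERS; do
    register_provider "$ns" >/dev/null
  done
  for ns in $ARC_PROVIDERS; do
    if ! wait_for_provider "$ns" "$max_attempts" "$delay" >/dev/null; then
      echo "timed out waiting for $ns to register" >&2
      return 1
    fi
  done
  echo "all providers registered"
}

# Usage: register_arc_providers 30 10   # up to 30 polls, 10 s apart
```

The two `az` calls are wrapped in their own functions so the polling logic can be exercised without a subscription, and so a subsequent pipeline step can gate on the script's exit status rather than on a fixed sleep.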

To then see the newly registered resource providers and the registration status for your subscription:

  1. Sign in to the Azure portal.
  2. On the Azure portal menu (left menu) either select Subscriptions or search for Subscriptions and then select your subscription.
  3. On the left menu, under Settings select Resource Providers.
  4. Find the resource provider e.g. Microsoft.HybridCompute (filtering by name) and note the status of this provider.

When ready, you can generate the interactive installation script to deploy the Azure Arc Agent directly from the Azure portal:

  1. Sign in to the Azure portal.
  2. In the Azure portal click All services and then in the Filter box enter Servers - Azure Arc.
  3. On the Servers - Azure Arc page, select Add.
  4. On the Add servers with Azure Arc page, under Add servers using interactive script select Generate script.

Below is the example PowerShell script that you run interactively when on-boarding a Windows machine:

# Download the package

function download() {$ProgressPreference="SilentlyContinue"; Invoke-WebRequest -Uri https://aka.ms/AzureConnectedMachineAgent -OutFile AzureConnectedMachineAgent.msi}

download

# Install the package

msiexec /i AzureConnectedMachineAgent.msi /l*v installationlog.txt /qn | Out-String

# Run connect command

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect --resource-group "ArcServers" --tenant-id "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF" --location "northeurope" --subscription-id "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF" --cloud "AzureCloud" --tags "Datacenter=GardenDC,City=London,StateOrDistrict=London,CountryOrRegion=UK,ServerType=HPE"

if($LastExitCode -eq 0){Write-Host -ForegroundColor yellow "To view your onboarded server(s), navigate to https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.HybridCompute%2Fmachines"}

There are also optional parameters that allow you to specify items such as the resource name, which by default is the machine's hostname.

The Azure Arc Agent for Linux is provided in the preferred package format for the distribution and is hosted in the Microsoft package repository. The agent is installed and configured with the shell script bundle install_linux_azcmagent.sh.

Below is the example script that you run interactively when on-boarding a Linux machine:

# Download the installation package

wget https://aka.ms/azcmagent -O ~/install_linux_azcmagent.sh

# Install the hybrid agent

bash ~/install_linux_azcmagent.sh

# Run connect command

azcmagent connect --resource-group "ArcServers" --tenant-id "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF" --location "westeurope" --subscription-id "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF" --cloud "AzureCloud"

# printf is used so the colour escape sequences are interpreted regardless of which shell runs the script
if [ $? = 0 ]; then printf '\033[33m%s\033[m\n' "To view your onboarded server(s), navigate to https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.HybridCompute%2Fmachines"; fi

The second on-boarding method is at scale. You typically use this method when you have a large number of machines to on-board or you want a non-interactive experience. This approach requires the creation of a Service Principal. The PowerShell commands are fairly similar, and when on-boarding at scale you specify the Service Principal ID and Secret.

Next, log in to the Windows server and open an elevated PowerShell command prompt using the 64-bit version of PowerShell. Change to the directory where you have copied the script to, and execute the script on the server you’re attempting to on-board.
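For the Linux side of an at-scale roll-out, the following bash script is an added example (not the portal-generated script and not from the original post). It uses the `--service-principal-id` and `--service-principal-secret` flags of `azcmagent connect`, reads the secret from the ARC_SP_SECRET environment variable so it is never written into the script that gets copied to every machine, and validates the GUIDs first (the ids pasted into the portal scripts above carry a stray leading space inside the quotes, which is exactly the kind of defect this catches). All GUIDs shown are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: non-interactive ("at scale")
# on-boarding of a Linux machine with a service principal. Assumes the agent is
# already installed via install_linux_azcmagent.sh and that azcmagent connect
# accepts --service-principal-id / --service-principal-secret. The secret is
# read from ARC_SP_SECRET so it never lands in this file or in shell history.
# All ids in the usage comment are placeholders.
set -eu

# Strip surrounding whitespace; a stray space inside the quotes around an id
# is enough for the agent to reject the connect call.
trim() {
  printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# A GUID is 8-4-4-4-12 hex digits; anything else (including a space) fails.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Normalise and validate tenant id, subscription id and service principal id.
# Prints the three trimmed ids one per line; returns 1 if any is malformed.
validate_ids() {
  local tenant sub sp id
  tenant=$(trim "$1"); sub=$(trim "$2"); sp=$(trim "$3")
  for id in "$tenant" "$sub" "$sp"; do
    is_guid "$id" || { echo "malformed GUID: '$id'" >&2; return 1; }
  done
  printf '%s\n%s\n%s\n' "$tenant" "$sub" "$sp"
}

# Connect this machine. Arguments: resource group, location, tenant id,
# subscription id, service principal id. The secret comes only from the
# environment and is never echoed.
connect_machine() {
  local rg="$1" location="$2" ids tenant sub sp
  : "${ARC_SP_SECRET:?export ARC_SP_SECRET before running connect_machine}"
  ids=$(validate_ids "$3" "$4" "$5") || return 1
  tenant=$(printf '%s\n' "$ids" | sed -n 1p)
  sub=$(printf '%s\n' "$ids" | sed -n 2p)
  sp=$(printf '%s\n' "$ids" | sed -n 3p)
  azcmagent connect \
    --resource-group "$rg" \
    --tenant-id "$tenant" \
    --subscription-id "$sub" \
    --location "$location" \
    --cloud "AzureCloud" \
    --service-principal-id "$sp" \
    --service-principal-secret "$ARC_SP_SECRET" \
    --tags "Datacenter=GardenDC,City=London"
}

# Usage on each target machine (placeholder ids), after exporting ARC_SP_SECRET:
# connect_machine ArcServers westeurope \
#   00000000-0000-0000-0000-000000000000 \
#   11111111-1111-1111-1111-111111111111 \
#   22222222-2222-2222-2222-222222222222
```

Two things to keep in mind when you run this across a fleet: the secret is still visible in the process list for the duration of the `azcmagent connect` call, so give the service principal only the Azure Connected Machine Onboarding role from prerequisite 5 and rotate its secret once the roll-out is done; and because the validation happens before the agent is invoked, a batch of hosts fails fast on a bad id rather than half-registering.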

If the Azure Arc Agent fails to start after installation is complete, check the logs for detailed error information. The log directory for Windows is %ProgramData%\AzureConnectedMachineAgent\Log and for Linux it is /var/opt/azcmagent/log.

Here you will find the following log files that are relevant to deployment:

  • Himds.log contains the activity of this service and its interaction with Azure (HIMDS – Hybrid Instance Metadata Service).
  • Azcmagent.log contains the output of the azcmagent tool commands when verbose logging is enabled.

When troubleshooting your deployment, the minimum information you need is the on-boarding verbose logs, which you get by adding the --verbose flag to the on-boarding command line and then collecting the himds.log and azcmagent.log files.

After you have installed the agent and configured it to connect to Azure, you can go to the Azure portal to verify that the server object has successfully connected.


Azure Arc offers a simplified management approach that is consistent with public Azure cloud services. Azure Arc provides visibility of your most important assets, along with support for centralised operations and compliance, across a variety of locations, by extending the Azure control layer to on-premises and other public cloud properties.

For more information on the many ways we can help you, https://www.hpe.com/uk/en/services/pointnext.html 

Patrick Lownds
Hewlett Packard Enterprise

twitter.com/HPE_TechSvcs
linkedin.com/showcase/hpe-technology-services/
hpe.com/pointnext
