WTH is Azure Arc

One of the most significant announcements from the Microsoft Ignite conference this week was the preview of Azure Arc. Azure Arc is a brand new service, with a not very descriptive name, so well deserving of a WTH article!

What is Azure Arc

First off, Azure Arc is all about hybrid and multi-cloud, so if your resources are purely located in Azure, it may not interest you that much.

Azure Arc is an Azure product that lets you extend the Azure management plane into your on-premises locations, as well as into other clouds. At launch, it supports managing virtual machines (both Windows and Linux) and Kubernetes clusters. Using Arc, you can manage VM's and Kubernetes that are located in your on-premises data centres and other clouds, including AWS and Google Cloud. This service is similar to Googles Anthos service, but without the high price tag (Arc is currently free).

Using Azure Arc, you can manage these resource like they were in Azure. This includes:

  • Managing resources through the Azure portal
  • Apply Azure RBAC to these resources
  • Apply Azure Policy to these resources
  • Monitor these resources with Log Analytics and Security Centre
  • Audit with Azure Activity Logs
  • Query with Azure Resource Graph

Azure Arc also provides the platform for a second service, Hybrid Data Services. This service allows you to take the machines you have registered with Arc and run Azure Data Services on them. At present this supports running Azure SQL and PostgreSQL on your non-azure servers.

Arc

How does Azure Arc Work

Arc works by running an agent on your non-azure resources; this is a service on VM's and a Kubernetes pod on Kubernetes cluster. Once you install this service, the machine registers with Azure and is ready for management.

Support & Pre-requisites

To use Arc, you first need to be running a supported OS, for VMs this is:

  • Windows Server 2012 R2 and newer
  • Ubuntu 16.04 and 18.04

To allow the agent to communicate with Azure, the VMs will need outbound connectivity on port 443 (SSL) to Azure. The full list of addresses it needs to connect to can be found here .

VM Setup

We are going to onboard a VM running in AWS to be managed from Azure. The first thing we do is go to the Azure Arc page in the Azure Portal. VM management is in public preview, so this should be available to all.

We click the button to "create machine", and the next page asks how we want to onboard the machines. We have the option of either doing this manually using a script or using automation to bulk add lots of devices. As we are only doing a single machine, we will do this manually.

Add VM

When we press the "Generate script" button, we need to supply some details about where this VM should sit once imported, which subscription, resource group and region. We also need to select an OS.

Create Script

If the VM we want to onboard needs to access the internet through a proxy, we can supply these details; then we can provide any tags that need to be assigned to the VM.

On the last page, if you have not enabled the preview, you will be asked to register, this registers the Azure Arc Providers in your subscription. Make sure you do this and wait several minutes for it to onboard.

Register Preview

At the bottom of the page, you will see that Azure has generated a script specifically for your subscription, which you can run on the machine you want to onboard. Download or copy this script.

Script

Now we have this script; we can go ahead and run it on our VM. This script will go out and download the Azure Arc agent onto the machine, install it and then connect to Azure to register the VM. When you run the azcmagent connect command, you will be prompted to log in to Azure using the device login; this authenticates you to Azure to register. If you don't want to do this manually, you can look at the bulk addition option which uses a service principal.

The commands should complete and show as registered. If we go back to the Arc page in the Azure portal and go to "manage servers", we should now see our new machine connected and ready for use.

Managed Server

Managing Machines

Now that we have onboarded a machine and we can see it in the portal, if we click on this object, it will take us to the machine management page. Here we can follow the standard Azure processes to manage the VM. This includes applying RBAC, applying policy and viewing logs.

Manage Machine

Why would I want to use Azure Arc

Azure Arc is aimed at clients who have machines outside of Azure that they need to manage, and who have already invested in Azure as their primary cloud. If you have already set up RBAC and Policies in Azure, then being able to apply these to external machines could make your governance and security much more consistent and easier to manage.

Extending beyond VMs into Kubernetes also means that Azure Arc can help you manage policies across your Kubernetes estate, enforcing best practice.

The ability to include machines in Log Analytics, security centre and have activity logs also means you can get your logs and audit all in one place, in a consistent format.

By adding your external resources into Azure, you also gain the ability to manage them in Azure, both through the portal, but perhaps more importantly, through the REST API, PowerShell and CLI.

Finally, if you want to take advantage of being able to run other Azure resources such as Azure SQL, outside of Azure, then Arc will provide the platform for doing so.

What issues does Azure Arc have?

The most apparent issue with Arc currently is that it is in preview, and the Kubernetes and Data Services part is in private preview. If you want to use the private preview options, then you can sign up here. At the time of writing this, the preview of Arc isn't even a week old; it's likely that we haven't yet found all the issues and limitations of this service. If you want to start using this now, you should be very aware of its preview status.

The current preview also only supports VMs and Kubernetes, so if you are looking for management of other resources like web applications, serverless etc. then you will need to wait and hope that is added.

The Arc agent does require outbound connectivity to Azure over port 443. If this traffic is blocked from your servers, then you won't be able to manage the machines in Arc until this is open.