What are the core management and governance capabilities of Azure Arc-enabled servers?
- 8 minutes
Azure Arc allows you to extend the scope of several Azure services so you can use them with non-Azure Windows and Linux servers. This helps companies like Contoso to standardize their management strategy when operating in hybrid scenarios. In this unit, you'll learn about some of the key capabilities of Azure Arc-enabled servers.
What are the core resource management capabilities of Azure Arc-enabled servers?
Connecting your non-Azure Windows and Linux servers to Azure through Azure Arc provides you with a range of resource management capabilities. These capabilities include:
The ability to organize all organizational resources by using Azure management groups, subscriptions, resource groups, and tags.
A single, comprehensive inventory of assets across multiclouds and on-premises, including support for searching and indexing by using Azure Resource Graph.
A consolidated view of both Azure and Azure Arc-enabled resources via the Azure portal, Azure Command Line Interface (CLI), Azure PowerShell, or REST API.
Direct access from the Azure portal to many of the management features of Azure Arc-enabled servers:
- Azure Policy guest configuration to audit operating system and software configuration.
- A Microsoft Entra system-assigned managed identity for apps running on the server to use when authenticating to other Azure services.
- VM extensions to deploy software agents and run scripts on your servers.
- Role-based access control (RBAC) to control which users in your organization can access and manage servers.
For example, you can view a server's Access control (IAM) settings in the Azure portal. In this pane, you can view and manage who has access to the server and what permissions they have.
What are VM extensions and how are they used with Azure Arc-enabled servers?
VM extensions are lightweight software components that enable added functionality. Azure Arc-enabled servers supports many types of extensions. The following table describes a few of the extensions that you can add to Azure Arc-enabled servers running Windows Server or Linux operating system:
| Extension | Description |
|---|---|
| Azure Monitor agent | Configures the server to forward logs to a Log Analytics workspace, and enables various Azure scenarios |
| Azure Key Vault | Synchronizes certificates from an Azure Key Vault instance to the Arc-enabled server. |
| Custom Script Extension | Downloads and runs scripts on the target Arc-enabled server. |
| Azure Automation Hybrid Runbook Worker extension | Enables Azure Automation runbooks to run on the Arc-enabled server. |
What is Azure Policy and how is it used for Azure Arc-enabled server governance?
Azure Policy is a service that can help organizations manage and evaluate internal and regulatory compliance of their Arc-enabled servers, in addition to other Azure resources. Azure Policy uses declarative rules based on properties of target resource types, including Windows and Linux operating systems.
For example, Contoso could use Azure Policy to implement the following rules:
- Assign a specific tag to resources representing Arc-enabled servers during their registration.
- Identify Arc-enabled servers running Windows with Windows Defender Exploit Guard disabled.
- Identify Arc-enabled servers running Windows that aren't joined to a specific Active Directory Domain Services (AD DS) domain.
- Identify Arc-enabled servers running Windows or Linux without Azure Monitor Agent installed.
- Identify Arc-enabled servers running Linux that aren't using SSH keys for authentication.
Note
Policies that support remediation don't evaluate the policy logic inside the operating system of the Azure Arc-enabled server, but instead rely on Azure resource metadata. Examples of such policies include enforcing tag compliance or deploying VM extensions.
Contoso can create policy definitions that include the rules it wants to implement. Then, administrators can assign these definitions to Azure resource groups, subscriptions, or management groups. The policies apply to all resources within the assigned scope, including Azure Arc-enabled servers.
Contoso can manage and assign Azure policies via a number of methods, including directly from the Azure portal.
After a policy assignment is created, you can review compliance details for the target Azure Arc-enabled servers.
Additionally, Azure Policy's machine configuration feature lets you audit or configure operating system settings as code for machines, including Arc-enabled servers. Configurations can include settings for operating systems, applications, and environment. They can be applied dynamically or to individual servers.
What are the benefits of Azure Update Manager in hybrid scenarios?
Azure Update Manager is a unified service to help manage and govern updates for all your hybrid machines, including hybrid machines. You can monitor Windows and Linux update compliance across your hybrid machines from a single pane of management. You can also use Update Manager to make real-time updates or schedule them within a defined maintenance window.
Azure Update Manager allows you to:
- Instantly check for updates or deploy security or critical updates to help secure your hybrid machines.
- Enable periodic assessment to check for the latest updates available for your hybrid machines.
- Use flexible patching options like customer-defined maintenance schedules and hotpatching.
- Build custom reporting dashboards for reporting update status and configure alerts for certain conditions.
- Oversee update compliance for all your hybrid machines.
Choose the best response for each of the following questions.