Azure Arc offers various options for deploying the agent on your servers, whether they are virtual machines or physical servers. Before starting any Azure Arc project, it is crucial to discuss with the customer how to onboard the agent and set up the necessary processes. This task can be divided into two phases:
- Initial agent deployment
- New server provisioning process
This post shows how to install the agent through the Azure Automation Update Management feature.
Currently, there are several ways to deploy the agent:
- a service principal for large-scale deployments
- Azure Update Management for existing customers
- Az.ConnectedMachine PowerShell module for custom installations
- Desired State Configuration
- Script feature in Configuration Manager
- Group Policy
- Windows Admin Center
- Custom Task Sequence in Configuration Manager for large-scale deployments
As you see from this list, you have plenty of agent deployment methods. Pick and choose the one that suits you the best.
What is Azure Automation Update Management?
Azure Update Management is a cloud-based service that manages and deploys updates for Windows and Linux computers. It helps reduce the time and effort needed to keep systems up to date with the latest security patches, hotfixes, service packs, and more. With Update Management, IT administrators can easily discover which servers need to be updated, create deployment plans for rolling out those updates in an orderly way, review reports on patch compliance across their environment, and receive notifications when new updates become available. This provides a comprehensive solution for quickly and reliably keeping your systems secure while minimizing disruption to operations.
Update Management also integrates with Azure Log Analytics, storing all data in the same Workspace. This makes it easier for us to create Workbooks, Alerts, Automation, etc.
There are many customers who are using Azure Update Management today, and based on my experience, it is the easiest way to roll out the Azure Arc-Enabled Servers agent.
From the above screenshot, you can see that we have one server connected with Azure Update Management.
If you are already an experienced administrator around Azure Update Management, you have noticed that Microsoft uses the Patch-MicrosoftOMSComputers runbook for patching.
Microsoft fully manages this runbook, and you don't have any access to it. It is also a special and hidden runbook because it can run directly on your servers under the system Hybrid Runbook Worker. If you create a custom PowerShell runbook for yourself, you can't do the same: you can only run your runbooks on the Azure Automation Hybrid Runbook Workers that you have deployed and that belong to Runbook Worker groups.
Now with Azure Arc, Microsoft introduces another master runbook called Add-AzureConnectedMachines. Microsoft fully manages this runbook as well, and it can also run on your servers directly.
To deploy Azure Arc agent through Azure Update Management, you need the following:
- Azure Log Analytics Workspace
- Microsoft Monitoring Agent should be installed and configured on your servers
- Azure Automation Account
- Azure Update Management solution activated
- Automation Job Operator role permissions
- Permissions to create Service Principals
- Permissions to manage Resource Group / Subscription permissions
- Azure resource providers for Azure Arc enabled-servers
Before you continue, make sure to take some time and think through how many resource groups you want to create for Azure Arc servers. You can onboard all the servers into a single resource group or split them into multiple ones based on the administration model, location, services, etc. Moving Azure Arc resources to other resource groups later is also fully supported.
Before you onboard servers to Azure Arc, make sure to enable the following Azure resource providers on your subscription.
- Microsoft.AzureArcData (if you plan to Arc-enable SQL Servers)
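Resource provider registration is asynchronous and silently blocks onboarding when it is missing, so it is worth scripting the check instead of clicking through the portal. The following PowerShell is an added example and is not code from the original post. It registers the providers that Microsoft's prerequisites for Azure Arc-enabled servers name (Microsoft.HybridCompute, Microsoft.GuestConfiguration, Microsoft.HybridConnectivity) together with Microsoft.AzureArcData from the list above, and it assumes the Az.Resources module and an existing Connect-AzAccount session against the target subscription.

```powershell
# Added example (not from the original post): register the Azure resource
# providers that Azure Arc-enabled servers depend on and wait until each one
# reports "Registered". Assumes Az.Resources and a Connect-AzAccount session.
# Microsoft.AzureArcData is only needed if you plan to Arc-enable SQL Server.
$providers = @(
    'Microsoft.HybridCompute',      # the Arc connected machine resource itself
    'Microsoft.GuestConfiguration', # machine configuration / policy on Arc servers
    'Microsoft.HybridConnectivity', # connectivity features for Arc servers
    'Microsoft.AzureArcData'        # only for Arc-enabled SQL Server
)

# Get-AzResourceProvider returns one row per resource type; all rows of a
# namespace share the same RegistrationState, so the first one is enough.
function Get-ProviderState([string]$Namespace) {
    (Get-AzResourceProvider -ProviderNamespace $Namespace).RegistrationState |
        Select-Object -First 1
}

foreach ($ns in $providers) {
    $state = Get-ProviderState $ns
    if ($state -ne 'Registered') {
        Write-Host "Registering $ns (current state: $state)"
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

# Registration is asynchronous; poll until every provider is Registered
# or give up after ten minutes so the script cannot hang a pipeline.
$deadline = (Get-Date).AddMinutes(10)
do {
    $pending = foreach ($ns in $providers) {
        $state = Get-ProviderState $ns
        if ($state -ne 'Registered') { "$ns=$state" }
    }
    if ($pending) {
        Write-Host "Waiting for: $($pending -join ', ')"
        Start-Sleep -Seconds 15
    }
} while ($pending -and (Get-Date) -lt $deadline)

if ($pending) {
    throw "Resource provider registration did not complete: $($pending -join ', ')"
}
Write-Host 'All Azure Arc resource providers are registered.'
```

Run it once per subscription that will hold Arc resources; registering a provider needs a role with the /register/action permission (Contributor or Owner on the subscription), which is a separate permission from the Automation Job Operator role listed above.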
Azure Arc agent deployment through Update Management
Rolling out the Azure Arc Connected Machine Agent using the Update Management goes through the following process:
- Automatically creates a Microsoft Entra ID service principal, which it uses for authentication and onboarding. The main Azure Arc configuration panel lists all the service principals.
With the other agent deployment methods, you create service principals yourself through the portal, PowerShell, or the Azure CLI. In this case, everything is taken care of for you.
- Installs the Connected Machine Agent
- Onboards the server to Azure Arc service
You can install the Azure Arc-enabled server agent on one or multiple virtual machines or physical servers that use Windows or Linux operating systems. These machines may be on-premises or in another cloud environment but must be managed through Azure Automation Update Management.
Follow these steps to deploy the agent through Update Management to your hybrid machines. The steps should not trigger any reboots. If you have many servers, you can phase the rollout in multiple smaller groups.
- Open the Azure Portal (portal.azure.com) and search for Azure Arc
- On the Azure Arc panel, choose Add your infrastructure for free
- Select Servers
- On the Add servers with Azure Arc panel, select Add servers from Update Management
- On the Add servers from Update Management page, specify the following information:
b. Resource Group
e. Connectivity Method
- Public endpoint
- Proxy Server
- Private Endpoint
- On the Servers page, click +Add Servers and choose the servers you want to add
- On the Authentication page, choose Create a new service principal. If you instead choose to use an existing one, you need to select the service principal and enter its client secret.
- Specify the Tags
- Review the deployment information and click Add
These steps kick off the Add-AzureConnectedMachines runbook. For servers running a Windows Server operating system, you will see it execute the child runbook Add-AzureConnectedMachineWindows; if you also selected Linux servers, you will see the Add-AzureConnectedMachineLinux runbook. Both of these runbooks are executed under the system Hybrid Runbook Worker.
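Because the runbooks above are hidden and Microsoft-managed, the only evidence of what they did is the resulting Azure resources: the connected machine objects and the automatically created service principal from the process description earlier. The following PowerShell is an added example, not code from the original post or from the runbooks, that checks both: it confirms every server you selected in the wizard now exists as an Arc resource in a Connected state, and it lists the role assignments of the onboarding service principal so you can confirm it holds only the scope you intended. It assumes the Az.ConnectedMachine and Az.Resources modules, a Connect-AzAccount session, and uses placeholder values for the resource group, the service principal display name and the server list; the Status, AgentVersion and OSName property names come from the Az.ConnectedMachine module's machine object.

```powershell
# Added example (not from the original post): verify the outcome of the
# Add-AzureConnectedMachines runbook from the Azure side.
# Assumes Az.ConnectedMachine, Az.Resources and a Connect-AzAccount session.
$resourceGroup   = 'rg-arc-servers-PLACEHOLDER'     # placeholder: RG chosen in the wizard
$spDisplayName   = 'arc-onboarding-sp-PLACEHOLDER'  # placeholder: the auto-created onboarding SP
$expectedServers = @('srv01', 'srv02', 'srv03')     # constructed: servers selected in the wizard

# 1. Did every selected server appear as an Arc resource, and is it Connected?
$machines = Get-AzConnectedMachine -ResourceGroupName $resourceGroup
$report = foreach ($name in $expectedServers) {
    $m = $machines | Where-Object { $_.Name -ieq $name }
    [pscustomobject]@{
        Server       = $name
        Onboarded    = [bool]$m
        Status       = if ($m) { $m.Status }       else { 'missing' }
        AgentVersion = if ($m) { $m.AgentVersion } else { '-' }
        OS           = if ($m) { $m.OSName }       else { '-' }
    }
}
$report | Format-Table -AutoSize

# Anything not onboarded or not Connected goes into the next rollout batch
# or into troubleshooting of the agent / proxy settings on that server.
$problems = $report | Where-Object { -not $_.Onboarded -or $_.Status -ne 'Connected' }
if ($problems) {
    Write-Warning "Servers that need attention: $($problems.Server -join ', ')"
}

# 2. Least-privilege review of the onboarding service principal. It should be
#    scoped to the Arc resource group(s), not hold Owner/Contributor on the
#    subscription; the built-in 'Azure Connected Machine Onboarding' role
#    (from Azure's Arc documentation, not mentioned in the post) is the minimum.
$sp = Get-AzADServicePrincipal -DisplayName $spDisplayName
if (-not $sp) { throw "Service principal '$spDisplayName' not found" }
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope
$assignments | Format-Table -AutoSize

$broad = $assignments | Where-Object {
    $_.RoleDefinitionName -in @('Owner', 'Contributor') -and
    $_.Scope -notmatch '/resourceGroups/'
}
if ($broad) {
    Write-Warning "Onboarding SP holds a broad role above resource-group scope: $($broad.RoleDefinitionName -join ', ')"
}
```

The same report can be scheduled as a custom runbook on a user Hybrid Runbook Worker once the first batch is done, which gives you an ongoing check that agents stay Connected rather than a one-time snapshot after the rollout.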
There are two different types of Runbook Workers:
- User – Custom runbooks that you execute through Azure Automation Hybrid Runbook Workers. You can create your own Runbook Worker groups for different datacenters, etc. Each Runbook Worker group needs at least one virtual machine, which you can deploy through the Azure Arc extensions.
- System – Fully managed and hidden runbooks by Microsoft. These can be executed directly on the servers.