Azure Arc-enabled servers lets you manage Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud provider. This management experience is designed to be consistent with how you manage native Azure virtual machines, using standard Azure constructs such as Azure Policy and applying tags.
When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID enabling the machine to be included in a resource group.
To connect hybrid machines to Azure, you install the Azure Connected Machine agent on each machine. This agent does not replace the Azure Log Analytics agent / Azure Monitor Agent. The Log Analytics agent or Azure Monitor Agent for Windows and Linux is required in order to:
Proactively monitor the OS and workloads running on the machine
Manage it using Automation runbooks or solutions like Update Management
Use other Azure services like Microsoft Defender for Cloud
You can install the Connected Machine agent manually, or on multiple machines at scale, using the deployment method that works best for your scenario.
Azure Arc Benefits
One of the biggest upsides to using Azure Arc is that all resources associated/registered with Azure Arc send data to the main, cloud-based Azure Manager. This consolidates the information in a succinct and useful manner. Enterprises can guarantee compliance of resources registered with Azure Arc no matter where they are deployed. This leads to quick problem-solving and less time lost.
Azure Arc can also be used to take care of the smallest to most complex maintenance operations across all forms of the cloud. For example, it can help to manage security and governance and on the other hand, it can also manage updating the operating systems for your servers, a tedious task.
Customers also benefit from all the aforementioned key features of Azure. They can manage resources within or outside of Azure through one consolidated control plane.
Supported cloud operations
When you connect your machine to Azure Arc-enabled servers, you can perform many operational functions, just as you would with native Azure virtual machines. Below are some of the key supported actions for connected machines.
Govern
Assign Azure Policy guest configurations to audit settings inside the machine. To understand the cost of using Azure Policy Guest Configuration policies with Arc-enabled servers, see Azure Policy pricing guide.
Protect
Protect non-Azure servers with Microsoft Defender for Endpoint, included through Microsoft Defender for Cloud, for threat detection, for vulnerability management, and to proactively monitor for potential security threats. Microsoft Defender for Cloud presents the alerts and remediation suggestions from the threats detected.
Use Microsoft Sentinel to collect security-related events and correlate them with other data sources.
Configure
Use Azure Automation for frequent and time-consuming management tasks using PowerShell and Python runbooks. Assess configuration changes for installed software, Microsoft services, Windows registry and files, and Linux daemons using Change Tracking and Inventory
Use Update Management to manage operating system updates for your Windows and Linux servers. Automate onboarding and configuration of a set of Azure services when you use Azure Automanage (preview).
Perform post-deployment configuration and automation tasks using supported Arc-enabled servers VM extensions for your non-Azure Windows or Linux machine.
Monitor
Monitor operating system performance and discover application components to monitor processes and dependencies with other resources using VM insights.
Collect other log data, such as performance data and events, from the operating system or workloads running on the machine with the Log Analytics agent. This data is stored in a Log Analytics workspace.
Supported regions
For a list of supported regions with Azure Arc-enabled servers, see the Azure products by region page.
In most cases, the location you select when you create the installation script should be the Azure region geographically closest to your machine's location. Data at rest is stored within the Azure geography containing the region you specify, which may also affect your choice of region if you have data residency requirements. If the Azure region your machine connects to is affected by an outage, the connected machine is not affected, but management operations using Azure may be unable to complete. If there is a regional outage, and if you have multiple locations that support a geographically redundant service, it is best to connect the machines in each location to a different Azure region.
Instance metadata information about the connected machine is collected and stored in the region where the Azure Arc machine resource is configured, including the following:
Operating system name and version
Computer name
Computer fully qualified domain name (FQDN)
Connected Machine agent version
For example, if the machine is registered with Azure Arc in the East US region, the metadata is stored in the US region.
Supported environments
Azure Arc-enabled servers support the management of physical servers and virtual machines hosted outside of Azure. For specific details about supported hybrid cloud environments hosting VMs
Agent status
The status for a connected machine can be viewed in the Azure portal under Azure Arc > Servers.
The Connected Machine agent sends a regular heartbeat message to the service every five minutes. If the service stops receiving these heartbeat messages from a machine, that machine is considered offline, and its status will automatically be changed to Disconnected within 15 to 30 minutes. Upon receiving a subsequent heartbeat message from the Connected Machine agent, its status will automatically be changed back to Connected.
If a machine remains disconnected for 45 days, its status may change to Expired. An expired machine can no longer connect to Azure and requires a server administrator to disconnect and then reconnect it to Azure to continue managing it with Azure Arc. The exact date upon which a machine will expire is determined by the expiration date of the managed identity's credential, which is valid up to 90 days and renewed every 45 days.
Service limits
Azure Arc-enabled servers has a limit for the number of instances that can be created in each resource group. It does not have any limits at the subscription or service level.
Data residency
Azure Arc-enabled servers doesn't store/process customer data outside the region the customer deploys the service instance in.