Azure Arc-enabled Servers
Two day challenge hack going deeper on operations and management for Azure Arc-enabled servers.
Introduction
This is a two day hack to get you skilled up in the various aspects of using Azure Arc to onboard VMs outside of Azure and leverage the management plane and range of services to transform how you manage your hybrid estates.
The hack is used in the UK to enable partners and those partners will make use of Azure Passes with pre-created resources to accelerate the hack. You are absolutely free to reuse the content yourself as it is 100% public, including the repository used to create the “on prem” resources.
The hack is a challenge hack, so each section gives you a number of challenges to meet, plus a set of links for your reference. As you complete each section you will screen share with your proctor to confirm the success criteria have been met before moving on to the next section.
Content
Prereqs
Attending an Azure Arc for Management & Governance hack? If so then complete these first.
Scenario
Your customer, Wide World Importers, would like a small proof of concept before moving forward with a larger Azure Arc project. Get the background and their initial requirements.
Hack Overview
Brief overview covering the flow of labs within this hack.
Azure Landing Zone
Deploy a default Azure Landing Zone using the Bicep repo.
Arc Pilot resource group
Create a target resource group, plus a few resources and tag inheritance policies.
Azure Monitoring Agent
Summary of the switch from legacy agents (MMA, Dependency) to the Azure Monitor Agent. Enable VM Insights with the AMA.
Additional policy assignments
Explore some of the other built-in and custom policies for Azure Arc-enabled servers. Assign a few additional policies.
Access your on prem VMs
Check you can access your Windows and Linux on prem virtual machines. Plus additional info for Cloud Shell and Code Tunnels.
Create onboarding scripts
Create the Bash and PowerShell scripts for onboarding using the service principal.
Onboarding using scripts
Onboard your on prem VMs by running the Bash and PowerShell scripts created in the previous section with the service principal.
Inventory
Start simple with inventory. Customise the Azure Arc-enabled Servers view and then create a resource graph query that can go across subscriptions.
Monitoring
Configure the new Azure Monitor agent and Data Collection Rules. Optionally integrate with 'Microsoft Defender for Cloud' and Azure Sentinel.
SSH
Configure SSH for your Azure Arc-enabled Servers.
Windows Admin Center
Configure Windows Admin Center in the Azure Portal to manage on prem Windows servers.
Governance
Use Azure Policy and the Guest Configuration policy definitions to govern your on prem resources and prove compliance.
Custom Script Extension
The custom script extension opens up opportunities to automate PowerShell and Bash scripts at scale for both cloud and on prem servers.
Key Vault Extension
Rotating server certificates in a large estate has always been an administration hassle, so let this Key Vault extension do the heavy lifting for both Azure and Azure Arc-enabled VMs.
Managed Identity
Each connected machine has a system assigned managed identity. This lab will walk through using the REST API calls on your Arc-enabled servers to get challenge tokens and resource tokens, and then to access the ARM and PaaS API endpoints.
On Prem VMs
You will need some on premises servers to onboard and connect to Azure as part of the pilot. Create them on the platform of your choice, or spin them up in Azure using our Terraform repo.