Enable Azure Automanage on Azure Arc-enabled servers using an ARM Template
The following Jumpstart scenario will guide you on how to onboard an Azure Arc-enabled server onto Azure Automanage, so you can follow best practices in reliability, security, and management for Azure Arc-enabled servers using Azure services such as Azure Update Management and Azure Monitor.
Azure Automanage removes the need to discover virtual machines manually and automatically onboards and configures certain services in Azure following best practices as defined in Microsoft Cloud Adoption Framework for Azure. Azure services included in Azure Automanage are:
- Microsoft Antimalware
- Change Tracking & Inventory
- Update Management
- Machines Insights Monitoring
- Azure Guest Configuration
- Azure Automation Account
- Log Analytics workspace
By the end of this scenario, you will have an Azure Arc-enabled server with Azure Automanage enabled and configured following Microsoft Cloud Adoption Framework best practices for Dev/Test or Production environments.
NOTE: This guide assumes you already deployed VMs or servers that are running on-premises or in other clouds and have connected them to Azure Arc. If you haven’t, this repository offers you a way to do so in an automated fashion:
- Azure Stack HCI Windows VM
- GCP Ubuntu instance
- GCP Windows instance
- AWS Ubuntu EC2 instance
- AWS Amazon Linux 2 EC2 instance
- Azure Ubuntu VM
- Azure Windows VM
- VMware vSphere Ubuntu VM
- VMware vSphere Windows Server VM
- Vagrant Ubuntu box
- Vagrant Windows box
Prerequisites
- As mentioned, this scenario starts at the point where you already deployed and connected VMs or bare-metal servers to Azure Arc. For this scenario we will be using a Google Cloud Platform (GCP) instance that has already been connected to Azure Arc and is visible as a resource in Azure.
- Install or update Azure CLI. Azure CLI should be running version 2.7 or later. Use
  az --version
  to check your currently installed version.
- Create an Azure service principal (SP)
To connect a VM or bare-metal server to Azure Arc, an Azure service principal assigned the “Contributor” role is required. To create it, log in to your Azure account and run the commands below (this can also be done in Azure Cloud Shell).
az login
subscriptionId=$(az account show --query id --output tsv)
az ad sp create-for-rbac -n "<Unique SP Name>" --role "Contributor" --scopes /subscriptions/$subscriptionId
For example:
az login
subscriptionId=$(az account show --query id --output tsv)
az ad sp create-for-rbac -n "JumpstartArc" --role "Contributor" --scopes /subscriptions/$subscriptionId
Output should look like this:
{
  "appId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "displayName": "JumpstartArc",
  "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "tenant": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
NOTE: If you create multiple subsequent role assignments on the same service principal, your client secret (password) will be destroyed and recreated each time. Therefore, make sure you grab the correct password.
NOTE: The Jumpstart scenarios are designed with as much ease of use in mind as possible while adhering to security-related best practices whenever possible. It is optional but highly recommended to scope the service principal to a specific Azure subscription and resource group, as well as to consider using a less privileged service principal account.
Deployment Options and Automation Flow
This Jumpstart scenario provides multiple paths for deploying and configuring resources. Deployment options include:
- Azure portal
- ARM template via Azure CLI
To get familiar with the automation and deployment flow, here is an explanation.
- The user provides the ARM template parameter values, either via the portal or by editing the parameters file. These parameter values are used throughout the deployment.
- The user runs the ARM template at resource group level.
Deployment Option 1: Azure portal
Deployment Option 2: ARM template with Azure CLI
- In order to keep your local environment clean and untouched, we will use Azure Cloud Shell to run the ARM template.
- Clone the Azure Arc Jumpstart repository
  git clone https://github.com/microsoft/azure_arc.git
- To run the automation, navigate to the deployment folder and edit the parameters file:
  - machineName: name of your Azure Arc-enabled server as it is shown in the Azure Portal.
  - configurationProfileName: refers to the environment of your Azure Arc-enabled server, as Azure Automanage has different profiles. Values can be: “Production” or “DevTest”.
- From the deployment folder run the below command:
  az deployment group create --resource-group <your_resource_group> --template-file automanage.json --parameters automanage.parameters.json
  NOTE: For the script to work properly you must run this command from the deployment folder. The extra dot is because the shell script has an export function and needs the variables exported in the same shell session as the rest of the commands.
- After the script has finished its run you will have Azure Automanage enabled. You should be able to see the Azure Arc-enabled server under ‘Automanage – Azure machine best practices’ with the Status set to ‘Configured’.
  NOTE: It may take up to 30 minutes for the script to finish its run.
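The deployment steps above leave two things to the reader: writing the parameters file by hand and checking the result in the portal. The script below is an added example, not code from the Azure Arc Jumpstart repository; it validates configurationProfileName against the two values the scenario allows before anything is written, generates automanage.parameters.json for the machineName and profile you pass in, runs the same az deployment group create command, and then reads the assignment back from the CLI instead of the portal. It assumes automanage.json in the deployment folder accepts the two parameters named in this scenario, and that the template creates a Microsoft.Automanage/configurationProfileAssignments resource named "default" under the Arc-enabled machine (the resource id used in the final az resource show call is built on that assumption).

```shell
#!/usr/bin/env bash
# Added example (not part of the Azure Arc Jumpstart repository): write the ARM
# parameters file, deploy it at resource-group scope, and verify the Automanage
# assignment from the CLI. Assumes automanage.json accepts machineName and
# configurationProfileName, as described in the scenario.
set -euo pipefail

# Environment profiles the scenario allows for configurationProfileName.
ALLOWED_PROFILES="Production DevTest"

# Returns 0 when the profile is one of the allowed values, 1 otherwise.
valid_profile() {
    local profile="$1" p
    for p in $ALLOWED_PROFILES; do
        [ "$p" = "$profile" ] && return 0
    done
    return 1
}

# Writes an ARM parameters file. Arguments: output path, Arc-enabled server
# name (as shown in the portal), profile name. Fails before writing anything
# if the profile is invalid, so a typo never reaches the deployment.
write_parameters_file() {
    local out="$1" machine="$2" profile="$3"
    valid_profile "$profile" || {
        echo "invalid configurationProfileName: $profile (use Production or DevTest)" >&2
        return 1
    }
    cat > "$out" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "machineName": { "value": "$machine" },
    "configurationProfileName": { "value": "$profile" }
  }
}
EOF
}

# Runs the scenario's deployment, then prints the profile recorded on the
# assignment resource. The resource id is an assumption about what the
# template creates: a configurationProfileAssignments child named "default"
# under the Microsoft.HybridCompute/machines resource. Run from the
# deployment folder, as the scenario requires.
deploy_automanage() {
    local rg="$1" machine="$2" profile="$3" sub
    sub=$(az account show --query id --output tsv)
    write_parameters_file automanage.parameters.json "$machine" "$profile"
    az deployment group create \
        --resource-group "$rg" \
        --template-file automanage.json \
        --parameters automanage.parameters.json
    az resource show \
        --ids "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.HybridCompute/machines/$machine/providers/Microsoft.Automanage/configurationProfileAssignments/default" \
        --query "properties.configurationProfile" --output tsv
}

# Only talk to Azure when explicitly asked, e.g. (hypothetical names):
#   DEPLOY=1 ./enable-automanage.sh Arc-Demo-RG Arc-GCP-Demo Production
if [ "${DEPLOY:-0}" = "1" ]; then
    deploy_automanage "$1" "$2" "$3"
fi
```

Without DEPLOY=1 the script only defines the functions, so you can source it and call write_parameters_file on its own to produce the file the scenario tells you to edit; the validation step is what makes the difference in practice, since az deployment group create would otherwise report the bad profile value only after the template has been submitted.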
Clean up environment
Complete the following steps to clean up your environment.
- To disable Azure Automanage, use the Azure portal: go to the ‘Automanage – Azure virtual machine best practices’ page that lists all of your auto-managed VMs. Select the checkbox next to the Azure Arc-enabled server you want to disable from Automanage, then click the Disable automanagement button.
- Remove the virtual machines from each environment by following the teardown instructions from each guide.