Enable Azure Automanage on an Azure Arc-enabled server using an ARM Template

The following Jumpstart scenario will guide you on how to onboard an Azure Arc-enabled server onto Azure Automanage, so you can follow best practices in reliability, security, and management for Azure Arc-enabled servers using Azure services such as Azure Update Management and Azure Monitor.

Azure Automanage removes the need to discover virtual machines manually and automatically onboards and configures certain services in Azure following best practices as defined in Microsoft Cloud Adoption Framework for Azure. Azure services included in Azure Automanage are:

By the end of this scenario, you will have an Azure Arc-enabled server with Azure Automanage enabled and configured following Microsoft Cloud Adoption Framework best practices for Dev/Test or Production environments.

NOTE: This guide assumes you already deployed VMs or servers that are running on-premises or in other clouds and have connected them to Azure Arc. If you haven’t, this repository offers you a way to do so in an automated fashion:

Prerequisites

  • As mentioned, this scenario starts at the point where you already deployed and connected VMs or bare-metal servers to Azure Arc. For this scenario we will be using a Google Cloud Platform (GCP) instance that has been already connected to Azure Arc and is visible as a resource in Azure.

    Screenshot of Azure Portal showing Azure Arc-enabled server

    Screenshot of Azure Portal showing Azure Arc-enabled server detail

  • Install or update Azure CLI. Azure CLI should be running version 2.7 or later. Use az --version to check your currently installed version.

  • Create Azure service principal (SP)

    To connect a VM or bare-metal server to Azure Arc, an Azure service principal assigned the “Contributor” role is required. To create it, log in to your Azure account and run the command below (this can also be done in Azure Cloud Shell).

    az login
    subscriptionId=$(az account show --query id --output tsv)
    az ad sp create-for-rbac -n "<Unique SP Name>" --role "Contributor" --scopes /subscriptions/$subscriptionId
    

    For example:

    az login
    subscriptionId=$(az account show --query id --output tsv)
    az ad sp create-for-rbac -n "JumpstartArc" --role "Contributor" --scopes /subscriptions/$subscriptionId
    

    Output should look like this:

    {
    "appId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "displayName": "JumpstartArc",
    "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "tenant": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    }
    

    NOTE: If you create multiple subsequent role assignments on the same service principal, your client secret (password) will be destroyed and recreated each time. Therefore, make sure you grab the correct password.

    NOTE: The Jumpstart scenarios are designed with as much ease of use in mind as possible while adhering to security-related best practices whenever possible. It is optional but highly recommended to scope the service principal to a specific Azure subscription and resource group, as well as considering the use of a less privileged service principal account.

Deployment Options and Automation Flow

This Jumpstart scenario provides multiple paths for deploying and configuring resources. Deployment options include:

  • Azure portal
  • ARM template via Azure CLI

To get familiar with the automation and deployment flow, below is an explanation.

  • User provides the ARM template parameter values, either via the portal or by editing the parameters file. These parameter values are used throughout the deployment.

  • User will run the ARM template at resource group level.

Deployment Option 1: Azure portal

  • Click the button and enter values for the ARM template parameters.

    Screenshot showing Azure portal deployment

    Screenshot showing Azure portal deployment

Deployment Option 2: ARM template with Azure CLI

  • In order to keep your local environment clean and untouched, we will use Azure Cloud Shell to run the ARM template.

    Screenshot showing Azure Cloud Shell

  • Clone the Azure Arc Jumpstart repository

    git clone https://github.com/microsoft/azure_arc.git
    
  • To run the automation, navigate to the deployment folder and edit the parameters file

    • machineName: Name of your Azure Arc-enabled server as it is shown in the Azure Portal.
    • configurationProfileName: refers to the environment of your Azure Arc-enabled server as Azure Automanage has different profiles. Values can be: “Production” or “DevTest”.

    Parameters

  • From the deployment folder run the below command:

      az deployment group create --resource-group <your_resource_group> --template-file automanage.json --parameters automanage.parameters.json
    

    Scripts output

    NOTE: For the script to work properly you must run this command from the deployment folder. The extra dot is needed because the shell script has an export function, and the variables need to be exported in the same shell session as the rest of the commands.

  • After the script has finished its run you will have Azure Automanage enabled. You should be able to see the Azure Arc-enabled server under ‘Automanage – Azure machine best practices’ with the Status set to ‘Configured’.

    Azure Automanage search Azure Arc-enabled server in Azure Automanage

    NOTE: It may take up to 30 minutes for the script to finish its run.
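The parameter-editing and deployment steps above, together with the prerequisite NOTE about scoping the service principal, as one added shell example (not code from the Jumpstart repository): it validates configurationProfileName against the two allowed values, builds the narrower resource-group scope for the service principal role assignment, writes automanage.parameters.json with the two parameters the template expects, and runs the deployment only when RUN_DEPLOY=1 after az login. The RG, MACHINE and PROFILE variables and the function names are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not part of the Azure Arc Jumpstart repository.
# automanage.json / automanage.parameters.json are the file names used in the
# scenario's deployment folder; RG, MACHINE and PROFILE are placeholders you set.

# Azure Automanage accepts only these two configuration profile names.
valid_profile() {
  case "$1" in
    Production|DevTest) return 0 ;;
    *) return 1 ;;
  esac
}

# Resource-group scope for the SP role assignment (narrower than the whole
# subscription used in the prerequisite example), as the NOTE recommends.
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Write the parameters file consumed by: az deployment group create ... --parameters
write_params() {
  machine="$1"; profile="$2"; out="$3"
  valid_profile "$profile" || {
    echo "configurationProfileName must be Production or DevTest, got '$profile'" >&2
    return 1
  }
  cat > "$out" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "machineName": { "value": "$machine" },
    "configurationProfileName": { "value": "$profile" }
  }
}
EOF
}

# Runs the resource-group level deployment; requires a prior az login.
deploy() {
  az deployment group create --resource-group "$1" \
    --template-file automanage.json --parameters "$2"
}

# Only touch Azure when explicitly asked, so the functions can be sourced/tested offline.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  write_params "${MACHINE:?set MACHINE}" "${PROFILE:-DevTest}" automanage.parameters.json
  deploy "${RG:?set RG}" automanage.parameters.json
fi
```

Run it as `RUN_DEPLOY=1 RG=<your_resource_group> MACHINE=<machineName> PROFILE=Production sh deploy.sh` from the deployment folder; without RUN_DEPLOY it only defines the helpers.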

Clean up environment

Complete the following steps to clean up your environment. To disable Azure Automanage you will use the Azure portal: go to the Automanage – Azure virtual machine best practices page that lists all of your auto-managed VMs, select the checkbox next to the Azure Arc-enabled server you want to disable from Automanage, then click the Disable automanagement button.

Disable Azure Automanage