Azure Arc-enabled servers connectivity behind a proxy server

The following Jumpstart scenario will guide you on how to configure your Azure Arc-enabled server if the machine uses a proxy server to communicate over the internet.

In this scenario, you will emulate a full proxy-client configuration. The scenario will deploy both the proxy server and a client that will be Arc-enabled automatically with the agent configured to use the proxy. The automation for the proxy server deployment makes sure that the Azure Arc network service tags and IP addresses range are not blocked. To complete this process you deploy a single ARM template that will:

  • Deploy two Azure Linux VMs:
    • Proxy Server.
    • Client VM.
  • Two network security groups:
    • Proxy Server NSG: allows inbound connections to port 22 and 3128 (proxy’s port).
    • Client VM NSG: denies all outbound connections and only allows inbound for SSH.
  • Each VM will have a custom script extension deployed:
    • Proxy Server: will have a script to deploy and configure Squid proxy.

    • Client VM: will use the custom script extension to install and configure the Connected Machine agent using the proxy connection.

      NOTE: It is not expected for an Azure VM to be projected as an Azure Arc-enabled server. The below scenario is unsupported and should ONLY be used for demo and testing purposes.

Prerequisites

  • Install or update Azure CLI. Azure CLI should be running version 2.36.0 or later. Use az --version to check your current installed version.

  • Azure Arc-enabled servers depends on the following Azure resource providers in your subscription in order to use this service. Registration is an asynchronous process, and registration may take approximately 10 minutes.

    • Microsoft.HybridCompute

    • Microsoft.GuestConfiguration

    • Microsoft.HybridConnectivity

      az provider register --namespace 'Microsoft.HybridCompute'
      az provider register --namespace 'Microsoft.GuestConfiguration'
      az provider register --namespace 'Microsoft.HybridConnectivity'
      

      You can monitor the registration process with the following commands:

      az provider show --namespace 'Microsoft.HybridCompute'
      az provider show --namespace 'Microsoft.GuestConfiguration'
      az provider show --namespace 'Microsoft.HybridConnectivity'
      

Deployment Options and Automation Flow

This Jumpstart scenario provides multiple paths for deploying and configuring resources. Deployment options include:

  • Azure portal
  • ARM template via Azure CLI

For you to get familiar with the automation and deployment flow, below is an explanation.

  1. User provides the ARM template parameters values, either via the portal or editing the parameters file. These parameter values are being used throughout the deployment.

  2. User deploys the ARM template at the resource group level.

  3. User logs in to the Client’s VM using SSH or Azure Bastion to trigger the Azure Arc onboarding script.

Deployment Option 1: Azure portal

  • Click the button and enter values for the the ARM template parameters.

    Screenshot showing Azure portal deployment

    Screenshot showing Azure portal deployment

Deployment Option 2: ARM template with Azure CLI

As mentioned, this deployment will leverage ARM templates.

  • Clone the Azure Arc Jumpstart repository

    git clone https://github.com/microsoft/azure_arc.git
    
  • Before deploying the ARM template, login to Azure using AZ CLI with the az login command.

  • The deployment will use an ARM template parameters file to customize your environment. Before initiating the deployment, edit the azuredeploy.parameters.json file located in your local cloned repository folder. Example parameters files are located here. Fill out the parameters according to your environment:

    • vmSize: Client and proxy server Azure VM size.
    • vmName: Client Azure VM name.
    • ProxyvmName: Proxy server Azure VM name.
    • adminUsername: Azure VMs admin username.
    • adminPassword: A password for Client and Server.
    • dnsLabelPrefix: DNS label for the Public IP address of the client.
    • proxydnsLabelPrefix: DNS label for the Public IP address of the server.
    • ProxysubnetName: Proxy subnet name.
    • subnetName: Client subnet name.
    • proxyNSG: Proxy NSG name.
    • vmNSG: Client NSG name.
    • subscriptionID: your Subscription ID.
    • servicePrincipalClient: Service Principal AppId.
    • servicePrincipalClientSecret: Service Principal password.
    • tenantID: your tenant ID.
    • resourceGroup: your resource group.
    • deployBastion: boolean, true or false if you want to deploy bastion to connect to the VMs.
    • bastionHostName: Azure Bastion Host name.
  • To deploy the ARM template, navigate to the local cloned deployment folder and run the below command.

    az group create --name <Name of the Azure resource group> --tags "Project=jumpstart_azure_arc_servers"
    az deployment group create \
    --resource-group <Resource Group Name> \
    --name <Deployment Name> \
    --template-file <The *azuredeploy.json* template file location> \
    --parameters <The *azuredeploy.parameters.json* parameters file location>
    

    NOTE: make sure that you are using the same Azure resource group name as the one you’ve just used in the azuredeploy.parameters.json file

    For example:

    az group create --name Arc-Proxy-Demo --tags "Project=jumpstart_azure_arc_servers" 
    az deployment group create \
    --resource-group Arc-Proxy-Demo \
    --name proxy \
    --template-uri https://raw.githubusercontent.com/microsoft/azure_arc/main/azure_arc_servers_jumpstart/proxy/azuredeploy.json \
    --parameters azuredeploy.example.parameters.json
    
  • Verify the resources are created on the Azure portal on the resource group:

    Resources created on resource group

Linux Login & Post Deployment

  • Now that the resources are created, it is time to connect to the client’s VM.

  • At first login, as mentioned in the “Automation Flow” section, a logon script will get executed. This script was created as part of the automated deployment process.

  • Let the script to run its course and do not close the shell session.

    NOTE: The script run time is ~1-2min long.

    Screenshot script output

  • Upon successful run, a new Azure Arc-enabled server will be added to the resource group.

    Screenshot Azure Arc-enabled server on resource group

Azure Arc-enabled server Proxy connectivity

To make sure that your Azure Arc-enabled server is using the proxy for its connection. Connect to the server and run the command below:

  sudo azcmagent.exe show

Screenshot Azure Arc-enabled server on resource group

Delete the deployment

The most straightforward way is to delete the resource groups:

Delete Resource Group