Deploy a GCP Ubuntu instance and connect it to Azure Arc using a Terraform plan

The following Jumpstart scenario will guide you on how to use the provided Terraform plan to deploy an Ubuntu Server GCP virtual machine and connect it as an Azure Arc-enabled server resource.


  • Clone the Azure Arc Jumpstart repository

    git clone
  • Install or update Azure CLI to version 2.36.0 and above. Use the below command to check your current installed version.

    az --version
  • Generate SSH Key (or use existing ssh key)

  • Create free Google Cloud account

  • Install Terraform >=1.1.9

  • Google Cloud account with billing enabled - Create a free trial account. To create Windows Server virtual machines, you must upgraded your account to enable billing. Click Billing from the menu and then select Upgrade in the lower right.

    Screenshot showing how to enable billing on GCP account

    Screenshot showing how to enable billing on GCP account

    Screenshot showing how to enable billing on GCP account

    Disclaimer - To prevent unexpected charges, please follow the “Delete the deployment” section at the end of this README

  • Create Azure service principal (SP)

    To connect the GCP virtual machine to Azure Arc, an Azure service principal assigned with the “Contributor” role is required. To create it, login to your Azure account run the below command (this can also be done in Azure Cloud Shell).

    az login
    subscriptionId=$(az account show --query id --output tsv)
    az ad sp create-for-rbac -n "<Unique SP Name>" --role "Contributor" --scopes /subscriptions/$subscriptionId

    For example:

    az login
    subscriptionId=$(az account show --query id --output tsv)
    az ad sp create-for-rbac -n "JumpstartArc" --role "Contributor" --scopes /subscriptions/$subscriptionId

    Output should look like this:

    "displayName": "JumpstartArc",

    NOTE: If you create multiple subsequent role assignments on the same service principal, your client secret (password) will be destroyed and recreated each time. Therefore, make sure you grab the correct password.

    NOTE: The Jumpstart scenarios are designed with as much ease of use in-mind and adhering to security-related best practices whenever possible. It is optional but highly recommended to scope the service principal to a specific Azure subscription and resource group as well considering using a less privileged service principal account

  • Azure Arc-enabled servers depends on the following Azure resource providers in your subscription in order to use this service. Registration is an asynchronous process, and registration may take approximately 10 minutes.

    • Microsoft.HybridCompute

    • Microsoft.GuestConfiguration

    • Microsoft.HybridConnectivity

      az provider register --namespace 'Microsoft.HybridCompute'
      az provider register --namespace 'Microsoft.GuestConfiguration'
      az provider register --namespace 'Microsoft.HybridConnectivity'

      You can monitor the registration process with the following commands:

      az provider show --namespace 'Microsoft.HybridCompute'
      az provider show --namespace 'Microsoft.GuestConfiguration'
      az provider show --namespace 'Microsoft.HybridConnectivity'

Automation Flow

For you to get familiar with the automation and deployment flow, below is an explanation.

  1. User creates and configures a new GCP project along with a Service Account key which Terraform will use to create and manage resources

  2. User edits the tfvars to match the environment.

  3. User runs terraform init to download the required terraform providers

  4. User runs the automation. The terraform plan will:

    • Create a Windows Server VM in GCP
    • Create an Azure Resource Group
    • Install the Azure Connected Machine agent by executing a PowerShell script when the VM is first booted. Optionally a semi-automated deployment is provided if you want to demo/control the actual registration process.
  5. User verifies the VM is create in GCP and the new Azure Arc-enabled resource in the Azure portal.

Create a new GCP Project

  • Browse to and login with your Google Cloud account. Once logged in, create a new project named “Azure Arc Demo”. After creating it, be sure to copy down the project id as it is usually different than the project name.

    Screenshot of GCP Cloud console create project screen

    Screenshot of GCP cloud new project screen

  • Once the new project is created and selected in the dropdown at the top of the page, you must enable Compute Engine API access for the project. Click on “Enable APIs and Services” and search for “Compute Engine”. Then click Enable to enable API access.

    Screenshot of GCP console showing enabling Compute Engine API

    Screenshot of GCP console showing enabling Compute Engine API

  • Next, set up a service account key, which Terraform will use to create and manage resources in your GCP project. Go to the create service account key page. Select “New Service Account” from the dropdown, give it a name, select Project then Owner as the role, JSON as the key type, and click Create. This downloads a JSON file with all the credentials that will be needed for Terraform to manage the resources. Copy the downloaded JSON file to the azure_arc_servers_jumpstart/gcp/ubuntu/terraform directory.

    Screenshot of GCP cloud console showing creation of service account

    Screenshot of GCP cloud console showing creation of service account

  • Finally, make sure your SSH keys are available in ~/.ssh and named and id_rsa. If you followed the ssh-keygen guide above to create your key then this should already be setup correctly. If not, you may need to modify to use a key with a different path.


The only thing you need to do before executing the Terraform plan is to create the tfvars file which will be used by the plan. This is based on the Azure service principal you’ve just created and your subscription.

  • Navigate to the terraform folder and fill in the terraform.tfvars file with the values for your environment.

  • Run the terraform init command which will download the required terraform providers.

    Screenshot showing terraform init being run

  • Next, run the terraform apply --auto-approve command and wait for the plan to finish. Upon completion, you will have a GCP Ubuntu VM deployed and connected as a new Azure Arc-enabled server inside a new resource group.

  • Open the Azure portal and navigate to the resource group “Arc-GCP-Demo”. The virtual machine created in GCP will be visible as a resource.

    Screenshot of Azure Portal showing Azure Arc-enabled server

Semi-Automated Deployment (Optional)

  • As you may have noticed, the last step of the run is to register the VM as a new Azure Arc-enabled server resource.

    Screenshot showing azcmagent connect script

  • If you want to demo/control the actual registration process, do the following:

  • In the script template, comment out the “Run connect command” section and save the file.

    Screenshot showing azcmagent connect commented out

  • Get the public IP of the GCP VM by running terraform output

    Screenshot showing terraform output

  • SSH the VM using the ssh arcdemo@x.x.x.x where x.x.x.x is the host ip.

  • Provide values to the environment variables to match your environment in the file Export the variables by copying and pasting the contents of the file

    Screenshot showing export of environment variables from

  • Run the following command:

    sudo azcmagent connect \
        --service-principal-id "${appId}" \
        --service-principal-secret "${appPassword}" \
        --tenant-id "${tenantId}" \
        --subscription-id "${subscriptionId}" \
        --location "${location}" \
        --resource-group "${resourceGroup}" \
        --resource-name $HOSTNAME \
        --correlation-id "d009f5dd-dba8-4ac7-bac9-b54ef3a6671a"

    Screenshot of azcmagent connect being run

  • When complete, your VM will be registered with Azure Arc and visible in the resource group inside Azure Portal.

Delete the deployment

To delete all the resources you created as part of this demo use the terraform destroy --auto-approve command as shown below.

Screenshot of terraform destroy being run

Alternatively, you can delete the GCP VM directly from GCP Console.

Screenshot of deleting VM from GCP cloud console