Building a hybrid governance solution using Azure Arc
A few years ago, all customers and partners I met with stated more or less the same introductory sentence: “We build hybrid solutions.” The implication was that every solution would use whatever the customer already had on-premises, and the extension would come from Office 365 (before Microsoft 365 was announced) and Azure. I would often ask what exactly the hybrid approach was, and what the need for it was. I don’t see hybrid Facebook, WhatsApp or New York Times subscription solutions, either. Is there a demand for this?
Fast forward to today, and we’re all semi-violently agreeing and nodding our heads that the cloud is here to stay. While on-premises is perhaps not growing at all anymore, it still has a meaningful and relevant role for a lot of organizations. I love running my local VMs, as they are relatively cheap and more than enough for my needs. When I move into production usage, I often migrate those solutions to Azure.
Late last year, Microsoft announced Azure Arc during Ignite 2019. In a nutshell, Azure Arc is a set of technologies allowing you to govern and manage services across environments. Today, it’s in public preview and you can try it out yourself, for free. Pricing is yet to be announced.
I set out to build a working hybrid governance solution using Azure Arc. Here’s how that went.
Provisioning my on-premises virtual machines
As Azure Arc currently supports managing and governing virtual machines, I need virtual machines. I’m running Hyper-V on top of Windows 10, so I provisioned two VMs to try out Azure Arc:
- 1 Ubuntu Linux VM using the Quick Create feature of Hyper-V
- 1 Windows Server 2019
Both VMs are patched, and relatively dull as they don’t have any real workloads.
Just to make this more fun, I also built the Site-to-Site VPN between my home network and Azure. You can review that setup here. I want to stress the fact that building the VPN is not required for Azure Arc to function properly.
Provisioning Azure Arc
Next, in the Azure Portal, I’ll build the actual Azure Arc implementation. Again, Microsoft made this simple and fun. In the Azure Marketplace you can find Azure Arc for servers (Preview), which lets you kick off the provisioning process.
You can choose to add machines individually (with a script), or at scale. Since I only have two VMs, I’ll add them interactively using a script.
You can define the VM type (Windows or Linux), and that’s mostly all there is to it.
Once you click Review + generate, you’ll get the provisioning script. For Windows, it’s a PowerShell script. For Linux, it’s a Bash shell script.
Once you run the script on your local VM, you’ll need to log in to Azure to confirm the provisioning. This is why the script is called interactive. For unattended provisioning, see the guidance here.
After a few minutes, Azure Arc should light up on the portal and show you the projected VMs from your on-premises environment.
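For the unattended variant mentioned above, here is an added wrapper around the Connected Machine agent that I wrote for this post; it is not the script the portal generates. It assumes the agent (azcmagent) is already installed on the VM and that a service principal with rights to onboard machines exists. The ARC_* environment variable names are my own convention; the azcmagent flags are the documented ones. The point of the wrapper is that the service principal secret is read from the environment and masked in any logged command line, and that missing values fail loudly instead of producing a half-configured machine.

```shell
#!/usr/bin/env bash
# Unattended onboarding of a server into Azure Arc with the Connected Machine
# agent (azcmagent). Added example, not the portal-generated script.
# Assumptions: azcmagent is installed, a service principal exists, and the
# ARC_* variables (names chosen for this example) are set in the environment
# so the secret never lands in the script file or shell history.

# Verify every required variable is set; name the missing ones on stderr.
check_arc_env() {
  missing=""
  for v in ARC_SP_ID ARC_SP_SECRET ARC_TENANT_ID ARC_SUBSCRIPTION_ID \
           ARC_RESOURCE_GROUP ARC_LOCATION; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "missing environment variables:$missing" >&2
    return 1
  fi
  return 0
}

# Print the connect command with the secret masked, suitable for logs/review.
arc_connect_cmd() {
  printf 'azcmagent connect --service-principal-id %s --service-principal-secret %s --tenant-id %s --subscription-id %s --resource-group %s --location %s\n' \
    "$ARC_SP_ID" '***' "$ARC_TENANT_ID" "$ARC_SUBSCRIPTION_ID" \
    "$ARC_RESOURCE_GROUP" "$ARC_LOCATION"
}

# Run the real onboarding; returns 1 on missing config, 2 if the agent is absent.
arc_connect() {
  check_arc_env || return 1
  command -v azcmagent >/dev/null 2>&1 || { echo "azcmagent not installed" >&2; return 2; }
  echo "Running: $(arc_connect_cmd)"
  azcmagent connect \
    --service-principal-id "$ARC_SP_ID" \
    --service-principal-secret "$ARC_SP_SECRET" \
    --tenant-id "$ARC_TENANT_ID" \
    --subscription-id "$ARC_SUBSCRIPTION_ID" \
    --resource-group "$ARC_RESOURCE_GROUP" \
    --location "$ARC_LOCATION"
}

# Only connect when explicitly asked (ARC_RUN=1), so sourcing the file for
# its functions has no side effects.
if [ "${ARC_RUN:-0}" = "1" ]; then
  arc_connect
fi
```

Run it as `ARC_RUN=1 ./arc-onboard.sh` after exporting the six ARC_* variables from your secret store of choice; a machine onboarded this way shows up in the portal exactly like the interactively provisioned ones.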
(I couldn’t find a straightforward way to rename my Windows VM after provisioning it in Azure Arc – that’s why it shows as WIn-3Qblah-blah-blah).
What can I do with Azure Arc now, then? Well, I can govern them with Azure Policies. Opening Operations > Policies, I can now push pre-defined policies from Azure down to the VM I have running at home. I’ve chosen three policies to push to the Windows VM:
Admittedly, the first policy is not really relevant but it was a left-over policy from one of my Azure Governance demos from 2019. The two other policies are relevant, as they automatically deploy the Azure Log Analytics agent on VMs – and thus I can receive monitoring data from the VMs back to Azure.
In summary
Azure Arc is very easy to get started with. The benefits it brings will be exciting down the road, as organizations can build a true hybrid governance and management solution using minimal effort. This also means that the transition from older management solutions, such as Group Policy Objects with Active Directory, might require a hard look as they are not compatible with Azure Arc as such.