Azure Arc Enable Everything!

When I first heard Microsoft talk about Azure Arc, the vision for hybrid IT sounded interesting, but technical details were thin on the ground. Fast forward to now and there are so many different technologies that can be connected via Azure Arc it's hard to keep up.

This article builds on two earlier ones, here and here, but a lot has happened since April 2021.

I'm going to cover what Azure Arc is, how it can fit into your overall IT strategy, and your cyber security resilience, plus looking at some exciting new areas where there are public previews available.

Azure Arc in a Nutshell
With apologies to Shakespeare, Azure Arc is a set of technologies to enable hybrid IT, connecting "something" to Azure to enable it to be managed by Azure's governance features, such as Azure Policy, Role Based Access Control (RBAC) and Defender for Cloud.

Azure Arc Control Plane
[Click on image for larger view.] Azure Arc Control Plane (source: Microsoft).

The most obvious flavor of this is Azure Arc-enabled servers. Take Windows and Linux VMs and physical servers, running anywhere (another cloud, hosting provider, on-premises and so on), install the Azure Connected Machine agent on it and it'll appear in the Azure portal, alongside any Infrastructure-as-a-Service (IaaS) VMs you have there. Once attached, you can use Azure Policy to apply guest configurations inside the server, automatically onboard to Defender for Endpoint (EDR) through Defender for Cloud, collect logs for Microsoft Sentinel, use Azure Automation to run PowerShell or Python runbooks, apply Windows and Linux OS patches with Update Management and monitor the VM and workloads it runs using Azure Monitor/Log Analytics workspaces. Note that Arc-enabled servers work hand-in-glove with Azure Automanage, a set of features in Azure to make managing and maintaining IaaS VMs less onerous and more like using a PaaS platform.

Next up is Arc-enabled Kubernetes, where any Cloud Native Computing Foundation (CNCF) Kubernetes cluster anywhere (another public cloud, on-premises on VSphere/Azure Stack HCI) is connected and appears alongside any Azure Kubernetes Services (AKS) cluster you may have in Azure. You can then deploy applications and configurations using GitOps, observe the clusters using Azure Monitor for containers, enable Microsoft Defender for Kubernetes, use Azure Policy, manage access using Azure AD and do all of this securely without opening inbound ports using Cluster Connect.

Once you have Kubernetes in place, if you have the business need, you can take the next step to Arc-enabled data services. Here you get SQL Managed Instance or PostgreSQL (preview), which is kept up to date automatically from the Microsoft Container Registry (you set installation times in your policies), elastic scale, unified management, self-service provisioning and in-built backup. There's also Arc-enabled SQL Server for centralized management of all your SQL Server databases. This also lets you gather best practices assessments across your entire SQL Server fleet, no matter where it physically runs, use Azure AD authentication, enable Defender for Cloud for protection and use Microsoft Purview to scan for sensitive data, no matter where it's located.

Those features have been there for some time, and if you fancy a hands-on play to understand how it all works, I recommend the Jumpstart ArcBox project, which lets you spin up ready-made VMs in Azure with everything pre-deployed for you, alongside tons of documentation and tutorials to test different scenarios. There's a flavor with all features enabled, one for IT pros, one for DevOps engineers and one for DataOps. There's also a Jumpstart HCI Box to try out Azure Stack HCI (see below).

Arc-Enabled VMware vSphere
Next is Arc-enabled VMware vSphere, currently in preview, enabling lifecycle operations from Azure such as create, resize, and delete plus start and stop VMs. You can also install the guest agent to manage the OS inside the VMs. This functionality relies on the new Azure Arc resource bridge (itself in preview) which is a virtual appliance that you deploy in your vSphere cluster. Currently vCenter Server 6.7 and 7 are supported, with up to 9500 VMs, but as this is a preview I expect support to expand before General Availability.

VMware VMs Alongside Azure VMs
[Click on image for larger view.] VMware VMs Alongside Azure VMs (source: Microsoft).

As cool as this is -- and perhaps some diehard VMware fans who see the cloud as a death threat to their beloved on-premises tin might start to see the power of the cloud if they test this out -- I'm much more excited by the more recent preview of Arc-enabled System Center Virtual Machine Manager.

Arc-Enabled System Center Virtual Machine Manager
Predictably, the next cab of the preview rank (does that analogy work in today's Uber world?) is Arc-enabled System Center Virtual Machine Manager (VMM), which came out in preview mid last year. This gives you a single management plane for your VMs, whether they're running on-premises or in Azure. Just like with VMware it relies on the resource bridge and likewise you can start, stop, pause and delete VMM machines from Azure and browse your VMM resources (VMs, clouds, networks, storage and templates) from Azure.

Seeing VMM Clouds in the Azure Portal
[Click on image for larger view.] Seeing VMM Clouds in the Azure Portal (source: Microsoft).

VMM 2016, 2019 and 2022 are supported, up to 3,500 VMs, and just like with VMware you can provide fine-grained permissions to VMM resources using Azure RBAC.

Virtual Machine Manager VMs in the Azure Portal
[Click on image for larger view.] Virtual Machine Manager VMs in the Azure Portal (source: Microsoft).

Arc-Enabled VMs on Azure Stack HCI
The third scenario that the resource bridge enables is Azure Stack HCI VMs. As a quick recap (if Microsoft dizzying speed of product renames leaves you confused), Azure Stack HCI is the new version of Windows Server for on-premises deployments. Windows Server 2022 is still around, but Azure Stack HCI is where all the cool, new features appear.

You can either purchase pre-integrated clusters from your favorite OEM vendor (including Microsoft itself soon), from two-node clusters suitable for small branch offices or retail stores, all the way up to 16 node behemoths, or build it yourself from supported hardware. There's even the option to rent the hardware as a service from HPE or Lenovo.

Once you deploy the resource bridge and Arc-enable your Azure Stack HCI cluster, not only can you manage deployed VMs from the cloud, you can also deploy VMs to your on-premises clusters using Azure VM images. We did this in a training I delivered a couple of weeks ago and it was quite something seeing a Linux VM from the Azure marketplace start on an on-premises cluster. To top it off, the best UI to manage Azure Stack HCI is the free Windows Admin Center, which of course you can run locally on the cluster but now you can also run it in the Azure Portal. So your on-premises hardware cluster can be managed from Windows Admin Center in the Azure portal and you can deploy VMs from the cloud onto on-premises. If that's not hybrid IT, bringing the power of the cloud to on-premises, I'm not sure what is.

Azure Stack HCI VM Managed from the Azure Portal
[Click on image for larger view.] Azure Stack HCI VM Managed from the Azure Portal (source: Microsoft).

Interestingly, neither Google nor AWS have anything comparative in scope to Azure Arc; their approach to hybrid is either deploy a rack that runs their cloud (AWS Outpost) or cloud-enable a Kubernetes cluster.

Azure Arc Resource Bridge
I've mentioned the resource bridge a few times, so lets look at it more in-depth. It's a packaged VM that hosts a management Kubernetes cluster that you deploy on your on-premises infrastructure (one of the three mentioned above) plus an Azure Resource Manager (ARM) resource in your Azure subscription. These two are then connected to facilitate communication from Azure to on-premises. The resource bridge is fully supported by Microsoft, including updates.

Resource Bridge Architecture
[Click on image for larger view.] Resource Bridge Architecture (source: Microsoft).

In the preview there are two parts to the bridge, cluster extensions for (VMware, Azure Stack HCI and VMM) and custom locations where VMs can be deployed (an individual Azure Stack HCI cluster for example).

I think Azure Arc provides the most complete vision of what hybrid IT should look like. There are some very powerful capabilities and I'm looking forward to what it'll end up looking like when these new features come out of preview. Some parts of Azure Arc is free, but there are some features that incur a cost. Oh, and Azure "Arc" is not an acronym, a question I often get from my students; it's just a name.


Subscribe on YouTube