Latest Discussions
From On-premises Datacenter to Azure Hybrid with Azure Arc for Servers
With Microsoft Azure Arc services you can bring great Azure features to your on-prem datacenters, or to other cloud providers. I wrote a #MVPLABSerie of blog posts about the benefits of Azure Hybrid which I'd like to share with the Tech Community:

#MVPLABSerie Azure Hybrid with Arc Enabled Windows Servers on-premises
#MVPLABSerie Azure Arc enabled Servers
#MVPLABSerie Azure Update Management Center (Preview) and Azure Arc enabled Servers
#MVPLABSerie Azure Arc enabled SQL Server Health Assessment
#MVPLABSerie Azure Defender for Cloud with Azure Arc enabled SQL Server
Security Baseline for Azure Arc enabled Servers and Arc Kubernetes

As an IT Specialist for datacenter(s) and cloud I really like these Azure hybrid benefits to keep your datacenter up-to-date and secure! Hope this #MVPLABSerie is helpful for you and your business.

Cheers, James

Introducing Azure Arc Discussion Space
Azure Arc helps you extend Azure management to any infrastructure and enables deployment of Azure data services anywhere: across on-premises, edge, and multicloud. We created this discussion space for you so that you can discuss Azure Arc enabled servers, Azure Arc enabled Kubernetes, Azure Arc enabled SQL Server, and Azure Arc enabled data services, and also ask questions of us. You will find the product overview of Azure Arc here. Azure Arc documentation can be found here.

-Marko

MarkoHotti, Sep 22, 2020, Microsoft

LAB: Azure Arc with Private Endpoint
What is Azure Arc?

Azure Arc is a set of technologies that extends Azure management and enables Azure services to run across on-premises, multi-cloud, and edge environments. It allows you to manage resources such as servers, Kubernetes clusters, databases, and applications running outside Azure using familiar Azure tools and services like Azure Policy, Azure Monitor, and Defender for Cloud. With Azure Arc, you can bring these resources into Azure's control plane, standardize operations, and apply consistent security and governance across your entire IT landscape. This simplifies hybrid and multi-cloud management while leveraging Azure's features, making it easier to innovate and maintain control over your infrastructure.

What is Azure Private Endpoint?

Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. By using a private IP address from your virtual network, the private endpoint brings the service into your virtual network, ensuring that traffic between your virtual network and the service remains private. This setup eliminates exposure to the public internet, enhancing security. Private endpoints can be used with various Azure services, such as Azure Storage, Azure SQL Database, and Azure Cosmos DB. They provide secure connectivity between clients on your virtual network and the service, using the same connection strings and authorization mechanisms as the public endpoint.

What are the benefits of configuring Private Link for your Arc machines?

Enabling Azure Arc for your machines involves several network and system requirements. Organizations are sometimes concerned about allowing certain public endpoints through their firewall and proxy. In this context, private endpoints can be used to ensure that some connections to Azure remain within the Microsoft backbone network.

This service does not eliminate the need for internet connectivity entirely: you will still need to allow public access for Microsoft Entra ID and Azure Resource Manager servers. However, this method significantly reduces the challenge of IP/FQDN whitelisting for internet access.

When you create private endpoints in a virtual network for Azure Arc, it will create a resource with Azure Hybrid Compute as the target. Additionally, it will create several private DNS zones and assign them to the private endpoint. The private endpoint will have IPs assigned from the specified virtual network address range. See the screenshot below. These IPs are now directly linked to Azure Arc services, enabling private connectivity through Azure.

LAB Architectural Diagram

LAB Pre-requisites

An on-premises machine (internet traffic can be directed through a firewall or proxy for security)
On-premises DNS
An Azure subscription
VPN/ExpressRoute connection between on-premises and Azure infrastructure
Understand the limitations and features

The components that will be created as part of the LAB

A private endpoint which has Hybrid Compute as source point
Private DNS zones for Azure Arc services
A private DNS resolver in Azure. Azure DNS doesn't accept DNS queries coming from non-Azure sources, hence you need to configure an Azure private DNS zone. You will get a private IP while creating the inbound endpoint for the resolver.
A DNS forwarder needs to be created in the on-premises DNS to the private IP of the Azure private DNS resolver's inbound endpoint
PowerShell script to onboard the machine
Azure Arc machine: will be created once the on-premises machine gets connected to Azure Arc

Traffic flow

There are three kinds of traffic flow involved here:

DNS flow: to resolve the domain names of private endpoints
Private endpoint flow: actual traffic to Azure Arc services
Internet flow: traffic to Microsoft Entra ID and the Azure Resource Manager control plane

Private endpoint and private DNS flow

Let's suppose the Azure Arc agent initiates traffic to one of the Azure Arc services FQDNs, such as gbl.his.arc.azure.com. On-premises machines need to resolve the FQDN to an IP address, so they send a DNS request to the on-premises DNS server. The DNS forwarder is configured to send *.gbl.his.arc.azure.com DNS queries to the private DNS resolver configured in Azure. The private DNS resolver receives the DNS query and resolves it, as these domains are already linked to the virtual network where the resolver resides. Once the on-premises DNS server receives the IP resolution from the Azure DNS resolver, it sends it back to the on-premises machine. Now that the on-premises machine has the IP (a private IP), it sends the actual traffic to the IP of the private endpoint. The private endpoint receives the traffic, and since this interface is directly linked to the Azure Arc services (the intended destination), the connectivity is successfully established.

Steps:

Generate the onboarding script. The private endpoint can be created while generating the script itself.
Go to Azure Arc --> Machines --> Create.
You can select the option which best suits you. I am selecting "Add multiple servers".
Provide Resource Group, Region, and OS details.
Create the private endpoint using the option provided.
Provide the virtual network and subnet for the private endpoint.
Provide or create a new service principal. Note the secret of the service principal.
Go to the "Download and run script" section. You can copy the script and run it directly, or you can download the script and run it. Please do not forget to update the service principal secret in the script.

You can verify the resources created as part of the private endpoint creation:
There will be three private DNS zones created.
A private endpoint resource will be created with Hybrid Compute as the target resource.

Create a private DNS resolver and an inbound endpoint in it. Provide the necessary details.
Add the inbound endpoint and click Create.
Note the private IP of the inbound endpoint, which is needed to specify the DNS forwarder on-premises.
Configure the DNS forwarder in the on-premises DNS. Add all three private DNS zone domains.
Bypass the private DNS zone domains (this step is required if you have an internet proxy in your infrastructure).
Now you are all set to deploy the script generated for onboarding.
Now you can see the onboarded machine in the Azure Arc portal.

Aaida_Aboobakkar, Feb 07, 2025, Microsoft

Azure Arc - State Configuration (DSC)
Please confirm my understanding: onboarding an on-prem server to Azure Arc does not automatically enable State Configuration? Additional steps are required to onboard the Azure Arc node for State Configuration (DSC) in an Automation account. If this is the case, then the creation of an Automation account, onboarding the on-prem server to State Configuration, and deploying the Connected Machine agent (Azure Arc) may be preferable to reduce the number of times the on-prem server needs to be configured interactively or via PowerShell (either local or remote)?

Solved

Paul Bendall, Jul 22, 2021, Iron Contributor

Lots of spam, is there a way to report and filter them?
Is there any way to flag or report these spam posts? As some of you may be aware, I've seen them multiple times, and sometimes they disappear for a while, only to come back later. This makes it difficult for important topics to stay visible in the forums. Is there a way we can help by reporting them? Does it make any difference?

luchete, Feb 15, 2025, Steel Contributor
Azure Arc Machine still showing in Security Recommendations after Deletion
I removed the extensions, then removed the machine from Azure Arc. I even deleted all of the folders associated with the agent. However, the machine still shows up in our Security Recommendations in Defender. The recommendation is "Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)". I guess something was missed during the delete process of the machine? How do I get this recommendation to stop showing? The machine is deleted. Thank you

HmeltonAppDev, Sep 25, 2024, Copper Contributor

Is Azure Arc billable for installing the AMA agent on my on-prem devices?
Azure Arc needs to be deployed on 25 on-prem servers.
- Why? Because: to install the AMA agent on on-prem servers and collect logs via DCR.
- Is it free to use Azure Arc for the above stated reason?
- Need clarity on the pricing.
- I understand there is a price involved for log ingestion on Sentinel.
- The MSFT pricing calculator is not specific about this requirement.

AnalystHOK, Dec 26, 2022, Copper Contributor

Announcing General Availability of PIM Enabled Azure Lighthouse Delegations
I am excited to share today's general availability announcement of PIM Enabled Azure Lighthouse Delegations. With Azure Lighthouse, service providers can deliver managed services using comprehensive and robust tooling built into the Azure platform. The addition of PIM enabled delegations takes Azure Lighthouse's granular access to the next level, by assigning service providers the exact level of access needed, per resource, for the exact amount of time needed to complete a task. This has been a top ask from customers, and we're thrilled to deliver this powerful capability to our customers! Learn more in the announcement here: Azure Lighthouse PIM Enabled Delegations - Microsoft Community Hub.

AnnaChu, Nov 29, 2022, Microsoft

Error when trying to onboard Azure Arc in Windows Admin Center 2110.1
What is the state of the Azure Arc plugin, so that onboarding via WAC will be possible again? For months it has errored out with a weird message that a string is too long. Reproducible and also well-known across the community + topic-specific MVPs. FYI Prasidh_Arora: [WAC, Azure Monitor] - Onboarding fails with "Log entry string is too long" · Issue #215 · MicrosoftDocs/Windows-Admin-Center-Ideas-and-Feedback · GitHub

Deleted, Sep 23, 2022