Latest Discussions
Azure Arc, on-prem servers, and MDE
I've onboarded a handful of on-prem servers into Azure Arc and I would like to roll out the MDE extension. Do I have to enable MDE on the resource group or subscription before I can install it? I don't see it listed as an available extension when I go here: Azure Arc | Machines > server01 | Extensions > Install extension

Chaffy (Copper Contributor), Mar 11, 2025 · 25 views, 0 likes, 1 comment

Private Link/Endpoint and Run Command not working
Hi, I have set up a private endpoint and it seems to be working. Both existing and new servers are added and reporting as expected over the private endpoint. But I have issues with the RunCommand function, using PowerShell or AZ CLI. When I run a script on a server that existed before I added the private endpoint, the run command works as expected. But on newly added servers or servers where I reinstall the Arc Agent (testing), the run command just tries and tries and ends up with a timeout. Nothing happens on the server. Command plug isn't installed etc. In PowerShell, I use Get-AzConnectedMachine to build an object with all machine details returned. This is then passed to New-AzConnectedMachineRunCommand, to ensure it (hopefully) knows about the private link scope etc. Conditional forwarders for his.arc.azure.com, guestconfiguration.azure.com and kubernetesconfiguration.azure.com have been set up. All FQDNs in "DNS configuration" found in the Private Endpoint Connections for the link also resolve to the expected internal IP. Any suggestions as to what I'm missing or should look at? Servers (lab) currently have full internet access, so no blockers there. Thanks, -Heine

hjeppesen (Copper Contributor), Mar 06, 2025 · 398 views, 0 likes, 3 comments

Aaida_Aboobakkar (Microsoft), Feb 22, 2025 · 144 views, 1 like, 4 comments
Azure update Manager - Schedule problem
Hi all, I have two maintenance schedules set up in Azure Update Manager for patching servers: one runs on the 4th Tuesday of the month and the second runs on the 4th Thursday of the month. Both contain different servers. The problem I have is that the Thursday schedule didn't run last night and I can't work out why. My Tuesday schedule ran fine. Here are my schedule maintenance window settings. I have the following updates included. Can anyone help? I just can't work out why it didn't run last night.

JoshB531 (Brass Contributor), Feb 20, 2025 · 681 views, 0 likes, 1 comment

LAB: Azure Arc with Private Endpoint
What is Azure Arc?

Azure Arc is a set of technologies that extends Azure management and enables Azure services to run across on-premises, multi-cloud, and edge environments. It allows you to manage resources such as servers, Kubernetes clusters, databases, and applications running outside Azure using familiar Azure tools and services like Azure Policy, Azure Monitor, and Defender for Cloud. With Azure Arc, you can bring these resources into Azure's control plane, standardize operations, and apply consistent security and governance across your entire IT landscape. This simplifies hybrid and multi-cloud management while leveraging Azure's features, making it easier to innovate and maintain control over your infrastructure.

What is Azure Private Endpoint?

Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. By using a private IP address from your virtual network, the private endpoint brings the service into your virtual network, ensuring that traffic between your virtual network and the service remains private. This setup eliminates exposure from the public internet, enhancing security. Private endpoints can be used with various Azure services, such as Azure Storage, Azure SQL Database, and Azure Cosmos DB. They provide secure connectivity between clients on your virtual network and the service, using the same connection strings and authorization mechanisms as public endpoints.

What are the benefits of configuring Private Link for your Arc machines?

Enabling Azure Arc for your machines involves several network and system requirements. Organizations are sometimes concerned about allowing certain public endpoints through their firewall and proxy. In this context, private endpoints can be used to ensure that some connections to Azure remain within the Microsoft backbone network. While this service does not eliminate the need for internet connectivity entirely (you will still need to allow public access for Microsoft Entra ID and Azure Resource Manager servers), this method significantly reduces the challenge of IP/FQDN whitelisting for internet access. When you create private endpoints in a virtual network for Azure Arc, it will create a resource with Azure Hybrid Compute as the target. Additionally, it will create several private DNS zones and assign them to the private endpoint. The private endpoint will have IPs assigned from the specified virtual network address range. See the screenshot below. These IPs are now directly linked to Azure Arc services, enabling private connectivity through Azure.

LAB Architectural Diagram

LAB Pre-requisites
- An on-premises machine. (Internet traffic can be directed via a firewall or proxy for security)
- On-premises DNS
- An Azure subscription
- VPN/ExpressRoute connection between on-premises and Azure infrastructure
- Understand the limitations and features

The components that will be created as part of the LAB
- A private endpoint which has Hybrid Compute as the source point
- Private DNS zones for Azure Arc services
- A private DNS resolver in Azure. Azure DNS doesn't accept DNS queries coming from non-Azure sources, hence you need to configure an Azure Private DNS zone. You will get a private IP while creating the inbound endpoint for the resolver.
- A DNS forwarder needs to be created in the on-premises DNS pointing to the private IP of the Azure Private DNS resolver's inbound endpoint
- PowerShell script to onboard the machine
- Azure Arc machine: will be created once the on-premises machine gets connected to Azure Arc.

Traffic flow

There are three kinds of traffic flow involved here.
- DNS flow: to resolve the domain names of private endpoints
- Private endpoint flow: actual traffic to Azure Arc services
- Internet flow: traffic to Microsoft Entra ID and the Azure Resource Manager control plane

Private endpoint and private DNS flow

Let's suppose the Azure Arc agent initiates traffic to one of the Azure Arc service FQDNs, such as gbl.his.arc.azure.com. On-premises machines need to resolve the FQDN to an IP address, so they send a DNS request to the on-premises DNS server. The DNS forwarder is configured to send *.gbl.his.arc.azure.com DNS queries to the Private DNS resolver configured in Azure. The Private DNS resolver receives the DNS query and resolves it, as these domains are already linked to the virtual network where the resolver resides. Once the on-premises DNS server receives the IP resolution from the Azure DNS resolver, it sends it back to the on-premises machine. Now that the on-premises machine has the IP (private IP), it sends the actual traffic to the IP of the private endpoint. The private endpoint receives the traffic, and since this interface is directly linked to the Azure Arc services (the intended destination), the connectivity is successfully established.

Steps:
1. Generate the onboarding script. The private endpoint can be created while generating the script itself.
   - Go to Azure Arc --> Machines --> Create
   - Select the option best suited for you. I am selecting Add multiple servers.
   - Provide Resource Group, Region, and OS details.
   - Create the private endpoint using the option provided
   - Provide the virtual network and subnet for the private endpoint
   - Provide or create a new service principal. Note the secret of the service principal
   - Go to the Download and run script section. You can copy the script and run it directly, or you can download the script and run it. Please do not forget to update the service principal secret in the script.
2. You can verify the resources created as part of the private endpoint:
   - Three private DNS zones will be created
   - A private endpoint resource will be created with Hybrid Compute as the target resource
3. Create a private DNS resolver and an inbound endpoint in it. Provide the necessary details. Add the inbound endpoint and click Create. Note the private IP of the inbound endpoint, which is needed to specify the DNS forwarder on-premises.
4. Configure the DNS forwarder in the on-premises DNS. Add all three private DNS zone domains.
5. Bypass the private DNS zone domains (this step is required if you have an internet proxy in your infrastructure).
6. Now you are all set to deploy the script generated for onboarding.
7. Now you can see the onboarded machine in the Azure Arc portal.

Aaida_Aboobakkar (Microsoft), Feb 20, 2025 · 276 views, 2 likes, 2 comments

Lots of spam, is there a way to report and filter them?
Is there any way to flag or report these spam posts? As some of you may be aware, I've seen them multiple times, and sometimes they disappear for a while, only to come back later. This makes it difficult for important topics to stay visible in the forums. Is there a way we can help by reporting them? Does it make any difference?

luchete (Steel Contributor), Feb 15, 2025 · 15 views, 1 like, 0 comments

Register now for the Migrate to Innovate Summit
Join the summit on March 11, presented in partnership with Intel. Stay agile, innovate for the future, and maintain a competitive edge by accelerating your cloud migration and modernization journey. Microsoft thought leaders will discuss the latest news and trends, showcase real-world case studies, and share how Azure can help you fully embrace AI. Join us to:
- Maximize business value and build the foundation for successful innovation by leveraging the latest Azure and Intel capabilities for your workloads.
- Dive into case studies and real-world examples showcasing how organizations have successfully transformed their business and how you can be next by migrating and modernizing on Azure.
- Make sure your cloud migration and modernization journey is using the best practices and strategies featured in product demonstrations.

Register now > Migrate to Innovate Summit
Tuesday, March 11, 2025, 9:00 AM–11:30 AM Pacific Time (UTC-7)

MSdellis (Microsoft), Feb 13, 2025 · 13 views, 0 likes, 0 comments

LAB: Azure Arc Enabled Kubernetes
Below are the steps and commands you can use to deploy Kubernetes and connect it to Azure Arc.

My test machine: Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-1021-azure x86_64)
Kubernetes distribution: Minikube

Note: You need to follow a different installation procedure according to the OS and processor architecture of your test system. The installation link is provided in each step.

Install Docker

sudo apt update
sudo apt upgrade
#Install Docker
#Link for Docker installation
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
docker -v

Install kubectl

#Install kubectl
#Link for kubectl
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
# Install the downloaded binary into the PATH so the version check below can find it
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
kubectl version --client

Install Minikube

#Install Minikube
#Link for Minikube installation
curl -LO https://github.com/kubernetes/minikube/releases/latest/download/minikube-linux-amd64
sudo install minikube-linux-amd64 /usr/local/bin/minikube && rm minikube-linux-amd64
# Let the current user talk to the Docker daemon; log out and back in (or run `newgrp docker`) for the group change to take effect
sudo usermod -aG docker $USER
minikube start --driver=docker

Connect to Azure Arc

#Connect to Azure Arc
az connectedk8s connect --name k8clust3 --resource-group myrd --location swedencentral
kubectl get deployments,pods -n azure-arc

Aaida_Aboobakkar (Microsoft), Feb 12, 2025 · 48 views, 0 likes, 0 comments

Azure Arc Patching
Working on getting boxes onboarded with Azure Arc since we are mostly cloud based, but still have a few boxes left on prem. In my lab I am able to enroll and set up patching via Azure without much issue. Via the console it reports stuff running, etc. However, when checking on the box I don't see the patches via update history or wmic qfe list. But when I check the rev, I see the OS is current (I installed from an ISO that was 12 months old). Seems like the data is out of sync or just missing locally. Other than Azure Arc's log, is there any way to validate it's working correctly? Sorry, just paranoid and want to make sure it's solid...

RussMeyer-Epik (Copper Contributor), Feb 07, 2025 · 77 views, 0 likes, 2 comments

LAB: Onboarding On-premises Machine to Azure Arc by using Proxy as Connectivity Method
What is Azure Arc?

Azure Arc is a set of technologies that extends Azure management and enables Azure services to run across on-premises, multi-cloud, and edge environments. It allows you to manage resources such as servers, Kubernetes clusters, databases, and applications running outside Azure using familiar Azure tools and services like Azure Policy, Azure Monitor, and Defender for Cloud. With Azure Arc, you can bring these resources into Azure's control plane, standardize operations, and apply consistent security and governance across your entire IT landscape. This simplifies hybrid and multi-cloud management while leveraging Azure's features, making it easier to innovate and maintain control over your infrastructure.

LAB Architecture

Lab pre-requisites:
- Set up an on-premises environment with a VM and an enterprise proxy.
- An Azure subscription where we can onboard the machine.
- Understand the system and network pre-requisites.

Plan deployment

Please note the hostname, as this will show in the Azure Arc portal once you onboard the machine into Azure Arc. Also, you can verify whether a proxy is configured using the command netsh winhttp show proxy

Note: You don't need to use the proxy connectivity option if your internet traffic is already routing via a proxy at the network level. You can use this option if you need your agent to communicate via a different proxy which is not already configured at the network level.

Steps to deploy:
1. Generate the script to onboard the on-premises machine:
   - Go to Azure Arc --> Machines and click on Create.
   - Select the option best suited for you. I am using the Add multiple servers option.
   - Fill in the details and provide your proxy server URL.
   - Provide a service principal you already have or create a new one. Provide tags if you need them.
   - Go to the Download and run script option. You can either download or copy the script and run it directly in your machine. Update the service principal secret inside the script, then the script is ready to use.
2. Run the script in the on-premises machine
   Go to PowerShell on the on-premises machine and run the script. The script will install the Azure Arc agent and connect the system with the Arc control plane. These steps don't necessarily need to be done with PowerShell. You have multiple ways to connect a machine to Azure Arc, e.g. CLI, API calls etc. Please go through the Azure Arc documentation to know more. The following actions will take place once you run the script:
   - Azure Connected Machine Agent installation
   - Setting proxy configuration
   - Connect machine to Azure

Now your machine is onboarded, and you can enjoy all the services in Azure. In a nutshell, you can treat your on-premises machine as an Azure VM and apply all the related services.

Aaida_Aboobakkar (Microsoft), Feb 06, 2025 · 140 views, 0 likes, 0 comments