Microsoft is trying to make good on its commitment to managing assets not only in the Azure cloud but also on customer premises and in other providers’ clouds.
Azure Arc for servers, a centralized management tool that provides visibility into Azure data services, Kubernetes clusters, and servers running Windows or Linux, has been generally available since September, helping fulfill Microsoft’s stated intent to support enterprise hybrid-cloud architectures.
By extending Azure Resource Manager (ARM), Azure Arc can help streamline the management of technical resources on premises and in other clouds. ARM is a foundational management service used by a host of Azure tools to provide a consistent experience across a variety of resources including virtual machines, web applications, or data stores. Introduced in 2014, ARM enables a mature set of capabilities for Arc right out of the box.
In addition to features that are part of the currently available Azure Arc for Windows servers, other features—Azure Arc for Linux servers, Azure Arc for Kubernetes, and Azure Arc-enabled data services—are available in preview.
Here is a closer look at Azure Arc for servers.
Monitor, inventory, update
Azure Arc for servers brings several management and governance tools and capabilities to Windows Servers, regardless of whether they are hosted on physical or virtual machines within a corporate datacenter or in any cloud environment. While none of these features is particularly earth-shattering on its own, having these capabilities rolled into Azure can enable more efficient management by reducing the number of tools needed to handle the same workload.
Managing updates for Windows Servers is something that has never been fully solved. Windows Server Update Services (WSUS) is of course still a thing, as is Microsoft System Center, but both have a level of complexity and overhead requirements that make them a poor fit for small, highly distributed, or multitenant environments. There are also numerous third-party platforms and services for handling system updates, but in many cases they bring more complexity and cost than many IT shops want to deal with.
Update management in Azure Arc for servers provides a single-pane view into update compliance, including update type and the machines affected. In addition to the reporting and oversight capabilities, remediation steps can be taken by scheduling update deployments to individual servers or to managed server groups, even groups that are defined by metadata tags. Update deployments can even be configured on a recurring basis from the update-management panel.
Azure Arc’s Inventory feature gives an instant view into which servers are being monitored, what software is installed on these systems, and what services are installed and their current state. It can even check for the existence of specific files, folders, and registry keys. Hand-in-hand with Inventory is Change Management, which monitors the same data points for changes and places them into a timeline view. Change Management tracks multiple aspects of services, including their current state, startup type, and executable path. Likewise, tracked software changes list modifications to the name, version, publisher, and type of the software change.
Azure Monitor can be leveraged through Azure Arc for servers to monitor and alert on system performance or view active network connections. Performance KPIs can even be pinned to an Azure Dashboard in order to monitor key infrastructure more closely.
Perhaps the most powerful component of Azure Arc is Policies. Azure Policy can be leveraged against servers in order to verify compliance with a number of policies, including predefined policies based on industry compliance checklists like HIPAA, NIST, SWIFT, and PCI. Each of these policies can be employed by populating a list of parameters in order to customize them to your environment: things like allowed members of the administrators group, minimum software versions (such as Java, PHP, or Python), and minimum TLS version.
Policies can also be configured for automatic remediation, though remediation tasks are limited to 500 resources. Policies can be created from scratch or duplicated for additional customization. Policies can also be grouped into Initiatives, which are intended to group multiple policies which contribute toward a goal, such as compliance with a particular standard.
Enabling Azure Arc for servers is a multi-step process. The first step is selecting a supported Azure region; Microsoft is working toward making support available in more regions. As with any Azure service, the ideal is to select a region within the same geographic area as your other corporate resources.
Before you’ll be able to manage servers through Azure Arc, you’ll need to enable two existing Azure services that have been around for some time: Azure Automation and Azure Log Analytics. Azure Automation provides the means for scheduled jobs such as gathering data from monitored servers, applying updates, etc. Azure Log Analytics likewise takes the data from your servers and provides visibility into key business needs like update management, system inventory, change tracking, and policy evaluation.
Once these services are enabled, you can connect your servers to them using the appropriate agents. Instructions for deploying the agents, either to individual servers or through automated means, are available within the respective Azure services. Once the agents are installed, you can enable the services for your servers and begin collecting data. You can also configure both Azure Automation and Azure Log Analytics to automatically enable any new servers added to your deployment.
Pricing
The Azure Arc control plane is provided at no cost, and includes Update Management, automation, and analytics with Azure Resource Graph, which lets users dig into telemetry coming from Azure or Arc resources. Other features have some inherent costs of their own. Policies are free when used against Azure resources, but when leveraged against Azure Arc resources there’s a $6 per month charge for each server for an unlimited number of policies. Change Management features are included as part of the Policy feature set.
This article originally appeared on NetworkWorld.