Edit

Share via


Connect hybrid machines to Azure from Automation Update Management

You can enable Azure Arc-enabled servers for one or more of your Windows or Linux virtual machines or physical servers hosted on-premises or other cloud environment that are managed with Azure Automation Update Management. This onboarding process automates the download and installation of the Connected Machine agent. To connect the machines to Azure Arc-enabled servers, a Microsoft Entra service principal is used instead of your privileged identity to interactively connect the machine. This service principal is created automatically as part of the onboarding process for these machines.

Before you get started, be sure to review the prerequisites and verify that your subscription and resources meet the requirements. For information about supported regions and other related considerations, see supported Azure regions.

If you don't have an Azure subscription, create a free account before you begin.

Automatic connection for SQL Server

When you connect a Windows or Linux server to Azure Arc that also has Microsoft SQL Server installed, the SQL Server instances are automatically connected to Azure Arc as well. SQL Server enabled by Azure Arc provides a detailed inventory and additional management capabilities for your SQL Server instances and databases. As part of the connection process, an extension is deployed to your Azure Arc-enabled server, and new roles are applied to your SQL Server and databases. If you don't want to automatically connect your SQL Servers to Azure Arc, you can opt out by adding a tag to the Windows or Linux server with the name ArcSQLServerExtensionDeployment and value Disabled when connecting it to Azure Arc.

For more information, see Manage automatic connection for SQL Server enabled by Azure Arc.

How it works

When the onboarding process is launched, an Active Directory service principal is created in the tenant.

To install and configure the Connected Machine agent on the target machine, a master runbook named Add-UMMachinesToArc runs in the Azure sandbox. Based on the operating system detected on the machine, the master runbook calls a child runbook named Add-UMMachinesToArcWindowsChild or Add-UMMachinesToArcLinuxChild that runs under the system Hybrid Runbook Worker role directly on the machine. Runbook job output is written to the job history, and you can view their status summary or drill into details of a specific runbook job in the Azure portal or using Azure PowerShell. Execution of runbooks in Azure Automation writes details in an activity log for the Automation account. For details of using the log, see Retrieve details from Activity log.

The final step establishes the connection to Azure Arc using the azcmagent command using the service principal to register the machine as a resource in Azure.

Prerequisites

This method requires that you are a member of the Automation Job Operator role or higher so you can create runbook jobs in the Automation account.

If you have enabled Azure Policy to manage runbook execution and enforce targeting of runbook execution against a Hybrid Runbook Worker group, this policy must be disabled. Otherwise, the runbook jobs that onboard the machine(s) to Arc-enabled servers will fail.

Add machines from the Azure portal

Perform the following steps to configure the hybrid machine with Arc-enabled servers. The server or machine must be powered on and online in order for the process to complete successfully.

  1. From your browser, go to the Azure portal.

  2. Navigate to the Machines - Azure Arc page, select Add/Create, and then select Add a machine from the drop-down menu.

  3. On the Add servers with Azure Arc page, select Add servers from the Add managed servers from Update Management tile.

  4. On the Resource details page, configure the following:

    1. Select the Subscription and Resource group where you want the server to be managed within Azure.
    2. In the Region drop-down list, select the Azure region to store the servers metadata.
    3. For Connectivity method:
      1. Choose either Public endpoint or Private endpoint. If you select Private endpoint, you can either select an existing private link scope or create a new one.
      2. If you want to use a Proxy server URL, enter the proxy server IP address or the name and port number that the machine will use in the format http://<proxyURL>:<proxyport>.
      3. If you selected Public endpoint and you want to use Azure Arc Gateway, select an existing Gateway resource or create a new one.
    4. Select Next.
  5. On the Servers page, select Add Servers, then select the Subscription and Automation account from the drop-down list that has the Update Management feature enabled and includes the machines you want to onboard to Azure Arc-enabled servers.

    After specifying the Automation account, the list below returns non-Azure machines managed by Update Management for that Automation account. Both Windows and Linux machines are listed and for each one, select add.

    You can review your selection by selecting Review selection. If you want to remove a machine, select remove from under the Action column.

    Once you confirm your selection, select Next.

  6. On the Tags page, specify one or more Name/Value pairs to support your standards. Select Next: Review + add.

  7. Review the summary information, and then select Add machines. If you still need to make changes, select Previous.

Verify the connection with Azure Arc

After the agent is installed and configured to connect to Azure Arc-enabled servers, go to the Azure portal to verify that the server has successfully connected.

Screenshot showing a successful machine connection in the Azure portal.

Next steps