Microsoft extends Azure management to the private cloud with Azure Arc

Mar 6, 2024   |  

Manasi Choudhari, Heathcliff Anderson, Jane Yang, Dana Baxter are members of the team implementing Azure Arc inside Microsoft, they are on a Microsoft Teams call.
The team implementing Azure Arc internally at Microsoft is Manasi Choudhari (top left), Heathcliff Anderson (top right), Jian Yan (bottom left), and Dana Baxter (bottom right). (Photo by Jim Adams | Inside Track)

Microsoft Digital technical storiesWhen Microsoft began adopting cloud server technology internally in 2014, it operated some 60,000 on-premises servers and 2,000 line-of-business applications. These assets, normally managed by the team or individual that purchased or built them, were vital to company operations.

Now Microsoft Digital is running the majority of the company’s servers, internal apps, and business processes on Microsoft Azure in the cloud.

That move significantly reduced the volume of servers needed on site and made it easier to track the costs associated with running each service. It also helped IT administrators and developers apply standard risk-management policies and other best practices for network and data security.

But in some scenarios, Microsoft teams still use physical servers to fulfill specific needs.

Why is on-premises hardware still needed?

“Sometimes it’s the kind of app a team is using,” says Dana Baxter, a principal service engineer in Microsoft Digital’s Manageability division. “They might not have the infrastructure to move it to the cloud. There might be dependencies on systems that are not yet migrated.”

If a service is not going to be used for the long term, it is often not worth the effort of decommissioning, redesigning, and redeploying it. A handful of Microsoft groups also maintain on-premises servers because they require extremely high-speed direct internet connections.

At Microsoft, the Manageability Platforms team uses Microsoft System Center Configuration Manager (SCCM) for on-premises server management. In alignment with earlier IT design principles, SCCM covers only Windows servers, specifically those joined to a domain and assigned to the correct organizational unit (OU).

As Microsoft Digital began using more Infrastructure as a Service (IaaS) features native to Azure, a gap grew between the tools used to manage on-premises infrastructure and those used to manage IaaS. With some 3,000 on-premises servers still running within the Microsoft network infrastructure as of early 2019, Baxter saw a significant opportunity to improve the security, cost accounting, and manageability of these computing assets.

Microsoft customers face similar issues.

“Sometimes it doesn’t make sense to lift and shift everything immediately,” says Jian Yan, principal program manager for Azure Arc for servers. “If the hardware is paid for and it’s not at end-of-life, then it’s an investment they’ve already made.”

Baxter wanted Microsoft IT administrators to be able to manage the servers and virtual machines (VMs) with the same ease as an Azure dashboard. Could there be a way to connect these assets to Azure?

“About a year ago, the manageability team started working with the Azure product group on a vision for how we could replicate the functionality of SCCM using Azure features,” Baxter says.

The cross-group team was especially interested in supporting software deployment and collecting data for configuration settings across the organization. Another goal was to improve anti-malware measures for Microsoft Digital’s entire hybrid environment with a unified set of Azure features.

The team immediately realized many issues could be prevented or overcome by including on-premises servers in the Azure management tools. They decided to develop Azure solutions to cover the multi-OS platform and hybrid environments rather than expand usage of SCCM capabilities.

Enter Azure Arc, an extension of Azure Resources Manager, now in public preview. The service brings Azure features that are typically available only in the public cloud to private and on-premises workspaces, including those that are using non-Microsoft cloud services. It contains Azure Arc for server and Kubernetes management, and Azure data services.

With Azure Arc, IT administrators can use the Azure Control Plane to collect and view system data from any environment (on-premises, Azure) or platform (Windows, Linux). When the assets are visible to Azure, it is much easier to apply standard security policies and gather relevant information from each with automated cloud services.

Who is going to use Azure Arc on their servers?

“There are many use cases for Azure Arc. It gives us an opportunity to streamline and reduce the tools we use to manage infrastructure,” Baxter says. “For example, at the Azure Control Plane level, we now have a framework enabling enterprise IT security and governance admins to apply Azure policies at scale.”

For customers, Azure Arc for servers could help IT manage assets across more than one cloud provider. The service enables administration of non-Azure cloud servers alongside Azure assets.

“Users are going to different clouds to acquire their data,” Yan says. “It puts IT in a very difficult position. They need a way to consolidate all these different pieces and standardize across the organization.”

[Learn more about Microsoft’s cloud centric transformationfind out how the company adopted Azure monitor, and discover what principles to keep in mind when implementing modern engineering.]

Reports from early adopters

Microsoft Digital is now in the process of deploying Azure Arc for servers at Microsoft, beginning with the Managed Workspaces team. The rollout has just started, with roughly 10 percent of formerly isolated Microsoft servers and VMs becoming visible to Azure within the past few weeks.

Now, all Microsoft teams can implement enterprise-wide governance programs like management groups and policies that protect the entire company.

The use of Azure services is strategically important for both Azure and Microsoft.

“Azure Arc, Guest Configuration policy, Azure Policy, and Management Groups together allow seamless governance and management of on-premises and multi-cloud resources with a single control plane,” Baxter says.

Heathcliff Anderson, a service engineer in the Managed Workspaces group, was one of the first to try out the tool.

“We started slowly by rolling out the agent on machines one by one. Azure has a nice prescriptive guide on the website on how to do that installation,” Anderson says.

The team soon discovered that there was a point in the process of registering with Azure that required an IT admin to visit a website and manually enter a code. By using the Service Principal Name feature in Azure, Anderson was able to quickly develop a PowerShell script to complete this user action with automation.

“After testing the script on one or two machines, we launched the job through SCCM, running the script against about 100 servers at first. It took about 10 minutes,” Anderson says.

Today, the Managed Workspaces team has activated Azure Arc on more than 300 virtual and physical production servers and is running it with no issues. The servers now automatically receive and implement Azure Policies from the central governance teams in alignment with Azure IaaS systems.

Manasi Choudhari, a program manager in the Managed Workspaces group, is pleased with the benefits that the extension has delivered so far. The next step is to reduce the volume of manual IT administration for the Managed Workspace team.

“We hope to use the Azure extension for automation around deploying scripts that are needed for on-prem servers,” Choudhari says “It is very early, but these are very good features for us to explore.”

Other Microsoft teams also see the value of Azure Arc for servers.

“Tracking costs associated with on-prem servers has always been a difficult thing to do,” says Jeromy Statia, a principal software engineer responsible for securing the Windows Build pipeline. “We want to understand our resources and how they contribute to our services cost. An Azure subscription owner is very clear and defined. We know the cost of a service and who to go to when the server is not acting appropriately.”

Security policies are also easier to enforce with Azure Arc.

“In Azure, there’s this managed service identity that makes an app developer’s security management very easy,” Statia says. “It solves some of the worst practices and encourages best practices instead.”

The Managed Workspace team was able to provide specific product development input based on their experience so far with Azure Arc.

“The problem we’ve presented back to the product group,” Baxter says, “is right now, everyone has to download the package and connect it manually. How do we build this into the product so it’s set by default? How do we build the VM so it already has Arc Agent on it? We are asking the product team to make the agent more integrated.”

What’s next for Azure Arc for servers?

Having completed their initial rollout, the Managed Workspace team is anticipating the release of new Azure Arc capabilities.

“As extensions become available, we’ll run those and pilot those with the various groups,” Anderson says. “If we have any kind of configuration management policy changes that go out, now all of our security policies can be managed from Azure.”

Statia is especially looking forward to using Azure to support certificate auto-renewal. An Azure Key Vault Certificate Deployment extension (currently in Private Preview) keeps the certificate on any machine up to date.

“The reason I latched onto Arc Agent early was what I call the ‘bootstrap credential problem,’” Statia says. “Interacting with Azure always requires a pre-existing certificate. If you don’t already have a certificate, you need another method to get it.”

This could create a problem for users and require IT administrators to manually manage the certificates.

“With Azure,” Statia says, “I will no longer have to manage that credential for an on-premises server. We can use all the value-add of Azure in a standards-based way—soon, without having to worry about storing certificates with personal information exchange (PFX) files, the password that is managing PFX, or the deployment of the PFX package.”

In the future, the Azure product team plans to develop further inventory functionality for Azure Arc.

“The Manageability Platforms teams at Microsoft is creating an Azure-based Inventory solution, co-developed with the Azure product group, to replace our SCCM infrastructure,” Baxter says. “This will give us greater coverage and increase the breadth of data points we are able to collect.”

But this is just the beginning for Azure Arc.

“This is really an early stage of our journey,” Baxter says. “We are looking at expanding Azure Arc capabilities to leverage Azure Policy more widely.”

The team is also starting to support system configuration data collection across the entire Microsoft Digital environment for servers.

“The focus right now is around creating the foundation,” Baxter says. “We want to manage all our servers from Azure, so we can use the same tools for enterprise security and governance programs regardless of the asset’s location or operating system.”

Discover more about Azure Arc from the Microsoft Azure product group, including about About Azure Arc, Azure Arc for servers, and Azure’s Cloud Adoption Framework.

Related links

Tags: