Managing Azure Arc-enabled servers with Machine Configuration – Wim Matthyssen

March 23, 2025
in IAC
In my blog post contribution for this year's Azure Spring Clean, we'll explore how Azure Arc-enabled servers and Azure Machine Configuration (formerly known as Azure Policy Guest Configuration) simplify management and ensure compliance across your hybrid environment.

Spring is here once again! Joe Carlyle and Thomas Thornton are continuing their tradition by leading Azure Spring Clean, a community-driven initiative focused on promoting well-managed Azure tenants.

You can stay updated by following the hashtag #AzureSpringClean on X for the latest tips. To dive deeper, visit https://www.azurespringclean.com to explore additional blog posts and videos offering best practices, lessons learned, and advice on managing Azure.

But let's now focus on managing Azure Arc-enabled servers with Machine Configuration.

As some of you will probably know, Machine Configuration in Azure is a feature that allows you to enforce and manage the configuration of Azure virtual machines (VMs). What's even better is that you can now extend this to physical machines or VMs running on-premises or in other public cloud environments using Azure Arc.

With Machine Configuration, which is simply a PowerShell Desired State Configuration-based compliance reporting and configuration tool, you can now define and enforce specific settings on an individual machine or at scale in your hybrid environment. This allows you to manage and audit operating system settings as code on these Arc-enabled machines, such as:

  • Application presence (e.g., ensuring required applications are installed)
  • Environment settings (e.g., configuring network and storage settings)
  • OS configurations (e.g., enforcing system settings like time zone configurations)

In addition, by applying policies via Machine Configuration to these machines, you can also:

  • Enforce configurations: Ensure machines are configured according to your security, compliance, and operational standards.
  • Audit configurations: Verify compliance with predefined settings.
  • Consistent security: Maintain uniform security configurations across hybrid and multi-cloud environments.

Machine Configurations differ from policy definitions. Machine Configuration leverages Azure Policy to dynamically apply configurations to machines, or you can manually assign configurations to machines as needed.

Behind the scenes, this all works via a guest assignment, which is an Azure resource that acts as a link between a machine, whether an Azure VM or an Azure Arc-enabled server, and a machine configuration.

The machine configuration itself contains all the necessary details about the desired settings and policies to be applied to the machine, and these are stored in a .mof (Managed Object Format) file.

💡 A .mof file, based on the WMI schema, stores desired configurations for operating systems or applications on VMs or Azure Arc-enabled servers. These files are essential for enforcing settings, rules, and policies, and are often used with DSC to maintain compliance and the desired state across environments.

For example, you might have a policy that ensures all machines in scope have a specific configuration, such as the "AuditSecureProtocol" guest assignment (policy definition). The guest assignment would link this policy to the machines, ensuring they are in compliance with the defined settings.

The guest assignment resource type is Microsoft.GuestConfiguration/guestConfigurationAssignments, and it uses the complianceStatus property to report the compliance state.

⚠️ Machine Configuration policies run with full access to system settings and resources (Local System context on Windows or root on Linux). Ensure that only trusted accounts in your organization have permission to assign Azure Policies or Azure Guest Assignments.

In this blog post, we'll explore how you can achieve many of these tasks using Machine Configuration on your Azure Arc-enabled servers.


Azure prerequisites

  • An Azure subscription, ideally more than one if you plan to follow the Cloud Adoption Framework (CAF) enterprise-scale architecture. This includes a connectivity and/or management subscription, with at least one ARC subscription (landing zone) for deploying your Arc-related resources.
  • At least one machine, whether physical or virtual, running Windows Server 2016 or later, part of your hybrid environment and already onboarded into Azure Arc.

Register the required resource provider

To use Machine Configuration with your Azure Arc-enabled servers, the "Microsoft.GuestConfiguration" resource provider must be registered on the Azure subscription where your machines are onboarded.

This registration happens automatically when you assign a machine configuration policy via the Azure Portal or if your subscription is enrolled in Microsoft Defender for Cloud. Alternatively, you can manually register it using the Azure Portal, Azure PowerShell, or Azure CLI.

If you'd like to register this resource provider using an Azure PowerShell script, simply save the script below as a .ps1 file and run it via Windows Terminal or Azure Cloud Shell, after selecting the correct Azure subscription.

## -------------------------------------------------------------------------

## Variables

$providerNameSpace = "Microsoft.GuestConfiguration"

## A read-mode breakpoint on $currentTime refreshes the timestamp every time the variable is read
Set-PSBreakpoint -Variable currentTime -Mode Read -Action {$global:currentTime = Get-Date -Format "dddd MM/dd/yyyy HH:mm"} | Out-Null
$foregroundColor1 = "Green"
$foregroundColor2 = "Yellow"
$foregroundColor3 = "Red"
$writeEmptyLine = "`n"
$writeSeperatorSpaces = " - "

## --------------------------------------------------------------------------

## Register the required Azure resource provider (Microsoft.GuestConfiguration) in the current subscription context, if not yet registered

Register-AzResourceProvider -ProviderNamespace $providerNameSpace | Out-Null

Write-Host ($writeEmptyLine + "# The required resource provider (Microsoft.GuestConfiguration) is currently registering or has already been registered" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor2 $writeEmptyLine

## -------------------------------------------------------------------------
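Register-AzResourceProvider returns before the registration has actually completed, so a script that immediately goes on to assign a machine configuration policy can still fail. The following added example (my own, not part of the original post) polls the provider's RegistrationState until it reports "Registered" or a timeout expires. It assumes the Az.Accounts and Az.Resources modules are installed and that Connect-AzAccount and Set-AzContext have already selected the right subscription.

```powershell
# Added example (not from the original post): confirm the Microsoft.GuestConfiguration
# resource provider reaches the "Registered" state in the current subscription context.
# Assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has been run.

$providerNameSpace = "Microsoft.GuestConfiguration"
$timeoutSeconds    = 300
$pollSeconds       = 10

function Get-ProviderRegistrationState {
    param([Parameter(Mandatory)] [string] $Namespace)
    # Get-AzResourceProvider returns one object per resource type; all share the provider's RegistrationState
    $provider = Get-AzResourceProvider -ProviderNamespace $Namespace | Select-Object -First 1
    if (-not $provider) { throw "Resource provider '$Namespace' not found" }
    return $provider.RegistrationState
}

function Wait-ResourceProviderRegistered {
    param(
        [Parameter(Mandatory)] [string] $Namespace,
        [int] $TimeoutSeconds = 300,
        [int] $PollSeconds = 10
    )

    $context = Get-AzContext
    if (-not $context) { throw "No Azure context. Run Connect-AzAccount and Set-AzContext first." }
    Write-Host ("Checking provider '{0}' in subscription '{1}' ({2})" -f $Namespace, $context.Subscription.Name, $context.Subscription.Id)

    $state = Get-ProviderRegistrationState -Namespace $Namespace
    if ($state -ne "Registered") {
        Write-Host "Current state is '$state'; requesting registration..."
        Register-AzResourceProvider -ProviderNamespace $Namespace | Out-Null
    }

    # Registration is asynchronous: poll until it completes or the deadline passes
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $state = Get-ProviderRegistrationState -Namespace $Namespace
        if ($state -eq "Registered") { return $true }
        Start-Sleep -Seconds $PollSeconds
    }
    return $false
}

if (Wait-ResourceProviderRegistered -Namespace $providerNameSpace -TimeoutSeconds $timeoutSeconds -PollSeconds $pollSeconds) {
    Write-Host "$providerNameSpace is registered" -ForegroundColor Green
} else {
    Write-Host "$providerNameSpace did not reach 'Registered' within $timeoutSeconds seconds" -ForegroundColor Red
}
```

Run it in the same session as the registration script above; because it checks the state first, it is safe to run repeatedly on subscriptions where the provider is already registered.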

Use the built-in Machine Configuration policies

First, to use machine configuration packages that apply configurations to Azure Arc-enabled Windows servers, the Azure Connected Machine agent version 1.10.0 or later is required. You'll need to check the agent version on your servers, either locally or via the Azure Portal.

Using the built-in Machine Configurations is quite straightforward, because the audit policy definitions available for machine configuration include the Microsoft.HybridCompute/machines resource type.

This means that any of your machines onboarded as Azure Arc-enabled servers that fall within the scope of the policy assignment are automatically included.

Currently, there are three built-in Machine Configurations (Policy definitions) that are automatically used in combination with your Azure Arc-enabled Windows Servers, all of which are in AuditIfNotExists mode:

  • AuditSecureProtocol: Windows machines should be configured to use secure communication protocols (.mof file)
  • AzureWindowsBaseline: Windows machines should meet requirements of the Azure compute security baseline (.mof file)
  • WindowsDefenderExploitGuard: Windows Defender Exploit Guard should be enabled on your machines (.mof file)

To check the compliance of any of your Arc-enabled servers against one of these built-in Machine Configurations, simply go to the Azure Arc page by typing "Arc" in the Global Search bar and selecting Azure Arc.

Then, go to Machines and select the server you want to check compliance for. After that, scroll down to the Operations section and click on Machine Configuration.

On the Machine Configuration page, simply click on the Machine Configuration for which you want to check the machine's compliance.

Good to know is that if something isn't working as expected, you can check the client log files on the local server.

The machine configuration writes the log files to the following location: C:\ProgramData\GuestConfig\arc_policy_logs
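The two local checks mentioned in this section, the agent version against the 1.10.0 minimum and the client log directory, can be done in one short PowerShell script. This is an added example (mine, not from the original post). It assumes that "azcmagent version" prints a line containing the version number (the regex tolerates surrounding text) and that the log path is the one stated above.

```powershell
# Added example (not from the original post): run locally on an Arc-enabled Windows server to
# verify the Azure Connected Machine agent meets the 1.10.0 minimum required for Machine
# Configuration packages, and to list the most recent Machine Configuration client log files.
# Assumption: "azcmagent version" prints a line that contains the version, e.g.
# "azcmagent version 1.47.02744.1996"; the regex below tolerates surrounding text.

$minimumVersion = [version]"1.10.0"
$logPath        = "C:\ProgramData\GuestConfig\arc_policy_logs"

function Get-ArcAgentVersion {
    $azcmagent = Get-Command azcmagent -ErrorAction SilentlyContinue
    if (-not $azcmagent) { throw "azcmagent not found; is this machine onboarded to Azure Arc?" }
    $output = & $azcmagent.Source version 2>&1 | Out-String
    if ($output -match '(\d+\.\d+(?:\.\d+){0,2})') { return [version]$Matches[1] }
    throw "Could not parse a version from: $output"
}

$agentVersion = Get-ArcAgentVersion
if ($agentVersion -ge $minimumVersion) {
    Write-Host "Agent $agentVersion meets the minimum $minimumVersion" -ForegroundColor Green
} else {
    Write-Host "Agent $agentVersion is below $minimumVersion; update the agent before using Machine Configuration" -ForegroundColor Red
}

# Most recent client log files, newest first; useful when a configuration reports Pending or fails to apply
if (Test-Path $logPath) {
    Get-ChildItem -Path $logPath -File -Recurse |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 10 FullName, LastWriteTime, Length
} else {
    Write-Host "No log directory at $logPath (Machine Configuration may not have run yet, or is disabled)" -ForegroundColor Yellow
}
```

Run it in an elevated PowerShell session on the server itself; reading ProgramData\GuestConfig typically requires local administrator rights.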

View machine configuration assignment details at scale

You can easily view the guest configuration compliance states for each machine individually via the Azure Arc page, as shown in the previous section.

However, to see all guest configuration assignments across your tenant at once, open the Guest Assignments page from the Azure portal. To do so, type "guest" in the global search bar to open the Guest Assignments page.

To view detailed compliance information, click on each assignment using the link in the Name column.
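The same tenant-wide view of guest assignments can be pulled with Azure Resource Graph, which is easier to feed into a report or an alert than clicking through the portal. The example below is added by me and is not part of the original post. It assumes the Az.Accounts and Az.ResourceGraph modules are installed, that Connect-AzAccount has been run, and that the guestconfigurationresources table exposes properties.complianceStatus, properties.targetResourceId and properties.lastComplianceStatusChecked (the property names of the guestConfigurationAssignments resource mentioned above).

```powershell
# Added example (not from the original post): list every guest configuration assignment that
# targets an Azure Arc-enabled server across all subscriptions you can read, via Azure Resource Graph.
# Assumes Az.Accounts and Az.ResourceGraph are installed and Connect-AzAccount has been run.
# Assumption: guestconfigurationresources exposes properties.complianceStatus,
# properties.targetResourceId and properties.lastComplianceStatusChecked.

$query = @"
guestconfigurationresources
| where type =~ 'microsoft.guestconfiguration/guestconfigurationassignments'
| extend targetResourceId = tostring(properties.targetResourceId)
| where targetResourceId contains 'microsoft.hybridcompute/machines'
| extend parts = split(targetResourceId, '/')
| extend machine = tostring(parts[array_length(parts) - 1])
| extend compliance = tostring(properties.complianceStatus)
| extend lastCheck = todatetime(properties.lastComplianceStatusChecked)
| project subscriptionId, resourceGroup, machine, assignment = name, compliance, lastCheck
| order by compliance asc, machine asc
"@

function Get-ArcGuestAssignmentCompliance {
    param([Parameter(Mandatory)] [string] $Query)
    $results   = @()
    $skipToken = $null
    do {
        # Resource Graph pages its results; pass the SkipToken back to fetch the next page
        $params = @{ Query = $Query; First = 1000 }
        if ($skipToken) { $params.SkipToken = $skipToken }
        $page = Search-AzGraph @params
        $results  += $page
        $skipToken = $page.SkipToken
    } while ($skipToken)
    return $results
}

$assignments = Get-ArcGuestAssignmentCompliance -Query $query
$assignments | Format-Table subscriptionId, resourceGroup, machine, assignment, compliance, lastCheck -AutoSize

# Summary per compliance state (Compliant, NonCompliant, Pending)
$assignments | Group-Object compliance | Select-Object Name, Count
```

The first filter on microsoft.hybridcompute/machines restricts the output to Arc-enabled servers; drop that line to include Azure VMs in the same report. Resource Graph only returns resources on subscriptions the signed-in identity can read, so run it with an account that has reader access across the landing zones you want to cover.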

Disable Machine Configuration

For Tier 0 servers, such as Domain Controllers or Certificate Servers, it's crucial to implement strong security measures, especially when they are Azure Arc-enabled.

As a best practice, it's recommended to apply local agent security controls to lock down the Azure Connected Machine agent, ensuring that only local server administrators can modify its configuration.

One key recommendation is to disable Machine Configuration to prevent the use of custom Guest Configuration policies that could alter the agent configuration.

💡 It is also advisable to disable remote access capabilities and either set an extension allowlist or completely disable the extension manager on these servers.

To do this, run the following command locally, together with the other commands, to disable remote access and set your preferred extension allowlist on any of these servers:

azcmagent config set incomingconnections.enabled false

azcmagent config set guestconfiguration.enabled false

azcmagent config set extensions.allowlist "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent,Microsoft.Azure.AzureDefenderForServers/MDE.Windows"

As you can see, this will disable the "Guest Configuration Arc Service" on your server, meaning the desired state of this machine can no longer be monitored.

If features that rely on an extension were already installed before you changed the allowlist, you will need to manually remove those extensions from the server. This can be done in several ways, such as using the Azure Portal.

💡 Disabling specific capabilities, such as Machine Configuration, is also useful when you are connecting servers to Azure with Azure Arc for a single purpose, such as collecting event logs, without allowing other management features to be used on the server.
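Once the lockdown has been applied to a Tier 0 server, it should be verified rather than assumed, for example from a scheduled task or a build validation step. The script below is an added example (mine, not from the original post) that reads each setting back with "azcmagent config get" and compares it to the values set above. It assumes that "azcmagent config get <property>" prints the current value (optionally prefixed by the property name) and that the Machine Configuration service on Arc-enabled Windows servers is named GCArcService, with display name "Guest Configuration Arc Service".

```powershell
# Added example (not from the original post): verify that a Tier 0 Arc-enabled server has the
# agent lockdown applied. Run locally in an elevated PowerShell session.
# Assumptions: "azcmagent config get <property>" prints the current value (possibly as
# "<property>: <value>"); the Machine Configuration service is named GCArcService.

$expected = [ordered]@{
    "incomingconnections.enabled" = "false"
    "guestconfiguration.enabled"  = "false"
    "extensions.allowlist"        = "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent,Microsoft.Azure.AzureDefenderForServers/MDE.Windows"
}

function Get-AzcmagentSetting {
    param([Parameter(Mandatory)] [string] $Name)
    $raw  = (& azcmagent config get $Name 2>&1 | Out-String).Trim()
    # Keep the last non-empty line and strip an optional "name:" / "name =" prefix
    $line = ($raw -split "`r?`n" | Where-Object { $_ } | Select-Object -Last 1).Trim()
    if ($line -match '[:=]\s*(.*)$') { $line = $Matches[1].Trim() }
    return $line
}

function Test-AllowlistMatches {
    param([string] $Expected, [string] $Actual)
    # The allowlist is a comma-separated set; compare order-insensitively
    $want = @($Expected -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object)
    $have = @($Actual   -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object)
    if ($have.Count -eq 0) { return $false }
    return -not (Compare-Object -ReferenceObject $want -DifferenceObject $have)
}

$findings = foreach ($name in $expected.Keys) {
    $actual = Get-AzcmagentSetting -Name $name
    $ok = if ($name -eq "extensions.allowlist") {
        Test-AllowlistMatches -Expected $expected[$name] -Actual $actual
    } else {
        $actual -eq $expected[$name]
    }
    [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual; Compliant = $ok }
}

$findings | Format-Table -AutoSize

# With guestconfiguration.enabled set to false the Guest Configuration Arc Service should no longer be running
$svc = Get-Service -Name GCArcService -ErrorAction SilentlyContinue
if ($svc) { Write-Host "GCArcService status: $($svc.Status)" } else { Write-Host "GCArcService is not present" }

if ($findings | Where-Object { -not $_.Compliant }) {
    Write-Host "One or more lockdown settings are not applied" -ForegroundColor Red
} else {
    Write-Host "Agent lockdown settings are applied" -ForegroundColor Green
}
```

Adjust the allowlist in $expected to whatever you set on your servers; the comparison treats it as a set, so the order of the extension names does not matter.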

Conclusion

By leveraging the capabilities of Azure Arc and Machine Configuration, organizations can efficiently enforce and manage the configuration of Azure Arc-enabled servers within their hybrid environments, ensuring compliance and security across their entire infrastructure. I hope the steps explained in this blog post help you keep your Arc deployments secure and well-managed.

Before concluding, I want to express my gratitude for being part of this online event. I hope you find value in the other blog posts and videos as well. A special thanks to Thomas Thornton and Joe Carlyle for organizing this event!

If you have any questions or suggestions regarding this blog post, feel free to reach out to me via my X handle (@wmatthyssen) or leave a comment below. I'm happy to help!

Happy reading 📖 and managing 💻!
© 2025- https://multicloud365.com/ - All Rights Reserved