Azure Again to Faculty is an incredible neighborhood initiative created by by Dwayne Natwick and Derek Smith. Identical to in earlier years, all through September, neighborhood members from all over the world will share a mixture of video content material, reside classes, and weblog posts on a wide range of Azure matters. This initiative embodies the true spirit of neighborhood: sharing data, serving to others study, and constructing new abilities.
You will discover all of the movies and weblog posts at https://azurebacktoschool.github.io/.
Keep up to date by following the hashtag #AzureBacktoSchool on X or LinkedIn.
In my weblog publish, I’ll dive into how Azure Automanage simplifies administration by making it simpler to onboard Azure administration providers and streamline the operation of your Azure Arc-enabled servers.
You’ll discover ways to activate and use this highly effective service to reinforce the administration and operation of your Azure Arc-enabled servers, resulting in smoother and extra environment friendly server administration.
Desk of Contents
What’s Azure Automanage?
As many people know, Azure Arc expands Azure’s administration capabilities to incorporate on-premises, multi-cloud, and edge environments. It lets you handle servers, Kubernetes clusters, and functions throughout completely different places by way of a single pane of glass.
Nonetheless, configuring these administration providers on Arc-enabled servers may be complicated for IT directors, particularly in smaller environments the place they oversee extra than simply digital machines (VMs).
That is the place Azure Automanage steps in. For Arc-enabled servers, Azure Automanage for Machines Finest Practices streamlines the administration of your Arc-enabled Home windows and Linux servers by automating duties like configuration, monitoring, and updates, making certain your sources adjust to advisable Azure practices.
Azure Automanage affords providers like Machine Insights Monitoring, Replace Administration (V2), and Machine Configuration. It additionally mechanically provisions the mandatory Azure sources, comparable to a Log Analytics workspace (or lets you level to an present one), to help these providers.
To configure Automanage with Azure Arc-enabled servers, you possibly can select one of many prebuilt Azure Automanage configuration profiles, like “Azure Finest Practices: Manufacturing” or “Azure Finest Practices: Dev/Check.”
These profiles include predefined settings that handle varied points of a digital machine’s lifecycle. Nonetheless, bear in mind that not all providers and options in these profiles are totally suitable with Arc-enabled servers.
Alternatively, you possibly can create your personal {custom} configuration profile, which is my most popular method.
You will discover an in depth record of the collaborating providers, together with their descriptions and configuration profiles, by way of this Microsoft Be taught hyperlink.
As with all Azure sources, it’s necessary to maintain the pricing in thoughts. Whereas Azure Automanage is included without spending a dime together with your Azure subscription, the particular person providers onboarded by way of Azure Automanage do incur separate prices. Subsequently, you must evaluation the pricing of every service you allow by way of Automanage to calculate an estimated whole value.
Azure stipulations
- An Azure subscription, ideally multiple for those who plan to comply with the Cloud Adoption Framework (CAF) enterprise-scale structure. This features a connectivity and/or administration subscription, with at the very least one ARC subscription (touchdown zone) for deploying your Arc-related sources.
- The “Microsoft.Automanage” useful resource supplier ought to already be registered on this subscription.
- An Azure Administrator account with the suitable RBAC roles, comparable to Proprietor or Contributor on the subscription or useful resource group stage, is required to create and assign Automanage profiles.
- Some machines, whether or not bodily or digital, operating at the very least Home windows Server 2012 R2 or any Arc supported Linux distribution inside your hybrid setting and have already been onboarded into Azure Arc.
Set up Automanage Preview options
With the upcoming retirement of the Log Analytics Agent on August 31, 2024, sure options and integrations of Automanage will now not perform. Subsequently, it’s advisable to allow preview options, comparable to Automanage Alerts Enabled and Automanage Azure Monitoring Agent Help, for any subscriptions utilizing Automanage.
To put in preview options for a particular subscription, register to the Azure Portal together with your credentials. Use the worldwide search bar, or one other technique throughout the portal, to seek out and choose the subscription.
On the Subscription web page, click on Preview options underneath the Settings part.
Subsequent, sort “automanage” within the search bar and set the “State” to Not Registered to show all preview options associated to Azure Automanage which can be presently not registered for that subscription. Choose the options you need to register and click on Register.
As soon as a preview function is registered in your subscription, you’ll see considered one of two states: Registered or Pending.
- If the preview function doesn’t require approval, its state can be Registered. Remember that entry to the options isn’t immediate; it could take as much as 12 hours for the adjustments to take impact.
- If it does require approval, the state can be Pending. On this case, you’ll have to request approval from the Azure service providing the function, usually by submitting a Azure help ticket*. After your registration is accepted, the state of the preview function will change to Registered.
*Some providers might require completely different strategies, comparable to e mail, to acquire approval for pending requests. You’ll want to examine the bulletins concerning the preview function for particular directions on the right way to acquire entry.
Create a {custom} RBAC position for Automanage
If essential, or for those who want the next stage of safety and management in your setting following the precept of least privilege, you possibly can create a {custom} position for extra exact administration.
For instance, if you wish to restrict permissions to managing Automanage configuration profiles with out impacting different sources, you possibly can outline a {custom} RBAC position with permissions particularly tailor-made to:
- Microsoft.Automanage/configurationProfileAssignments: Permission to create, replace or delete Configuration Profile Assignments.
- Microsoft.Automanage/configurationProfileAssignments/stories: Permission to learn, create or replace any Configuration Profile Project Reviews.
- Microsoft.Automanage/configurationProfileAssignments/effectiveProfiles: Permission to learn any Project’s Efficient Configuration Profile End result.
- Microsoft.Automanage/configurationProfiles: Persmission to delete, learn, create or replace any Automanage ConfigurationProfiles.
- Microsoft.Automanage/configurationProfiles/variations: Permission to delete, learn, create or replace any Automanage ConfigurationProfiles Variations
To create a {custom} RBAC position and assign it to a safety group, go to your subscription, choose Entry management (IAM), and underneath the Add tab, select Add {custom} position.
Subsequent, specify a {custom} position title and description, then click on Subsequent. After that, choose the Microsoft.Automanage permissions you need to embody within the {custom} position, add them by clicking the Add button, after which click on Subsequent.
On the Assignable scopes web page, you possibly can both click on Subsequent or add an extra subscription if wanted.
On the JSON web page, you possibly can both obtain the JSON file or edit it as wanted. Whenever you’re prepared, merely click on Subsequent to proceed.
Then click on Create to finalize your {custom} position. As soon as the position is efficiently created, click on OK to shut the notification.
Now you possibly can assign this new position to a particular safety group to use its permissions to that group.
Create a {custom} configuration profile to your Azure-Arc enabled servers
To create a {custom} configuration profile, sort “auto” within the world search bar and choose Automanage. On the Automanage web page, select Configuration profiles.
Click on Create to arrange a {custom} profile.
First, specify a title (following your Azure naming conference), choose the subscription, select the useful resource group (ideally the administration useful resource group within the subscription), and set the area to match the place your Azure Arc servers are configured to your {custom} profile.
Then, choose the providers you need to allow or disable. As talked about earlier, needless to say not all providers, like Azure Backup, are suitable with Azure Arc.
At the moment, because of current adjustments, seemingly associated to the retirement of the Log Analytics agent and a few Azure Automation options, creating a brand new configuration profile ends in the next error: **”The operation was not allowed as a result of the subscription shouldn’t be in a state to help it. Subscription state: -1.”
As soon as this difficulty is resolved, you’ll seemingly be capable of create a {custom} configuration profile by way of the Azure Portal, or through the use of Bicep or ARM templates.
**I’ve additionally raised a brand new Dialogue on the Azure Tech Group concerning this difficulty: https://techcommunity.microsoft.com/t5/azure-infrastructure/enabling-azure-automanage-or-creating-a-custom-configuration/m-p/4251861/spotlight/true#M268
Configure and use Automanage with Azure Arc-enabled servers
To configure Azure Automanage for a particular group of Azure Arc-enabled servers, sort “auto” within the world search bar and choose Automanage. Then, on the Automanage web page, select Handle.
Subsequent, choose the suitable subscription and click on Allow on present machine.
Then, choose the {custom} profile you created earlier (as soon as this function is functioning once more) and click on Subsequent: Machines >.
On the Machines web page, set the useful resource sort to Server – Azure Arc to filter for Azure Arc-enabled servers. Then, choose the precise Arc-enabled servers you need to handle utilizing your {custom} Azure Automanage profile.
On the final web page, click on Create to allow Automanage on the chosen servers.
At the moment, making an attempt to allow Automanage on the chosen Azure Arc-enabled servers will end in the identical error encountered when configuring a {custom} profile: “The operation was not allowed as a result of the subscription shouldn’t be in a state to help it. Subscription state: -1.”
This error signifies that the Azure subscription is in an invalid or unsupported state for the operation, seemingly as a result of retirement of the Log Analytics agent and the related sources utilized in a few of the providers out there inside Azure Automanage.
Conclusion
That wraps up this weblog publish. I’m thrilled to be a part of the Azure Again to Faculty occasion and hope you discover the content material precious and insightful.
I hope the steps outlined on this weblog publish for configuring Automanage together with your Azure Arc-enabled servers assist improve the administration and safety of those sources in your setting.
You probably have any questions or solutions about this weblog publish, be at liberty to succeed in out to me on X (@wmatthyssen) or depart a remark. I’ll be joyful to assist!
Take pleasure in your studying and viewing!
