In this blog post, we’ll be talking about Azure Arc and how VMware admins can leverage it for management purposes.

At Microsoft Ignite 2019, Microsoft announced the public preview of Azure Arc. This new service is the management Godzilla that may very well set Azure apart from other cloud providers. It extends the feature set of Azure Resource Manager to servers and Kubernetes clusters and provides a centralized management platform for these endpoints whether they reside on-premise or even in other public clouds like AWS and GPC.

As of right now, Azure Policy Guest Configuration and Log Analytics are the only services available with Azure Arc managed servers. There is also no pricing scheme set up at the moment for this service while it is in preview. While this new and shiny service is in its infant stage, Azure Arc can be a fantastic way for managing all resources with a single panel of glass especially for VMware Administrators that are running a hybrid cloud infrastructure. In order to onboard servers into Azure Arc, an agent must be installed on each server. Below are the steps for getting started.

Requirements and Limitations

Azure Arc is currently compatible with the following server OSes:

Windows Server 2012 or newer

Ubuntu 16.04 and 18.04

By default, you can only have 800 Servers per Resource Group. So keep this in mind when planning. Azure Arc requires an outbound connection to the Azure Arc services and also works with an HTTP proxy, so for any networking configurations be sure to check out their network configuration guide.

Installing the Azure Arc Providers

Before we can start using Azure Arc, we need to register the providers. The easiest way to do this is to open up a CloudShell environment or login to Azure CLI and type in the following commands:

az provider register --namespace 'Microsoft.HybridCompute'
az provider register --namespace 'Microsoft.GuestConfiguration'

Installing the Azure Arc Providers

Now that we have both required providers registered we are ready to connect a Windows and Linux server in our VMware environment to the Azure Portal by deploying the agent to them.

Deploying Agent On-Premise

The quickest way to get some agents connected is with PowerCLI. To do this we will need to create a Service Principle which will be used to authenticate with our Azure Subscription and onboard our VMs. The fastest way to create a SP is by pasting the following command into Azure CLI. We will be assigning our SP the “Azure Connected Machine Onboarding” role. This is a role that Microsoft has made specifically for onboarding VM’s to Azure Arc, it has a very limited scope of permissions:

az ad sp create-for-rbac --name sp-lukelab-azurearc --role "Azure Connected Machine Onboarding"

Deploying Agent On Premise

Take note of the AppID and Password. We will need to feed these into our PowerCLI script. If you don’t have PowerCLI installed on your machine, run the following command:

Install-Module VMware.PowerCLI -Force

Then we need to connect to our VCenter environment with the following syntax. In the example, my VCenter server’s name is “vcenter.lukelab.lcl”. Input the credentials to VCenter to successfully connect:

Connect-VIServer -Server vcenter.lukelab.lcl

Connect to VCenter environment

Now let’s install an agent on Ubuntu and Windows. Microsoft provided a script for each OS version, we will use PowerCLI to invoke the script on each OS.

Installing on Windows

Fill in the service principle, resource group, subscription, and tenant ID with your own details:

$installscript = @'
# Download the package
Invoke-WebRequest -Uri -OutFile AzureConnectedMachineAgent.msi

# Install the package
msiexec /i AzureConnectedMachineAgent.msi /l*v installationlog.txt /qn | Out-String

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
  --service-principal-id "962a8e5f-7e3e-43bd-aba8-22sdfs234b43" `
  --service-principal-secret "O31FafVA:mL_=zZoLo[JeMV8vLXrjWF3" `
  --resource-group "rg-LukeLab-OnPremise" `
  --tenant-id "24e2975c-af72-454e-8dc0-572345151" `
  --location "WestUS2" `
  --subscription-id "f7c32571-81bd-4e97-977b-7e2234323"


Invoke-VMScript -vm web1 -scripttype powershell -scripttext $installscript -GuestCredential (get-credential)

Paste the script into the PowerShell window that is already connected to VCenter through PowerCLI:

Script pasting into Powershell window

Now the script will run ad it will take a few minutes to install and show up in the portal.

Installing on Ubuntu

Just like with our Windows script, fill in the service principle, resource group, subscription, and tenant ID with your own details:

$installscriptlinux = @"
# Download the installation package
wget -O ~/

# Install the connected machine agent. Omit the '--proxy "{proxy-url}"' parameters if proxy is not needed
bash ~/

azcmagent connect \
  --service-principal-id "962a8e5f-7e3e-43bd-aba8-22sdfs234b43" \
  --service-principal-secret "O31FafVA:mL_=zZoLo[JeMV8vLXrjWF3" \
  --resource-group "rg-LukeLab-OnPremise" \
  --tenant-id "24e2975c-af72-454e-8dc0-572345151" \
  --location "WestUS2" \
  --subscription-id "f7c32571-81bd-4e97-977b-7e2234323"

Invoke-VMScript -vm web4 -scripttype bash -scripttext $installscriptlinux -GuestCredential (get-credential)

Then we invoke it with Invoke-VMScript:


It will take a few minutes to install. Then the server will appear in the portal.

Managing Servers in the Azure Arc Portal

When we check the portal we can see both our Windows and Linux servers that reside on-premise are now added into Azure. We can now use Guest Configuration and Log Analytics with them. Let’s assign a policy to Web1:

Managing Servers in the Azure Arc Portal

We select Web1 and choose “Assign Policy”:

Web1 policy assignation

Select the resource group for the scope and we will select the policy definition “Configure time zone on Windows machines” this is currently the only configuration policy that can be enforced on guest VMs. More and more will be added in the future, but Microsoft wanted to start with something nonintrusive at first, like setting the time:

Assign policy

We will configure Web1 to always have the “Hawaii” timezone set. Also, we will check the “create a remediation task” to enforce this policy on the resource group  right now:

Create a remediation task Configure time zone on Windows machines

During the remediation process we can see that it is evaluating the assigned scope:

Remediation process

In a few minutes our resource is now compliant:Resource compliant

When we check Web1 we can see that the time zone has been changed:

Time zone change

Just the Beginning

Microsoft has big plans for Azure Arc. More and more policy definitions will become available bringing more functionality to the service. This is a big play on Microsoft’s part and really shows their stance on multi/hybrid cloud environments. It could potentially become the answer for solving the management headaches that come with the cloud and could make compliance and governance with VMware and Azure much easier.


Download Altaro VM Backup

Start your free 30-day trial of Altaro VM Backup today and see why it's trusted by 40 000+ organizations worldwide. Get started now and run your first backup in under 15 mins!

Share this post

Not a DOJO Member yet?

Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!

Leave a comment

Your email address will not be published. Required fields are marked *

Related posts