In Manufacturing companies, hybrid architectures aren’t transitional—they’re persistent. Most large manufacturers operate across remote plants, branch sites, private datacenters, and Azure. The main challenge manufacturers face isn’t adopting cloud services, it is preventing long‑term operational fragmentation: multiple teams, multiple tools, inconsistent security controls, and uneven governance as the estate grows.
Azure Arc addresses this as an architectural control‑plane pattern: it extends Azure management to infrastructure and Kubernetes outside Azure by projecting them into Azure Resource Manager (ARM) so they can be governed using Azure-native primitives such as policy, RBAC, and monitoring.
This article describes three architecture patterns that consistently emerge in manufacturing and edge scenarios. Each pattern addresses a distinct set of constraints—ranging from centralized governance across hybrid estates, to plant‑adjacent platforms, to fully disconnected environments—and illustrates how Azure services can be composed to support these realities in a scalable, well‑governed way.
Typical manufacturing environments must contend with some or many of the following components:
- Latency & determinism: plant-floor systems often require local execution
- Distributed footprint: dozens/hundreds of sites with varying maturity
- Connectivity variability: some sites are intermittently connected
- Regulatory & data constraints: some workloads must remain on premises
- Cloud: Native cloud applications including the AI based research applications, SAP systems, etc.
As a result, the estate becomes a mix of Azure + non‑Azure infrastructure. The failure mode isn’t performance—it’s inconsistent operations: different patching methods, different monitoring stacks, and uneven security baselines. Azure Arc is positioned specifically to create unity across that operational model by bringing hybrid resources into the Azure control plane.
A helpful way to think about Arc in manufacturing scenario is to separate the control plane and the data plane:
Arc enables a centralized control plane by projecting resources, like the ones below, into ARM:
- Azure Resource Manager (resource inventory, tags, RBAC, Policy)
- Security posture & compliance (Defender for Cloud, policy initiatives)
- Observability and operations workflows (Azure Monitor, Update Manager, etc.)
Whereas the data plane remains at distributed locations meaning:
- Workload execution remains at plants, private DCs, or edge sites
- Kubernetes API endpoints, runtime traffic, OT systems remain local
This separation is an architectural lever allowing organizations to standardize governance without forcing workload relocation.
A high-level design decision matrix
|
Constraint |
Recommended starting pattern |
Why |
|
Many sites + inconsistent tooling |
Arc as distributed control plane |
Standardizes governance and inventory via ARM projection |
|
Plant workloads require local platform |
Azure Local + Arc |
Uses Azure Local baseline + Arc integration for operations |
|
Connectivity cannot be assumed |
Disconnected/intermittent design |
Forces control-plane boundary design + local autonomy |
Pattern 1 — Azure Arc as the distributed control plane (for VM, SQL severs+ Kubernetes)
When this pattern fits
Use this pattern when:
- You need consistent governance across plants, datacenters, and multicloud
- You can maintain at least periodic connectivity for control-plane sync
- You want Azure policy/security/monitoring to apply uniformly
Architecture intent
Azure Arc projects existing bare metal, VM, and Kubernetes infrastructure resources into Azure to handle operations with Azure management and security tools. Azure Arc simplifies governance and management by delivering a consistent multicloud and on-premises management platform experience for Azure services. Once projected, you can operate hybrid resources using Azure-native constructs (inventory, compliance reporting, policy scope) and apply standardized guardrails.
Figure 2 - AzureArc integrates external resources into Azure landing zones via ARM, enabling a unified control plane and consistent governance across cloud, on‑premises, and edge environments.
From an architectural standpoint, Azure Arc establishes a centralized control plane in Azure (ARM, RBAC, Policy, Resource Graph) and decentralized data plane remaining at plants, datacenters, or edge sites. This separation enables organizations to apply management‑group–scoped policies, standardized tagging, and Defender for Cloud controls consistently across environments, while preserving local execution and latency characteristics required by manufacturing workloads.
Why this pattern matters:
It moves organizations from managing individual sites to governing the entire estate as one. It minimizes operational drift as environments expand across plants and edge locations. Centralized control simplifies enforcement of standards without slowing local operations. The pattern creates predictability at scale in highly distributed environments. It establishes a stable foundation for future modernization initiatives.
Pattern 2 — Azure Local + Azure Arc (plant-adjacent platform pattern)
When this pattern fits
Use this pattern when:
- Workloads must run on premises for latency, sovereignty, or operational control
- You want cloud-consistent operations without creating a separate tooling island
- You need a standardized platform for virtualized + containerized workloads at sites
- You need the local AI inferencing where data needs to be processed at the source/plant site
Architecture intent
Azure Local Microsoft’s distributed infrastructure solution that extends Azure capabilities to customer-owned environments. It facilitates the local deployment of both modern and legacy applications across distributed or sovereign locations. Azure Local accelerates cloud and AI innovation by seamlessly delivering new applications, workloads, and services from cloud to edge, using Azure Arc as the unifying control plane.
From an architectural perspective, Azure Local serves as the local data plane for applications—supporting general‑purpose virtual machines, managed Kubernetes (AKS), and selected Azure services—while Azure Arc extends the Azure control plane to that environment for inventory, policy, monitoring, and security integration. This separation allows workloads to run close to manufacturing systems without creating a parallel or disconnected operational model.
Azure Local supports a broad spectrum of workload types on the same platform foundation, including:
- Traditional line‑of‑business applications on virtual machines
- Modern containerized workloads using AKS on Azure Local
- Azure‑consistent platform services that can be deployed locally, such as Azure Virtual Desktop and SQL Managed Instance
- GPU‑accelerated workloads for AI inferencing and computer vision scenarios
Why this pattern matters:
Without a platform like Azure Local integrated through Azure Arc, on‑premises manufacturing workloads tend to evolve into bespoke environments with inconsistent security, monitoring, and lifecycle management—making long‑term scale and governance increasingly difficult.
Pattern 3 — Disconnected edge workloads (connectivity-constrained design)
When this pattern fits
Use this pattern when:
- Sites cannot assume continuous connectivity
- Local autonomy is required for safety or production continuity
- You still want centralized governance when connected
Architecture intent
In manufacturing and edge scenarios, some environments must operate without continuous internet connectivity due to regulatory constraints, physical isolation, or operational risk tolerance. In these cases, architectures must assume that cloud control‑plane access is intermittent or unavailable, while local execution must continue without disruption. Disconnected architectures shift the primary design concern from availability of services to autonomy of execution. This pattern applies to environments that are fully offline, intermittently connected, or explicitly restricted from sending data to public cloud endpoints.
Azure supports this model through Disconnected-containers, where containerized services are deployed and operated fully offline. Once provisioned, these containers run entirely on local infrastructure with no runtime dependency on Azure endpoints, enabling uninterrupted execution even during extended disconnection periods. Disconnected containers are offered through commitment tier pricing, each offering a discounted rate compared to the Standard pricing model. Learn more about pricing here: Plan and Manage Costs - Microsoft Foundry | Microsoft Learn
Before attempting to run a Docker container in an offline environment, make sure you know the steps to successfully download and use the container. For example:
- Host computer requirements and recommendations.
- The Docker pull command you use to download the container.
- How to validate that a container is running.
- How to send queries to the container's endpoint once it's running.
Why this pattern matters:
This pattern matters because not all environments can rely on continuous connectivity. It enables critical workloads to operate independently at the edge while remaining aligned to central governance when connectivity is available. The pattern prioritizes local autonomy without sacrificing architectural discipline. It reduces operational risk in constrained or disconnected sites. This approach ensures resilience and continuity in environments where connectivity cannot be assumed.
Manufacturing IT will remain distributed by design. The risk is not hybrid complexity, but fragmented operations. By centralizing the control plane while keeping execution local, Arc enables consistent security, compliance, and operations across cloud, datacenter, and edge.
Microsoft