ITOps Talk Blog

Azure Arc for Cloud Solutions Architects

thomasmaurer
Jul 07, 2021

Azure Arc and the Azure control plane enable Cloud Solutions Architects to build hybrid and multicloud architectures. They take advantage of the Azure control plane to manage infrastructure and allow Azure services to be deployed anywhere. This allows customers to build cloud solutions and application architectures consistently, independent of where the application is running.

Azure Arc Overview

In this blog post, we will have a look at Azure Arc for Cloud Solutions Architects. Azure Arc allows you to extend Azure management and Azure services to anywhere. This means you can deploy, manage and govern resources running across hybrid and multicloud environments, and bring services such as Azure SQL Database and Azure PostgreSQL Hyperscale to your on-premises datacenter, edge location, or other cloud providers. Azure Arc can help in many different scenarios.

Azure Arc

Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform. Azure Arc enables you to manage your entire environment, with a single pane of glass, by projecting your existing resources into Azure Resource Manager. You can now manage virtual machines, Kubernetes clusters, and databases as if they are running in Azure. Regardless of where they live, you can use familiar Azure services and management capabilities. Azure Arc enables you to continue using traditional ITOps, while introducing DevOps practices to support new cloud-native patterns in your environment.

Azure Arc Architecture Single Control Plane

This provides you with a single control plane for your hybrid and multicloud environment.

Azure Arc for Cloud Solutions Architects

Let's have a look at some key Azure Arc scenarios for Cloud Solutions Architects.

Use the Azure Portal to gain central visibility

In hybrid and multicloud environments, it can be difficult for Cloud Solutions Architects to get a central view of all the resources they need to manage. Some of these resources are running in Azure, some on-premises or in branch offices, and some even at other cloud providers. By connecting resources to Azure Resource Manager using Azure Arc, Security Engineers can get central visibility of a wide range of resources, including Windows and Linux servers, SQL Server, Kubernetes clusters, and Azure services running in Azure and outside of Azure.

Azure Arc and Azure resources in the Azure Portal

Organization and Inventory

The single control plane using Azure Resource Manager lets you organize and inventory assets through various Azure scopes, such as management groups, subscriptions, resource groups, and tags.

Azure Arc Tagging

Azure Resource Graph

Establish central visibility in the Azure portal and enable multi-environment search with Azure Resource Graph. This allows you to run queries against Azure Resource Graph and gives you a centralized view of all your resources running in Azure and outside of Azure.

Manage Access

As a Cloud Solutions Architect, you want to make sure that only people who need access can access these systems. You can delegate access and manage security policies for resources using role-based access control (RBAC) in Azure. With Azure Arc enabled servers, we are seeing customers remove local administrator access and give administrators access to the system only through the Azure portal, using Azure Arc and Azure management services. If you run in multiple environments and tenants, Azure Arc also integrates well with Azure Lighthouse. Azure Lighthouse is especially interesting for managed service providers.

Role-based Access Control

Enable your custom deployment locations

Azure Arc enables you to create custom locations, so you can use the Azure Resource Manager not just to deploy to Azure Regions but also to your own custom locations. You can learn more about custom locations on Microsoft Docs.

Azure Regions and custom locations

Run cloud-native apps on Azure PaaS anywhere

Azure Arc allows you to deploy Azure application services such as Azure App Service, Functions, Logic Apps, Event Grid, and API Management anywhere, on-premises, edge locations, or any other cloud provider. This is great if you are building and running cloud-native applications on Azure PaaS services and want them to run outside of Azure without rearchitecting them.

These are the new Azure Arc-enabled Application services announced at Microsoft Build 2021. These allow you to run Azure PaaS services on-premises and at other cloud providers.

  • Azure App Service makes building and managing web applications and APIs easy with a fully managed platform and features like autoscaling, deployment slots, and integrated web authentication.
  • Azure Functions makes event-driven programming simple, with state-of-the-art autoscaling, and triggers and bindings to integrate with other Azure services.
  • Azure Logic Apps produces automated workflows for integrating apps, data, services, and backend systems with a library of more than 400 connectors.
  • Azure Event Grid simplifies event-based applications with a single service for managing the routing of events from any source to any destination.
  • Azure API Management provides a unified management experience and full observability across all internal and external APIs.

Create App Service and select a custom location

Azure Arc enabled Data Services

Alongside Azure application services such as Web Apps and Logic Apps, you also want to leverage data services and databases. With Azure Arc enabled data services you can run services like Azure SQL Managed Instance anywhere.

The application services can be combined with the Azure Arc enabled data services, which include:

  • Azure Arc enabled Azure SQL Managed Instance – Azure Arc enabled SQL Managed Instance has near 100% compatibility with the latest SQL Server database engine, and enables existing SQL Server customers to lift and shift their applications to Azure Arc data services with minimal application and database changes while maintaining data sovereignty. At the same time, SQL Managed Instance includes built-in management capabilities that drastically reduce management overhead.
  • Azure Arc enabled Azure PostgreSQL Hyperscale – This is the hyperscale form factor of the Postgres database engine that is available with Azure Arc enabled data services. It is also powered by the Citus extension that enables the hyperscale experience. In this form factor, our customers provide the infrastructure that hosts the systems and operate them.

Azure Arc enabled data services

CI/CD workflow using GitOps - Azure Arc enabled Kubernetes

Azure Arc brings DevOps practices anywhere. Modern Kubernetes deployments house multiple applications, clusters, and environments. With GitOps, you can manage these complex setups more easily, tracking the desired state of the Kubernetes environments declaratively with Git. Using common Git tooling to track cluster state, you can increase accountability, facilitate fault investigation, and enable automation to manage environments.

Azure Arc enabled Kubernetes GitOps Flow

Deploy and run Azure Kubernetes Services (AKS) on-premises on Azure Stack HCI

With Azure Arc and Azure Stack HCI, you can run Azure Kubernetes Service (AKS) on-premises in your own datacenter or edge location on top of Azure Stack HCI. This AKS cluster can be Azure Arc enabled, to allow management and deployment of applications to your Kubernetes clusters. You can learn more on Microsoft Docs.

Run Machine Learning anywhere

Azure Arc enabled machine learning lets you configure and use an Azure Arc enabled Kubernetes cluster to train and manage machine learning models in Azure Machine Learning.

Azure Arc enabled machine learning supports the following training scenarios:

  • Train models with 2.0 CLI
    • Distributed training
    • Hyperparameter sweeping
  • Train models with Azure Machine Learning Python SDK
    • Hyperparameter tuning
  • Build and use machine learning pipelines
  • Train model on-premise with outbound proxy server
  • Train model on-premise with NFS datastore

Learn more on Microsoft Docs.

Use Azure Managed Identities on-prem or at other cloud providers

If developers build applications that need to authenticate against Azure resources, Azure VMs can leverage their managed identity to authenticate. With Azure Arc, applications or processes running directly on an Azure Arc-enabled server can leverage managed identities to access other Azure resources that support Azure Active Directory-based authentication, for example Azure Key Vault. An application can obtain an access token representing its identity, which is system-assigned for Arc-enabled servers, and use it as a 'bearer' token to authenticate itself to another service.

See the managed identity overview documentation for a detailed description of managed identities, as well as the distinction between system-assigned and user-assigned identities. For authenticating against Azure resources with Arc-enabled servers, check out the following article.
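To make the bearer-token flow above concrete, here is an added Python example (not code from the post or from Microsoft) that performs the Arc agent's challenge-token handshake on an Arc-enabled server; the local endpoint, API version and key-file location follow Microsoft's managed identity documentation for Arc-enabled servers, while the demo transport, key contents and token values are constructed so the flow can be exercised offline.

```python
"""Added example (not from the post): how an app on an Azure Arc-enabled server
gets a managed-identity token from the local Arc agent endpoint. Endpoint,
api-version and challenge flow follow Microsoft's Arc-enabled servers docs; the
transport is injectable so the flow runs offline against a constructed agent."""
import json, re, urllib.parse, urllib.request
from urllib.error import HTTPError

# Arc-enabled servers talk to the agent's local endpoint, not 169.254.169.254
ARC_IDENTITY_ENDPOINT = "http://localhost:40342/metadata/identity/oauth2/token"
API_VERSION = "2019-11-01"


def challenge_key_path(www_authenticate):
    """Key-file path carried in the agent's 'Basic realm=<path>' challenge."""
    m = re.match(r"Basic realm=(.+)$", www_authenticate.strip())
    if not m:
        raise ValueError("unexpected challenge: %r" % www_authenticate)
    return m.group(1).strip()


def get_arc_token(resource, send, read_key):
    """Two-step flow: the first call gets HTTP 401 naming a key file that only
    root / the himds group can read; echoing its contents as a Basic credential
    proves the caller is local and privileged, and the agent issues the token.
    send(url, headers) -> (status, headers, body); read_key(path) -> str."""
    query = urllib.parse.urlencode({"api-version": API_VERSION, "resource": resource})
    url = "%s?%s" % (ARC_IDENTITY_ENDPOINT, query)
    status, hdrs, _ = send(url, {"Metadata": "true"})
    if status != 401:
        raise RuntimeError("expected a challenge, got HTTP %s" % status)
    realm = next(v for k, v in hdrs.items() if k.lower() == "www-authenticate")
    secret = read_key(challenge_key_path(realm))
    status, _, body = send(url, {"Metadata": "true", "Authorization": "Basic " + secret})
    if status != 200:
        raise RuntimeError("token request failed with HTTP %s" % status)
    return json.loads(body)  # access_token is then sent as a bearer token


def http_send(url, headers):
    """Real transport for an Arc-enabled server; urllib raises on 401, so catch it."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


def demo_send(url, headers):
    """Constructed stand-in for the agent: challenge first, token once the key is shown."""
    if headers.get("Authorization") == "Basic CONSTRUCTED-KEY":
        return 200, {}, json.dumps({"access_token": "constructed.jwt", "token_type": "Bearer"})
    return 401, {"Www-Authenticate": "Basic realm=/var/opt/azcmagent/tokens/constructed.key"}, ""
```

On a real Arc-enabled server, call `get_arc_token(resource, http_send, lambda p: open(p).read())` as root or a member of the himds group; the restricted key file is what stops an unprivileged process on the box from minting tokens for the machine's identity, so keep its permissions intact.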

Update Management

As a Cloud Solutions Architect, one of your jobs is to make sure that all the systems have the latest updates and patches installed to protect against vulnerabilities. Often customers spend hours orchestrating and deploying patches or building automation for their patch management. With Update Management, you can manage operating system updates for your Windows and Linux servers. In addition, it allows you to schedule and automate patching for your servers.

Update Management

Monitoring

You do not just want to manage your systems; you also want to monitor them and make sure that you get alerted in case anything happens that disrupts your environment and applications. You can monitor your Kubernetes clusters and containers, Linux, and Windows Servers. Azure Monitor lets you monitor guest operating system performance and, with VM insights, discover application components, their processes, and their dependencies on the other resources the application communicates with.

Monitoring

One of the great features in Azure Monitor which can help Cloud Solutions Architects is the Microsoft Dependency agent. This provides you with information about the incoming and outgoing connections to a specific server.

Azure Monitor Map

Log collection and analytics

Log collection and analytics can be very helpful to a Cloud Solutions Architect in many ways. With Azure Log Analytics you can collect, sort, filter, and analyze your logs centrally. It allows Security Engineers to get a central view of all the security logs of the systems they manage. These logs can also be used for threat hunting using Azure Sentinel.

Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Change Tracking and Inventory

With change tracking and inventory, you can get an overview of the changes happening in your environment and get an inventory of software installed on your Windows and Linux servers.

Change Tracking and Inventory

Certificate Management

You might have managed certificates on your servers using Active Directory and Group Policy for your local environment. In hybrid cloud or multicloud environments, servers are often not even domain joined. That can make managing certificates a challenge. With a combination of the Azure AD managed identity assigned by the Azure Arc agent and Azure Key Vault, you can easily and securely deploy and manage certificates on your Windows and Linux servers.

Security Center

Making sure that your servers and Kubernetes clusters are secured is often a challenging task, especially in a hybrid or multicloud environment. With Azure Security Center you get threat detection and proactive monitoring for potential security threats to your Azure Arc resources. It allows you to deploy Azure Defender for servers and Azure Defender for Kubernetes to your hybrid and multicloud resources.

Security Center

Get compliance state

As a Cloud Solutions Architect, you want to know whether your servers or Kubernetes clusters are compliant with company policies. Or you may even be in charge of making sure that all your systems are configured correctly and securely. This is where Azure Policy Guest Configuration on your Azure Arc enabled servers can help you to make sure that everything is compliant.

Azure Policy

Manage your Azure Stack HCI

Azure Stack HCI is a new hyperconverged infrastructure (HCI) operating system delivered as an Azure service that provides the latest security, performance, and feature updates. Azure Stack HCI has Azure Arc built in and can be managed through the Azure Portal.

Azure Stack HCI Native Integration in to Microsoft Azure

Next steps

  • Learn more about Arc enabled servers, see the following overview

  • Learn more about Arc enabled Kubernetes, see the following overview

  • Learn more about Arc enabled data services, see the following overview

  • Experience Arc enabled services from the Jumpstart proof of concept

Also, check out my video on how to manage your hybrid cloud using Azure Arc on Microsoft Channel 9.

Conclusion

Azure Arc enables Cloud Solutions Architects and others to build hybrid and multicloud solutions and with the right tooling to manage and operate hybrid and multicloud resources such as Windows and Linux servers, Kubernetes clusters, and other resources. If you have any questions, feel free to leave a comment below.

Updated Jul 19, 2021
Version 2.0
  • Awesome write-up Thomas! Thanks for sharing!

    Happy Azure Stacking!!!

  • josch83
    Copper Contributor

    This is an awesome post, and it gives a great overview. Thank you!

    With more and more Arc-enabled PaaS services, could it be a possibility to use it for a cloud-exit strategy, which is an important requirement for some companies? Or does the deployment and operational management of those resources require to have an active access to the Azure Portal and Resource Manager (means: when Microsoft contracts ended, you are going to have orphaned resources on Arc connected clusters in other environments)?

  • josch83 Thank you for the feedback 🙂

    To your other point, yes and no. Technology-wise services like Azure Data services can run in disconnected mode (or indirect mode) which is designed for environments where you don't have a connection (or can't use one for various reasons). Billing-wise this is still "connected" to Azure environment/contract/subscription etc. I hope that makes sense.

  • Dean_Gross
    Silver Contributor

    thomasmaurer I have a copy of a very comprehensive slide deck for the Azure Arc diagrams from 2021 do you know if there is an updated version that shows new functionality and product names?