How To Automate The Hybrid World Part One Of Two
Published Jan 23 2023 04:36 AM

Hi, Jonas here!

Or as we say in the north of Germany: "Moin Moin!"
I’m a Microsoft Senior Cloud Solution Architect – Engineering (or Sr. CSA-E for short) and in this article I want to talk about how to automate the hybrid world.

Over the years Microsoft has developed more and more automation tools such as Power Automate, Azure Logic Apps, Azure Functions or Azure Automation. While Azure Automation is not the latest tool in the automation tools family, I dedicate this blog to this amazing tool and hopefully provide you with an easy-to-follow how-to guide.

 

Table of contents

Azure Automation in a nutshell

A Hybrid worker in a nutshell

Azure Arc in a nutshell

Hybrid Worker setup diagram

How to follow along

Prepare Azure Automation Account

Azure Arc Extension-based (V2) Hybrid Worker setup

 

TL;DR

What you can expect from this article.

This article is basically a summary of the Azure Automation documentation and a how-to for setting up the so-called Hybrid Worker on a Windows Server. Why a summary of the documentation you might ask? Well, it helps me understand a topic better and it hopefully helps you too.
The main purpose is to learn how Azure Arc, Azure Automation and the Hybrid Worker work together and how to automate the hybrid world.

I chose an example that automates an on-premises task in Microsoft Configuration Manager (aka ConfigMgr) with an Azure Automation Runbook. ConfigMgr, though, can be replaced with any other on-premises or cloud service.

I will also give you some runbook examples to be able to see some results as fast as possible.

This post focuses on runbooks rather than the other Azure Automation features, but it should give you enough background to add those features later and expand your automation capabilities.

So, grab a coffee or two and follow along if you like.

(This is part one of a two part series. The link to part two can be found at the end)

 

Azure Automation in a nutshell

Azure Automation is a set of tools to automate almost anything. Some of those tools are:

  • Runbooks
    • A script to automate a certain task which can be started in different ways
    • (What I will talk about in this article)
  • Change Tracking and Inventory
    • A solution to detect changes made to your systems and to create an inventory
  • Azure Automation State Configuration
    • A powerful tool to apply a defined set of configurations to your systems by leveraging PowerShell Desired State Configuration (DSC)
  • Update Management
    • A solution to schedule update installations on systems

 

A Hybrid worker in a nutshell

A Hybrid Worker in general is just a machine you manage that runs Runbooks. A Runbook in essence is just a PowerShell or Python script.
A Hybrid Worker can be installed either on an on-premises machine or on a machine running in the cloud.
A Hybrid Worker is the way to reach on-premises resources from a runbook, and it is also the option for long-running scripts, for scripts that need third-party software or modules installed locally, and for scripts that have to interact with local services.
Without a Hybrid Worker a runbook runs in the cloud in an Azure sandbox. The sandbox cannot reach your on-premises network, and a job running there is unloaded after three hours (the sandbox “fair share” limit), so anything long-running belongs on a Hybrid Worker.

A full feature list of the Hybrid Worker can be found here: Runbook Execution Environment


Azure Arc in a nutshell

Azure Arc gives you the capability to attach systems and services living outside of Azure to Azure Resource Manager and manage them as if they were hosted in Azure. That gives you the benefit of running your management tasks from within one management view.
Have a look at the documentation here: Azure Arc Overview

In short: Azure Arc gives you server management capabilities from within one portal.

If you’re looking for a “zero to hero” experience, go to: https://azurearcjumpstart.io and try out different Azure Arc scenarios if you like.

In this blog we will use an Azure Arc enabled server running on-premises as the Azure Automation Hybrid Worker.

 

Hybrid Worker setup diagram

In the Azure Automation documentation, the older setup, which needs the Log Analytics agent and a Log Analytics workspace, is referred to as “Agent-based (V1)”, while using Azure Arc for a Hybrid Worker is called the “Extension-based (V2)” setup type.
Since the setup with Azure Arc is much simpler and is the preferred method, that is what I will describe in the next sections.

The setup will look like the below diagram.

  • A Hybrid Worker server attached to Azure Arc and attached to an Automation Account
  • A service account with limited rights on the Hybrid worker to run a runbook
  • One or more machines we choose as the runbook targets to perform certain tasks on

(Diagram: Arc Hybrid Worker Setup Diagram)

How to follow along

If you want to follow along and try the Hybrid Worker setup for yourself, all you need is one server running anywhere. The system simply needs outbound internet access (HTTPS) to reach the Azure Arc and Azure Automation service endpoints.

You can find the different requirements in the following sections of the documentation:

Azure Arc:
Azure Arc Servers Prerequisites
Azure Arc Servers Network Requirements

Azure Automation:
Azure Automation Network Configuration

Note: If you are a ConfigMgr admin and want to try my example script, the server acting as the Hybrid Worker needs to be domain joined and needs to have access to the ConfigMgr infrastructure. It also needs to have the ConfigMgr console installed. But more on that later.

You can also follow along without domain-joining the system, but that limits the demo and test options.

 

Prepare Azure Automation Account

Let’s start with the Azure Automation Account.

  1. Log in to your Azure subscription and search for “Automation Accounts” in the search box at the top.
  2. Click on “Automation Accounts”. (Screenshot: Azure Portal Search for Automation Accounts)
  3. Click on “+ Create” and create a new “Automation Account”.
  4. Create a new resource group or choose an existing one.
  5. Give the account a name and choose a region. (Screenshot: Create an Automation Account wizard)
  6. Leave all other settings as they are and click on “Review + Create” and “Create”.


Create Hybrid Worker group

Before we set up any Hybrid Worker we need to create a Hybrid Worker group.
The group will later contain the Hybrid Worker machine (or multiple machines if needed) and will act as the target for any Runbook we want to start.

  1. Go to the new Automation Account you just created under “Azure Portal: Automation Accounts”.
  2. Click on “Hybrid worker groups” and “+ Create hybrid worker group”. (Screenshot: Create Hybrid Worker Group button)
  3. Give the new group a name. (Screenshot: Create Hybrid Worker Group Wizard)
  4. I set the option to “Use run as credentials” to “Yes”.
    • Without run-as credentials a Runbook runs under the local SYSTEM account of the Hybrid Worker. That means anyone who is allowed to create or start runbooks in the Automation Account can execute arbitrary code as SYSTEM on that server. In a lab that might not be an issue, but I want to restrict what a script can do by using an on-premises Active Directory user and giving that user only the rights required for the job.
    • If you also want to use a dedicated user for your runbooks as I do here, create the user in your on-premises Active Directory first! (We will set the required rights later in the process.)
    • IMPORTANT: The “Username” needs to be in the format “domain\username”.
    • More about the run-as account can be found here: Create Run As Account (Screenshot: New credential wizard)
  5. We just need the group for now. So, leave the other options as they are and click on “Review + Create” and “Create”.
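The same preparation, done with the Az PowerShell module instead of the portal, as an added example that is not part of the original post. The resource group, account, region, group and user names are placeholders I chose; the credential asset and worker group match the portal steps above, and the format check on the username enforces the “domain\username” rule before anything is created. The New-AzAutomationHybridRunbookWorkerGroup cmdlet needs a recent Az.Automation module.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.Automation
# Added example (not from the original post): create the Automation Account,
# the run-as credential asset and the Hybrid Worker group with Az PowerShell.
# All names below are placeholders chosen for this example.
$ResourceGroup   = 'rg-hybrid-automation'   # placeholder
$Location        = 'westeurope'             # placeholder
$AccountName     = 'aa-hybrid-demo'         # placeholder
$WorkerGroupName = 'HybridWorkerGroup01'    # placeholder
$CredentialName  = 'HybridWorkerRunAs'      # placeholder asset name
$RunAsUser       = 'CONTOSO\svc-runbook'    # placeholder AD account, format domain\username

Connect-AzAccount | Out-Null

# --- "Prepare Azure Automation Account" (portal steps 1-6) ---
if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
}
$account = Get-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AccountName -ErrorAction SilentlyContinue
if (-not $account) {
    $account = New-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AccountName -Location $Location
}

# --- "Create Hybrid Worker group" (portal steps 1-5) ---
# Enforce the domain\username format the IMPORTANT note above calls for:
# exactly one backslash, no whitespace, and a non-empty domain and user part.
if ($RunAsUser -notmatch '^[^\\\s]+\\[^\\\s]+$') {
    throw "Run-as user '$RunAsUser' must be in the format domain\username"
}
# Prompt for the password instead of embedding it in the script. The credential
# asset is stored encrypted in the Automation Account and only handed to runbooks.
$password   = Read-Host -Prompt "Password for $RunAsUser" -AsSecureString
$credential = [pscredential]::new($RunAsUser, $password)
New-AzAutomationCredential -ResourceGroupName $ResourceGroup -AutomationAccountName $AccountName `
    -Name $CredentialName -Value $credential `
    -Description 'Least-privilege AD account used by runbooks on the hybrid worker' | Out-Null

# The group bound to that credential is what the portal's "Use run as credentials = Yes" does.
# Without -CredentialName, runbooks on workers in this group would run as SYSTEM.
New-AzAutomationHybridRunbookWorkerGroup -ResourceGroupName $ResourceGroup -AutomationAccountName $AccountName `
    -Name $WorkerGroupName -CredentialName $CredentialName | Out-Null

# Sanity check: the group exists and carries the credential association.
Get-AzAutomationHybridRunbookWorkerGroup -ResourceGroupName $ResourceGroup -AutomationAccountName $AccountName `
    -Name $WorkerGroupName | Format-List Name, Credential
```

Who can create and start runbooks in this account is now the boundary that matters: restrict the Automation Contributor and Automation Operator roles on the account as tightly as you restrict the AD user, because either side of that pair gives code execution on the Hybrid Worker.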


Azure Arc Extension-based (V2) Hybrid Worker setup

Let’s now add a machine to Azure Arc and finish the Hybrid Worker setup

  1. Before setting up Azure Arc we need to make sure that the following resource providers are registered for the Azure Subscription:
    Microsoft.HybridCompute
    Microsoft.GuestConfiguration
    Microsoft.HybridConnectivity
    Without them the following setup steps won’t work.
  2. Go to Azure Portal: Billing Subscriptions Blade
  3. Choose the subscription you use for Azure Arc and Azure Automation and click on “Resource Providers”.
  4. Click on “Register” in case a provider is not yet registered. (Screenshot: Register Resource Provider wizard)
  5. Let’s now set up Azure Arc. Use the search box again and search for “Azure Arc” this time. (Screenshot: Search for Azure Arc)
  6. Click on “Servers” and “+ Add” to add your server to Azure Arc. (Screenshot: Add Server to Azure Arc)
  7. There are multiple mechanisms for adding systems to Azure Arc.
    Since we only have a single machine and do not need a broad deployment yet, choose “Add a single server” and click on “Generate script”. (Screenshot: Azure Arc script)
  8. Review the prerequisites and click “Next”.
  9. Select an existing resource group or create a new one (this will be the resource group your machine will be part of).

    Set the region, choose “Windows” as the operating system and click “Next”.

    HINT: You can add a proxy server to the onboarding script at this step. Use the “Proxy server” connectivity method to do so if you want or need to. (Screenshot: Add a server with Azure Arc)

  10. Click “Next”, or set tags first if you wish to.
  11. Click on “Download” or the “Copy” button next to it and run the script on the machine you chose to be the Hybrid Worker. (Screenshot: Script download)

  12. The script downloads and installs the Azure Connected Machine agent and opens a browser window (device login) for authentication. Run it in an elevated PowerShell session. At the login prompt, authenticate with a user that has the rights to attach the system to Azure Arc; the built-in “Azure Connected Machine Onboarding” role on the target resource group is enough for this and is preferable to a broader role such as Contributor.

  13. If everything went well, you should be able to see the server after some minutes in Azure Arc in the “Servers” section:
    Go to: Azure Portal: Microsoft Hybrid Compute

  14. Locally on the server we now have the “Azure Hybrid Instance Metadata Service” (service name himds) and the corresponding folder “C:\Program Files\AzureConnectedMachineAgent”.
  15. The final step to add this machine as a Hybrid Worker to Azure Automation is to add the newly onboarded Arc server to our Hybrid Worker group.
  16. Go to Azure Portal: Automation Accounts and click on the new Automation Account.
  17. Click on “Hybrid worker groups”.
  18. Click on the name of the new Hybrid Worker group.
  19. Click on “Hybrid Workers” and “+ Add”. (Screenshot: Add a hybrid worker wizard)
  20. Choose the newly added Azure Arc server from the list and click “Add”. (Screenshot: Add machines as hybrid worker wizard)
  21. The Arc server will then be visible in the Hybrid Worker group as an “Extension based V2” worker.
  22. We should also see event ID 15003 “HybridRunbookWorkerStarted” under “Application and Services Logs\Microsoft-SMA\Operational” locally on the server, which confirms that the Hybrid Worker component is running on that machine. (Screenshot: Event Viewer (Local) showing Microsoft-SMA/Operational)
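The whole Arc onboarding and worker registration above, scripted with azcmagent and the Az modules, as an added example that is not part of the original post or of the portal-generated script. The IDs, names and region are placeholders; the first and last parts run from any machine with the Az modules, the middle part (download, install, azcmagent connect) runs in an elevated PowerShell session on the future Hybrid Worker. The aka.ms download link for the agent MSI and the automationHybridServiceUrl resource property used for the extension setting are my assumptions, not something the post states; the Authenticode check on the downloaded installer is an added safeguard.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.Automation, Az.ConnectedMachine
# Added example (not from the original post). Placeholder values below; the
# aka.ms MSI link and the automationHybridServiceUrl property are assumptions.
$SubscriptionId  = '00000000-0000-0000-0000-000000000000'   # placeholder
$TenantId        = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup   = 'rg-hybrid-automation'                   # placeholder
$Location        = 'westeurope'                             # placeholder
$AccountName     = 'aa-hybrid-demo'                         # placeholder
$WorkerGroupName = 'HybridWorkerGroup01'                    # placeholder
$MachineName     = $env:COMPUTERNAME   # azcmagent names the Arc resource after the host

Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId | Out-Null

# --- Steps 1-4: resource providers. Register-AzResourceProvider is asynchronous,
#     so poll until every namespace reports Registered before onboarding.
$providers = 'Microsoft.HybridCompute', 'Microsoft.GuestConfiguration', 'Microsoft.HybridConnectivity'
foreach ($p in $providers) {
    $state = (Get-AzResourceProvider -ProviderNamespace $p | Select-Object -First 1).RegistrationState
    if ($state -ne 'Registered') { Register-AzResourceProvider -ProviderNamespace $p | Out-Null }
}
while ($providers | Where-Object {
        (Get-AzResourceProvider -ProviderNamespace $_ | Select-Object -First 1).RegistrationState -ne 'Registered' }) {
    Start-Sleep -Seconds 10
}

# --- Steps 5-13, run in an ELEVATED PowerShell on the future Hybrid Worker.
#     Same effect as the portal-generated script; verifying the installer's
#     Authenticode signature before executing it is the added check.
$msi = Join-Path $env:TEMP 'AzureConnectedMachineAgent.msi'
Invoke-WebRequest -Uri 'https://aka.ms/AzureConnectedMachineAgent' -OutFile $msi -UseBasicParsing  # assumed link
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
    throw "Refusing to install: $msi is not validly signed by Microsoft (status: $($sig.Status))"
}
Start-Process msiexec.exe -ArgumentList "/i `"$msi`" /qn /l*v `"$env:TEMP\azcmagent-install.log`"" -Wait

$azcmagent = Join-Path $env:ProgramW6432 'AzureConnectedMachineAgent\azcmagent.exe'
# Interactive device login; the signed-in user only needs the
# "Azure Connected Machine Onboarding" role on the resource group. For
# unattended onboarding use --service-principal-id / --service-principal-secret.
& $azcmagent connect --resource-group $ResourceGroup --tenant-id $TenantId `
    --location $Location --subscription-id $SubscriptionId --cloud AzureCloud
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }
& $azcmagent show      # connection status, resource ID and agent version
& $azcmagent check     # outbound connectivity to the Arc endpoints (also exercises a proxy)

# --- Steps 14-21: register the Arc machine in the worker group and install the
#     HybridWorker extension. Together this is what the portal "+ Add" button does.
$arc = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $MachineName
New-AzAutomationHybridRunbookWorker -ResourceGroupName $ResourceGroup -AutomationAccountName $AccountName `
    -HybridRunbookWorkerGroupName $WorkerGroupName -Name (New-Guid).Guid -VmResourceId $arc.Id | Out-Null

$aa = Get-AzResource -ResourceGroupName $ResourceGroup -Name $AccountName `
    -ResourceType 'Microsoft.Automation/automationAccounts' -ExpandProperties -ApiVersion '2021-06-22'
$settings = @{ AutomationAccountURL = $aa.Properties.automationHybridServiceUrl }   # assumed property
New-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $MachineName -Location $Location `
    -Name 'HybridWorkerExtension' -Publisher 'Microsoft.Azure.Automation.HybridWorker' `
    -ExtensionType 'HybridWorkerForWindows' -TypeHandlerVersion '1.1' -Setting $settings | Out-Null

# --- Step 22: verify on both sides.
Get-AzAutomationHybridRunbookWorker -ResourceGroupName $ResourceGroup -AutomationAccountName $AccountName `
    -HybridRunbookWorkerGroupName $WorkerGroupName | Format-List
Get-Service -Name himds | Select-Object DisplayName, Status              # Azure Hybrid Instance Metadata Service
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-SMA/Operational'; Id = 15003 } -MaxEvents 1 |
    Select-Object TimeCreated, Id, Message                                 # HybridRunbookWorkerStarted
```

If the extension installs but event 15003 never appears, run azcmagent check first: the worker extension talks to the Automation service through the Arc agent's outbound connection, so a blocked endpoint or an unconfigured proxy shows up there before it shows up in the Microsoft-SMA log.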

     

Conclusion

This is it for part one of a two-part series. In part two we will go over the steps to create a simple and a more complex runbook and run them on the Hybrid Worker.
I hope you had fun following along to automate the hybrid world.

Azure Automation and Azure Arc are amazing tools and both can help you automate and simplify server-, process- and service-management. Have fun with them!

Hope to see you at part two: How To Automate The Hybrid World Part Two Of Two

You can also find all my other articles via: https://aka.ms/JonasOhmsenBlogs

 

Stay safe! 

Jonas Ohmsen 
Microsoft Germany 

 

Disclaimer: 

This posting is provided "AS IS" with no warranties and confers no rights.

Last update: Jan 26 2023 05:43 AM