Azure Arc topics

Alert on Pending Updates

Joeri_Michiels — Wed, 16 Jul 2025 12:23:55 GMT

Hi,

We've set up several onpremise servers with the Azure Arc agent, to allow us to manage updates via Azure Update Manager.

I'd like to get a mail notification with pending updates before the maintenance is scheduled. Azure Update Manager provides a New alert rule (preview) feature that allows me to setup a new alert for pending updates easily.

The issue is that it runs every 5 minutes, fires the alert, and sends the email every 5 minutes. Ideally this is sent before the maintenance schedule runs (every 2 weeks), so I know which updates will be applied before they get applied. Changing the frequency of evaluation can be changed to 1 day max, but that will trigger the message to be sent every day.

I figured that I could edit the alert rule and change the Query type to Single event (preview), but not sure if that's the solution. When I try this, I cannot edit or save a query.

No way to add something to the query and there's no save button:

Any idea how I could trigger a Pending Update alert rule to run on a scheduled basis, eg every 2 weeks ?

Thanks

Best regards,

Joeri Michiels

Azure Local - Design the infrastructure - some bad design choices I have stumbled on

Chris_toffer0707 — Wed, 16 Jul 2025 11:08:43 GMT

Hi.
I wanted to share my lasted blog article where I touch on some of the bad design choices I have stumbled on when working with customers existing Azure Local deployments that broke down or in other ways behaved with poor performance or disruptions.

https://www.chkja.dk/2025/07/16/azure-local-design-the-infrastructure/

I hope to inspire and feel free to share your knowledge here in the thread :)

My Mistake: installing azure local OS On laptop

gregorywoodruffstl — Mon, 16 Jun 2025 05:04:15 GMT

Let me begin by apologizing to all experienced tech community professionals who have posted numerous discussions resulting in numerous solutions. I should have known that to start a discussion you really need to be as succinct as you can be, not unlike creating a perfect prompt while submitting something to an AI model.

I was unaware that my discussion needed to be approved before being available to all -how come AI doesn't do that approval? 7 hours later... A big thank you to the moderator of this Category. They really saved me by giving extra time to read and re-read my initial post. Ugh...

My self-imposed punishment for being a knucklehead is to dig a little deeper. I'm doing that and I'm onto something. When I think I have a more complete set of instructions to do what I'm doing, I'll provide details and hopefully I will be self-aware of written and unwritten rules of the Tech Community Road In future posts

Installing azure local os on a laptop

gregorywoodruffstl — Sun, 15 Jun 2025 21:57:30 GMT

I don't know if it is possible but I would like to try installing azure local on a laptop that has a two terabyte SSD drive. it is an LG Gram laptop. the reason I would install it on the laptop is the laptop was damaged while being transported by an ambulance to hospital the laptop did they lowered the the gurney and the laptop was underneath and so the laptop was crushed into the shape of a 8th moon. if it is possible what I'd like to do is install the azure local os and then from the azure portal provision a Windows 11 operating system initially for testing purposes. if I can be successful at that then I would try installing Azure Local On one of several servers I have in my home that have multiple network cards I also have a bank of 56 public IP addresses So I think I have everything necessary but I'd like to start with the laptop any tips would be appreciated i've searched high and low maybe I'm just not good at searching but hoping somebody out there take a minute to tell me I'm parking up the wrong tree or maybe you can provide me with a link to a good article or just tell me what I need to do. In the end maybe I can use the laptop and it's drive for restoring data for insights or some or maybe have one BM running on it Anything I can do to use the on premise Hardware that I have would help from a cost standpoint. I am limited in what I can do as far as neurologically because of a spinal cord injury but that's not a crutch it's just an FYI. I'm pretty sure one of you is way smarter than me and way more experienced than I So thanks In advance we're taking the time to point me in whatever direction I need have a good afternoon

Update servers with Arc, but leave SCCM installed

jmaraviglia — Wed, 11 Jun 2025 19:04:33 GMT

We have multiple servers that we want to update with Arc instead of SCCM. Want to leave SCCM installed for reporting purposes. We found a few registry keys that point to the on-prem SCCM server. I've tried removing them, but they are reinstalled by the client after a reboot. Is there a clean way to disable this feature so that Arc handles all the monthly updates?

Learning Azure with Ofek – Azure Arc

OfekBenEliezer — Mon, 28 Apr 2025 13:53:20 GMT

is a solution that simplifies hybrid environment management and it’s free. Azure Arc allows you to manage and govern on-premises resources and resources from other clouds like AWS and GCP directly within your Azure environment. You can connect physical servers, virtual machines, Kubernetes clusters, and SQL Servers, and manage them as if they were native Azure resources. Azure Arc extends Azure capabilities to your on-premises and multi-cloud environments. It enables you to deploy services like Azure Policy, Defender for Cloud, and Azure Monitor easily across environments. You can also centrally manage SQL Server with performance assessments, cloud backups, Azure authentication, and pay-as-you-go licensing. The big advantage is unified management of policies, security, updates, and monitoring from the same Azure interface. From my experience, Azure Arc is ideal for organizations operating in hybrid environments or those still in transition to the cloud. Feel free to reach out for any questions.

Azure Arc Gateway and Azure Arc Proxy

jbi — Tue, 01 Apr 2025 19:24:59 GMT

Hi,

I had an internal discussion regarding the purpose of the Azure Proxy.

Can the Azure Arc Proxy
A) take over the communication of other VMs, servers or Arc Agents that cannot access the internet. In other words, the Arc Proxy is a proxy for other Arc Agents on other servers.

B) or does the Azure Arc Proxy only serve as a proxy on the VM itself for the extensions installed on the same machine, thus simplifying communication of the individual servers over an enterprise proxy server and reducing the URLs that need to be whitlisted.

I think the graphic can be misinterpreted

https://learn.microsoft.com/en-us/azure/azure-arc/servers/arc-gateway?tabs=portal

I would be grateful for a brief confirmation and clarification.

Many thanks in advance

Can't install Azure ARC on multiple Server 2025 devices

hoyty76 — Wed, 19 Mar 2025 21:00:00 GMT

I have multiple Server 2025 devices that when I click "Launch Azure Arc Setup" button on taskbar icon or "Azure Arc Setup" on start menu nothing happens. I then tried to download arcsetup.exe and it never advanced beyond the initializing Windows Installer screen. I got it to work on one server and 4-5 all have the same problem. Both physical and VM. Below are errors in the event log.

Exclude KB from the Update manager reports

lalanc01 — Fri, 14 Mar 2025 19:08:48 GMT

Hi, is there a way to filter out a KB that we have excluded from our maintenance configs, so that it doesn't show up as a missing updates for servers on which we have assigned that maintenance config in the overview page?

Or is the only way is to create our own custom workbook that will show this exclusion?

Thank you in advance and don't hesitate if you have any questions

Forcibly removing Azure Arc on-prem server from Defender for Cloud

Eric_Logsdon — Wed, 12 Mar 2025 19:33:31 GMT

I have a few servers that were Arc enabled and decommissioned without removing Arc. How can I forcibly remove them from Defender for Cloud?

Azure Arc, on-prem servers, and MDE

Chaffy — Mon, 10 Mar 2025 12:37:06 GMT

I've onboarded a handful of on-prem server into Azure Arc and I would like to rollout the MDE extension. Do I have to enable MDE on the resource group or subscription before I can install it? I don't see it listed as an available extension when I go here:
Azure Arc | Machines > server01 | Extensions > Install extension

Lots of spam, is there a way to report and filter them?

luchete — Sat, 15 Feb 2025 16:26:13 GMT

Is there any way to flag or report these spam posts? As some of you may be aware, I've seen them multiple times, and sometimes they disappear for a while, only to come back later. This makes it difficult for important topics to stay visible in the forums. Is there a way we can help by reporting them? Makes any difference?

Register now for the Migrate to Innovate Summit

MSdellis — Thu, 13 Feb 2025 21:47:01 GMT

Join the summit on March 11, presented in partnership with Intel.

Stay agile, innovate for the future, and maintain a competitive edge by accelerating your cloud migration and modernization journey. Microsoft thought leaders will discuss the latest news and trends, showcase real-world case studies, and share how Azure can help you fully embrace AI.

Join us to:

Maximize business value and build the foundation for successful innovation by leveraging the latest Azure and Intel capabilities for your workloads.

Dive into case studies and real-world examples showcasing how organizations have successfully transformed their business and how you can be next by migrating and modernizing on Azure.

Make sure your cloud migration and modernization journey is using the best practices and strategies featured in product demonstrations.

Register now >

Migrate to Innovate Summit

Tuesday, March 11, 2025

9:00 AM–11:30 AM Pacific Time (UTC-7)

LAB: Azure Arc Enabled Kubernetes

Aaida_Aboobakkar — Wed, 12 Feb 2025 14:18:53 GMT

Below are the steps and commands you can use to deploy Kubernetes and connect it to azure arc.

My test machine: Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-1021-azure x86_64)

Kubernetes Distribution: Minikube

Note: You need to follow different installation procedure according to the OS and processor architecture of your test system. The installation link provided in each step.

Install Docker

sudo apt update
sudo apt upgrade

#Install Docker

#Link for Docker installation
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
docker -v

Install Kubectl

#Install Kubectl

#link for kubectl
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
kubectl version --client

Install Minikube

#Install Minikube

# Link for Minikube installation
curl -LO https://github.com/kubernetes/minikube/releases/latest/download/minikube-linux-amd64
sudo install minikube-linux-amd64 /usr/local/bin/minikube && rm minikube-linux-amd64
sudo usermod -aG docker $USER

minikube start --driver=docker

Connect to azure arc

#Connect to azure arc
az connectedk8s connect --name k8clust3 --resource-group myrd --location swedencentral
kubectl get deployments,pods -n azure-arc

Azure Arc Decision Tree

Aaida_Aboobakkar — Mon, 10 Feb 2025 07:56:54 GMT

LAB: Azure Arc with Private Endpoint

Aaida_Aboobakkar — Fri, 07 Feb 2025 17:09:48 GMT

What is Azure Arc?

Azure Arc is a set of technologies that extends Azure management and enables Azure services to run across on-premises, multi-cloud, and edge environments. It allows you to manage resources such as servers, Kubernetes clusters, databases, and applications running outside Azure using familiar Azure tools and services like Azure Policy, Azure Monitor, and Defender for cloud.

With Azure Arc, you can bring these resources into Azure's control plane, standardize operations, and apply consistent security and governance across your entire IT landscape.

This simplifies hybrid and multi-cloud management while leveraging Azure's features, making it easier to innovate and maintain control over your infrastructure.

What is Azure Private Endpoint?

Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. By using a private IP address from your virtual network, the private endpoint brings the service into your virtual network, ensuring that traffic between your virtual network and the service remains private. This setup eliminates exposure from the public internet, enhancing security. Private endpoints can be used with various Azure services, such as Azure Storage, Azure SQL Database, and Azure Cosmos DB. They provide secure connectivity between clients on your virtual network and the service, using the same connection strings and authorization mechanisms as public endpoint.

What are the benefits of configuring private link for your arc machines?

Enabling Azure Arc for your machines involves several network and system requirements. Organizations are sometimes concerned about allowing certain public endpoints through their firewall and proxy. In this context, Private Endpoints can be used to ensure that some connections to Azure remain within the Microsoft backbone network. While this service does not eliminate the need for internet connectivity entirely, you will still need to allow public access for Microsoft Entra ID and Azure Resource Manager servers. However, this method significantly reduces the challenge of IP/FQDN whitelisting for internet access.

When you create private endpoints in a virtual network for Azure Arc, it will create a resource with Azure Hybrid Compute as the target. Additionally, it will create several private DNS zones and assign them to the private endpoint. The private endpoint will have IPs assigned from the specified virtual network address range. See the screenshot below. These IPs are now directly linked to Azure Arc services, enabling private connectivity through Azure

LAB Architectural Diagram

LAB Pre-requisites

An On-premises machine. (Internet traffic can be directed firewall or proxy for security)
On-premises DNS
An Azure Subscription
VPN/Express-route Connection between On-premises and Azure Infrastructure
Understand the Limitations and features

The components that will be created as part of LAB

A private endpoint which has Hybrid compute as source point
Private DNS zones for Azure Arc services
A private DNS resolver in Azure. Azure DNS doesnt accesspt dns queries coming from non-azure sources. Hence you need to configure azure private dns zone . You will get a private IP while creating inbound enpoint for resolver.
DNS Forwarder need to be created in on-premise DNS to private IP of Azure private DNS resolver's inbound IP
Powershell script to onboard machine
Azure arc machine : Will be created once on premise machine gets connected to azure arc.

Traffic flow

There are three kind of traffic flow is involved here.

DNS flow: To resolve the domain names of private endpoints
Private endpoint flow: Actual traffic to Azure arc services
Internet flow: Traffic to Microsoft Entra ID and Azure Resource manager control plane

Private endpoint and private DNS Flow

Let's suppose the Azure Arc agent initiates traffic to one of the Azure Arc services FQDNs, such as gbl.his.arc.azure.com.
On-premises machines need to resolve the FQDN to an IP address, so they send a DNS request to the on-premises DNS server.
The DNS forwarder is configured to send *.gbl.his.arc.azure.com DNS queries to the Private DNS resolver configured in Azure.
The Private DNS resolver receives the DNS query and resolves it, as these domains are already linked to the virtual network where the resolver resides.
Once the on-premises DNS server receives the IP resolution from the Azure DNS resolver, it sends it back to the on-premises machine.
Now that the on-premises machine has the IP (private IP), it sends the actual traffic to the IP of the private endpoint.
The private endpoint receives the traffic, and since this interface is directly linked to the Azure Arc services (the intended destination), the connectivity is successfully established.

Steps:

Generate Onboarding script.
Private endpoint can be created while generating the script itself.
Go to Azure Arc-->Machines-->Create

You can select option which best suited for you. I am selecting Add multiple servers.

Provide Resource Group,Region,OS details.
Create Private endpoint using option provided
Provide Virtual Network and subnet for private endpoint

Provide or create new service principal. Note secret of service principal

Goto Download and run script session. You can copy script and run it directly or you can download script and run it. Please do not forget to update service principal secret in script.

You can verify the resources created as part of Private endpoint created
There will be three private DNS zones created

A private endpoint resource will be created with hybrid compute as target resource

Create a private DNS resolver and inbound endpoint in it.

Provide necessary details.

Add inbound endpoint and click create

Note the private IP of inbound endpoint, which is needed to specify DNS forwarder in on-premise

Configure DNS forwarder in On-premise DNS

Add all three private DNS zone domains

Bypass private DNS zone domains (This step is required if you have internet proxy in your infrastructure.

Now you are all set to deploy script generated in for onboarding

Now you can see the onboarded machine in azure arc portal

Azure Arc Patching

RussMeyer-Epik — Thu, 06 Feb 2025 17:32:44 GMT

Working on getting boxes onboarded with Azure Arc since we are mostly cloud based, but still have a few boxes left on prem. In my lab I am able to enroll and setup patching via Azure without much issue. Via the console it reports stuff running, etc however when checking on the box I dont see the patches via update history or wmic qfe list. But when I check the rev, I see the OS is current (I installed from an ISO that was 12 months old)

Seems like the data is out of sync or just missing locally. Other than Azure Arc's log, is there anyway to validate its working correctly? sorry, just paranoid and want to make sure its solid...

LAB: Onboarding On-premises Machine to Azure Arc by using Proxy as Connectivity Method

Aaida_Aboobakkar — Thu, 06 Feb 2025 15:34:15 GMT

What is Azure Arc?

With Azure Arc, you can bring these resources into Azure's control plane, standardize operations, and apply consistent security and governance across your entire IT landscape.

This simplifies hybrid and multi-cloud management while leveraging Azure's features, making it easier to innovate and maintain control over your infrastructure.

LAB Architecture

Lab pre-requisites:

Set up and on-premises environment with an VM and Enterprise Proxy.
An Azure subscription where we can on board machine.
Understand the system, network pre-requisite. Plan Deployment

Please note the hostname as this will show in azure arc portal once you on board machine into azure arc.

Also, you can verify whether proxy is configured using command netsh winhttp show proxy

Note: You don't need to use proxy connectivity option if your internet traffic is already routing via proxy in the network level. You can use this option if you need your agent to communicate via a different proxy which not already configured at network level.

Steps to deploy:

Generate Script to on-board on-premises machine:

Go to Azure Arc-->Machines and Click on Create.

Select an option best suited for you. I am using Add multiple servers Option

Fill the details, provide your proxy sever URL.

Provide service principal already have or create new one.

Provide tags if you need.

Go to download and run script option. Either you can download or copy the script and directly and run it in your machine.

Update Service Principal secret inside script then the script is ready to use.

Run the script in on-premises machine

Go to on-premises machine PowerShell and run script. The script will install the Azure Arc agent and connect the system with Arc control Plane.

Not necessarily these steps need to do by PowerShell. You are having multiple way to connect machine to azure arc. Eg: CLI, API calls etc. Please go through Azure arc documentation to know more.

The following action will take place once you run the script.

Azure Connected Machine Agent Installation
Setting proxy configuration
Connect machine to Azure

Now your machine is onboarded, and you can enjoy all the services in azure. In nutshell you can treat your on-premises machine as azure vm and apply all the related series.

Azure Arc Gateway with Custom internet Proxy: LAB

Aaida_Aboobakkar — Thu, 06 Feb 2025 14:45:06 GMT

What is Azure Arc?

With Azure Arc, you can bring these resources into Azure's control plane, standardize operations, and apply consistent security and governance across your entire IT landscape.

This simplifies hybrid and multi-cloud management while leveraging Azure's features, making it easier to innovate and maintain control over your infrastructure.

What is Azure Arc Gateway?

If you use enterprise proxies to manage outbound traffic, the Azure Arc gateway lets you onboard infrastructure to Azure Arc using only seven (7) endpoints. With Azure Arc gateway, you can:

Connect to Azure Arc by opening public network access to only seven fully qualified domain names (FQDNs).
View and audit all traffic an Azure Connected Machine agent sends to Azure via the Arc gateway.

How the Azure Arc gateway works

Azure Arc gateway consists of two main components:

The Arc gateway resource: An Azure resource that serves as a common front-end for Azure traffic. This gateway resource is served on a specific domain. Once the Arc gateway resource is created, the domain is returned to you in the success response.
The Arc Proxy: A new component added to Arc agentry. This component runs as a service called "Azure Arc Proxy" and acts as a forward proxy used by the Azure Arc agents and extensions. No configuration is required on your part for the Arc Proxy. This Proxy is part of Arc core agentry and runs within the context of an Arc-enabled resource.

When the gateway is in place, traffic flows via the following hops: Arc agentry → Arc Proxy → Enterprise proxy → Arc gateway → Target service

Important Note: The Arc gateway feature for Azure Arc-enabled servers is currently in Public Preview in all regions where Azure Arc-enabled servers is present

LAB Architecture

Lab pre-requisites:

Set up and on-premises environment with an VM and Enterprise Proxy.
An Azure subscription where we can on board machine.
Understand the limitations and system requirements: Limitations

Please note the hostname as this will show in azure arc portal once you on board machine into azure arc.

Also, you can verify whether proxy is configured using command netsh winhttp show proxy

Note: You don't need to use proxy connectivity option if your internet traffic is already routing via proxy in the network level. You can use this option if you need your agent to communicate via a different proxy which not already configured at network level.

Steps to deploy Azure Arc Gateway with Proxy

Create an Azure Arc Gateway:

Go to Azure Arc Gateway session, click on create and create an arc gateway

Generate Script to on-board on-premises machine:

Go to Azure Arc-->Machines and Click on Create.

Select an option best suites for you . I am using Add multiple servers Option

Fill the details, provide your proxy sever URL and select arc gateway created

Provide service principal already have or create new one.

Provide tags if you need.

Go to download and run script option. Either you can download or copy the script and directly and run it in your machine.

Update Service Principal secret inside script then the script is ready to use.

Run the script in on-premises machine

Go to on-premises machine PowerShell and run script. The script will install the Azure Arc agent and connect the system with Arc control Plane. The script will take care of proxy direction and arc gateway setting.

Not necessarily these steps need to do by PowerShell. You are having multiple way to connect machine to azure arc. Eg: CLI, API calls etc. Please go through Azure arc documentation to know more. Azure Arc Enabled Servers

The following action will take place once you run the script.

Azure Connected Machine Agent Installation
Setting proxy configuration
Enabling and starting Azure Arc Proxy service
Connection Type will set to 'gateway'
Connect machine to Azure

Now your machine is onboarded, and you can enjoy all the services in azure. In nutshell you can treat your on-premise machine as azure vm and apply all the related series.

WAC in Azure

sparksjoseph1997 — Wed, 13 Nov 2024 23:11:33 GMT

I am looking for info on how to get access to the Windows Admin Center on Azure. I am finally getting back to getting this implemented and thought I read that I can enroll my on-prem servers into WAC on Azure. I want to be able to manage my patching, see vulnerabilities, and also get my Hyper V host workload metrics. Was I reading this in correctly and it still needs to be installed on a local server?