Announcing General Availability: Windows Server Management enabled by Azure Arc
Windows Server Management enabled by Azure Arc offers customers with Windows Server licenses that have active Software Assurances or Windows Server licenses that are active subscription licenses the following key benefits: Azure Update Manager Azure Change Tracking and Inventory Azure Machine Configuration Windows Admin Center in Azure for Arc Remote Support Network HUD Best Practices Assessment Azure Site Recovery (Configuration Only) Upon attestation, customers receive access to the following at no additional cost beyond associated networking, compute, storage, and log ingestion charges. These same capabilities are also available for customers enrolled in Windows Server 2025 Pay as you Go licensing enabled by Azure Arc. Learn more at Windows Server Management enabled by Azure Arc - Azure Arc | Microsoft Learn or watch Video: Free Azure Services for Non-Azure Windows Servers Covered by SA Powered by Azure Arc! To get started, connect your servers to Azure Arc, attest for these benefits, and deploy management services as you modernize to Azure's AI-enabled set of server management capabilities across your hybrid, multi-cloud, and edge infrastructure!Announcing Preview of Run Command on Arc-enabled servers
We are excited to announce the Public Preview of Run Command on Azure Arc-enabled servers. This feature is a game-changer for remotely and securely managing your Azure Arc-enabled servers. You can start using Azure CLI or API for Run Command today, without requiring any additional extensions or configurations, and at no additional cost.Simplify certificate management of on-prem IIS server with Azure Arc & Azure Key Vault VM extension
One common question which I’ve come across is certificate management for web servers. Usually when servers are hosted on Azure there are ways like storing certificates and secrets in Azure Key vault is a viable solution. I’ve come across customers who’re running servers in hybrid and few servers would still remain on-premises because of dependencies. For these web servers managing certificates is a costly affair. Common practice which I’ve seen is admin sharing the certificate with application team on some file share. This has few disadvantages. Storing the certificate in file share or on email. Based on the number of application team a lot of team gets access to certificates. Manually applying updated certificates once the expiry is near also finding which all servers this certificate is being used is a pain if you’ve a big environment with lots of web service. One better way to handle this scenario is to Store certificate in Azure Key vault centrally and Arc Enable the web server. One last step which will do the magic is Azure Key vault VM Extension. Which can be enabled on Arc Server as extension. This setup provides the advantages below. All the certificates are stored centrally in Azure Key Vault which is protected. No application team has got manual access to certificates, on-prem server will pull the certificate based on the managed identity assigned via Azure Arc. Once the cert expiry is near Admin/app team need to just goto Azure Key Vault and update the certificate with the latest version. Azure Key vault VM Extension will pull the latest certificate and apply the same to the website. $Settings = @{ secretsManagementSettings = @{ observedCertificates = @( "https://keyvaultname.vault.azure.net/secrets/certificatename" # Add more here in a comma separated list ) certificateStoreLocation = "LocalMachine" certificateStoreName = "My" pollingIntervalInS = "3600" # every hour } authenticationSettings = @{ # Don't change this line, it's required for Arc enabled servers msiEndpoint = "http://localhost:40342/metadata/identity" } } $ResourceGroup = "ARC_SERVER_RG_NAME" $ArcMachineName = "ARC_SERVER_NAME" $Location = "ARC_SERVER_LOCATION (e.g. eastus2)" New-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $ArcMachineName -Name "KeyVaultForWindows" -Location $Location -Publisher "Microsoft.Azure.KeyVault" -ExtensionType "KeyVaultForWindows" -Setting (ConvertTo-Json $Settings) For auto renewal of certificate, we’ll need to enable IIS Rebind. This is how Arc VM Extension looks like when it’s enabled. Assigning permission to Arc server to fetch the certificate from keyvault. You can use access policy on Keyvault as well, it’s supported. Versions of the certificate/new certificate can be uploaded from key vault certificate blade and looks like below. If you’re renewing certificates and wanted to see if certificates are getting pulled down properly or not you can check error logs located here. C:\ProgramData\Guestconfig\extension_logs\Microsoft.Azure.Keyvault.keyvaultforwindows If you’re running Azure VM similar thing can be achieved : https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-windows Cert Rebind in IIS: https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85 Visit my Blog: https://www.azuredoctor.com/ Public blogpost: https://www.azuredoctor.com/posts/arc-keyvault/Announcing HCIBox support for Azure Stack HCI 23H2
Not a day goes by without the Jumpstart team being asked "When is HCIBox 23H2 coming?" You want to get hands-on with Azure Stack HCI 23H2 and the new cloud deployment, lifecycle management capabilities, and out-of-the-box Arc-enabled services. We have heard the demand loud and clear, and the wait is now over!Azure Best Practices delivered to machines anywhere with new Azure Arc and Automanage integration.
Tired of manually onboarding and configuring Azure services for your Arc-enabled servers? With Azure Automanage Machine Best Practices, you can point, click, set, and forget to extend Azure security, monitoring, and governance services to servers anywhere.Announcing the General Availability of the Azure Arc Gateway for Arc-enabled Servers!
We’re excited to announce the General Availability of Arc gateway for Arc‑enabled servers. Arc gateway dramatically simplifies the network configuration required to use Azure Arc by consolidating outbound connectivity through a small, predictable set of endpoints. For customers operating behind enterprise proxies or firewalls, this means faster onboarding, fewer change requests, and a smoother path to value with Azure Arc. What’s new: To Arc‑enable a server, customers previously had to allow 19 distinct endpoints. With Arc gateway GA, you can do the same with just 7, a ~63% reduction that removes friction for security and networking teams. Why This Matters Organizations with strict outbound controls often spend days, or weeks, coordinating approvals for multiple URLs before they can onboard resources to Azure Arc. By consolidating traffic to a smaller set of destinations, Arc gateway: Accelerates onboarding for Arc‑enabled servers by cutting down the proxy/firewall approvals needed to get started. Simplifies operations with a consistent, repeatable pattern for routing Arc agent and extension traffic to Azure. How Arc gateway works Arc gateway introduces two components that work together to streamline connectivity: Arc gateway (Azure resource): A single, unique endpoint in your Azure tenant that receives incoming traffic from on‑premises Arc workloads and forwards it to the right Azure services. You configure your enterprise environment to allow this endpoint. Azure Arc Proxy (on every Arc‑enabled server): A component of the connected machine agent that routes agent and extension traffic to Azure via the Arc gateway endpoint. It’s part of the core Arc agent; no separate install is required. At a high level, traffic flows: Arc agent → Arc Proxy → Enterprise Proxy → Arc gateway → Target Azure service. Scenario Coverage As part of this GA release, common Arc‑enabled Server scenarios are supported through the gateway, including: Windows Admin Center SSH Extended Security Updates (ESU) Azure Extension for SQL Server For other scenarios, some customer‑specific data plane destinations (e.g., your Log Analytics workspace or Key Vault URLs) may still need to be allow‑listed per your environment. Please consult the Arc gateway documentation for the current scenario‑by‑scenario coverage and any remaining per‑service URLs. Over time, the number of scenarios filly covered by Arc gateway will continue to grow. Get started Create an Arc gateway resource using the Azure portal, Azure CLI, or PowerShell. Allow the Arc gateway endpoint (and the small set of core endpoints) in your enterprise proxy/firewall. Onboard or update servers to use your Arc gateway resource and start managing them with Azure Arc. For step‑by‑step guidance, see the Arc gateway documentation on Microsoft Learn. You can also watch a quick Arc gateway Jumpstart demo to see the experience end‑to‑end. FAQs Does Arc gateway require new software on my servers? No additional installation - Arc Proxy is part of the standard connected machine agent for Arc‑enabled servers. Will every Arc scenario route through the gateway today? Many high‑value server scenarios are covered at GA; some customer‑specific data plane endpoints (for example, Log Analytics workspace FQDNs) may still need to be allowed. Check the docs for the latest coverage details. When will Arc gateway for Azure Local be GA? Today! Please refer to the Arc gateway GA on Azure Local Announcement to learn more. When will Arc gateway for Arc-enabled Kubernetes be GA? We don't have an exact ETA to share quite yet for Arc gateway GA for Arc-enabled Kubernetes. The feature is currently still in Public Preview. Please refer to the Public Preview documentation for more information. Tell us what you think We’d love your feedback on Arc gateway GA for servers—what worked well, what could be improved, and which scenarios you want next. Use the Arc gateway feedback form to share your input with the product team.
