Hi, Jonas here!
Or as we say in the north of Germany: "Moin Moin!"
I’m a Microsoft Senior Cloud Solution Architect – Engineering (or short Sr. CSA-E) and in this article I want to talk about how to automate the hybrid world.
Over the years Microsoft has developed more and more automation tools such as Power Automate, Azure Logic Apps, Azure Functions or Azure Automation. While Azure Automation is not the latest tool in the automation tools family, I dedicate this blog to this amazing tool and hopefully provide you with an easy-to-follow how-to guide.
Table of contents
Azure Automation in a nutshell
Prepare Azure Automation Account
Azure Arc Extension-based (V2) Hybrid Worker setup
TL;DR
What you can expect from this article.
This article is basically a summary of the Azure Automation documentation and a how-to setup of the so-called Hybrid Worker running on a Windows Server. Why a summary of the documentation you might ask? Well, it helps me understand a topic better and it hopefully helps you too.
The main purpose is to learn how Azure Arc, Azure Automation and the Hybrid Worker work together and how to automate the hybrid world.
I chose an example that automates an on-premises task in Microsoft Configuration Manager (ConfigMgr) with an Azure Automation Runbook. ConfigMgr can, however, be replaced with any other on-premises or cloud service.
I will also give you some runbook examples to be able to see some results as fast as possible.
The blog post does not focus on all the other Azure Automation features besides runbooks but should give you enough information to easily add other features later to expand the automation capabilities.
So, grab a coffee or two and follow along if you like.
(This is part one of a two-part series. The link to part two can be found at the end.)
Azure Automation in a nutshell
Azure Automation is a set of tools to automate almost anything. Some of those tools are:
- Runbooks
- A script to automate a certain task which can be started in different ways
- (What I will talk about in this article)
- Change Tracking and Inventory
- A solution to detect changes made to your systems and to create an inventory
- Azure Automation State Configuration
- A powerful tool to apply a defined set of configurations to your systems by leveraging PowerShell Desired State Configuration (DSC)
- Update Management
- A solution to schedule update installations on systems
A Hybrid worker in a nutshell
A Hybrid Worker in general is just a machine you manage to run Runbooks on. A Runbook in essence is just a PowerShell or Python script.
A hybrid worker can either be installed on an on-premises machine or a machine running in the cloud.
A Hybrid Worker helps when a runbook needs to reach on-premises resources, run for a long time, load third-party software, or interact with local services.
Without a Hybrid Worker a runbook would run in the Cloud in an Azure sandbox.
A full feature list of the Hybrid Worker can be found here: Runbook Execution Environment
Azure Arc in a nutshell
Azure Arc gives you the capability to attach systems and services living outside of Azure to Azure Resource Manager and manage them as if they were hosted in Azure. That gives you the benefit of running your management tasks from within one management view.
Have a look at the documentation here: Azure Arc Overview
In short: Azure Arc gives you server management capabilities from within one portal.
If you’re looking for a “zero to hero” experience, go to: https://azurearcjumpstart.io and try out different Azure Arc scenarios if you like.
In this blog we will use an Azure Arc enabled server running on-premises as the Azure Automation Hybrid Worker.
Hybrid Worker setup diagram
In the Azure Automation documentation, the old way using Azure Log Analytics is referred to as “Agent-based (V1)” while using Azure Arc for a Hybrid Worker is called the “Extension-based (V2)” setup type.
Since the setup with Azure Arc is much simpler and the preferred method, that’s what I will describe in the next sections.
The setup will look like the below diagram.
- A Hybrid Worker server attached to Azure Arc and attached to an Automation Account
- A service account with limited rights on the Hybrid worker to run a runbook
- One or more machines we choose as the runbook targets to perform certain tasks on
How to follow along
If you want to follow along and try the hybrid worker setup for yourself, all you need is one server running anywhere. The system simply needs internet access to reach the Azure Arc and Automation services.
You can find the different requirements in the following sections of the documentation:
Azure Arc:
Azure Arc Servers Prerequisites
Azure Arc Servers Network Requirements
Azure Automation:
Azure Automation Network Configuration
Note: If you are a ConfigMgr admin and want to try my example script, the server acting as the Hybrid Worker needs to be domain joined and needs to have access to the ConfigMgr infrastructure. It also needs to have the ConfigMgr console installed. But more on that later.
You can also follow along without domain-joining the system, but that limits the demo and test options.
Prepare Azure Automation Account
Let’s start with the Azure Automation Account.
- Log in to your Azure Subscription and start by searching for “Automation Accounts” in the search box at the top.
- Click on “Automation Accounts”
- Click on “+ Create” and create a new “Automation Account”.
- Create a new resource group or choose an existing one.
- Give the account a name and choose a region.
- Leave all other following settings as they are and click on “Review + Create” and “Create”.
Create Hybrid Worker group
Before we set up any Hybrid Worker we need to create a Hybrid Worker group.
The group will later contain the Hybrid Worker machine (or multiple machines if needed) and will act as the target for any Runbook we want to start.
- Go to the new Automation Account you just created under: “Azure Portal: Automation Accounts”
- Click on “Hybrid worker groups” and “+ Create hybrid worker group”
- Give the new group a name.
- I set the option to “Use run as credentials” to “Yes”
- Without “run as credentials” a Runbook will run under the local system account. That might not be an issue, but I want to restrict script access by using an on-premises Active Directory user and give that user just the rights required to do the job.
- If you also want to use a dedicated user for your runbooks as I do here, create the user in your on-premises Active Directory first! (We will set the required rights later in the process)
- IMPORTANT: The “Username” needs to be in the format “domain\username”
- More about the run as account can be found here: Create Run As Account
- We just need the group for now. So, leave the other options as they are and click on “Review + Create” and “Create”
Azure Arc Extension-based (V2) Hybrid Worker setup
Let’s now add a machine to Azure Arc and finish the Hybrid Worker setup
- Before setting up Azure Arc we need to make sure that the following resource providers are registered for the Azure Subscription:
Microsoft.HybridCompute
Microsoft.GuestConfiguration
Microsoft.HybridConnectivity
Without them the following setup steps won’t work.
- Go to Azure Portal: Billing Subscriptions Blade
- Choose the subscription you use for Azure Arc and Azure Automation and click on “Resource Providers”.
- Click on “Register” in case a provider is not yet registered.
- Let’s now set up Azure Arc. Use the search box again and search for “Azure Arc” this time.
- Click on “Servers” and “+ Add” to add your server to Azure Arc.
- There are multiple mechanisms of adding systems to Azure Arc available. Since we only have a single machine and do not need a broad deployment yet, choose “Add a single server” and click on “Generate script”.
- Review the prerequisites and click “Next”.
- Select an existing resource group or create a new one (this will be the group your machine will be part of).
- Set the region, choose “Windows” as operating system and click “Next”.
HINT: You could add a proxy server to the onboarding script at this step. Use the “Proxy server” connectivity method to do so if you want or need to.
- Click “Next” or set tags if you wish to.
- Click on “Download” or the “Copy” button next to it and run the script on the machine you chose to be the Hybrid Worker.
- The script will download and install the Azure Arc Agent and will open a browser window for authentication.
- Use the login prompt to authenticate with a user having Azure Arc rights to attach the system to Azure Arc.
- If everything went well, you should be able to see the server after some minutes in Azure Arc in the “Servers” section. Go to: Azure Portal: Microsoft Hybrid Compute
- Locally on the server we now have the “Azure Hybrid Instance Metadata Service” and the corresponding folder “C:\Program Files\AzureConnectedMachineAgent”.
- The final step to add this machine as a hybrid worker to Azure Automation is to add the newly added Arc Server to our Hybrid Worker Group.
- Go to: Azure Portal: Automation Accounts and click on the new Automation Account
- Click on “Hybrid Worker Groups”
- Click on the name of the new Hybrid Worker group
- And click on “Hybrid Workers” and “+ Add”
- Choose the newly added Azure Arc server from the list and click “Add”
- The Azure Arc server will then be visible in the hybrid worker group as an “Extension based V2” system.
- We should also see event ID 15003 “HybridRunbookWorkerStarted” under “Application and Services Logs\Microsoft-SMA\Operational” locally on the server. So, it seems the Hybrid Worker part is running on that machine.
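To confirm all of that from the server itself rather than only from the portal, here is an added PowerShell check (my own example, not part of the original post or of the Arc onboarding script). It assumes the agent folder, the service display name, the Microsoft-SMA/Operational log and event ID 15003 named above, and that `azcmagent show`, which ships with the Arc agent, prints a line reading “Agent Status : Connected”.

```powershell
# Added example (not part of the original post or the Arc onboarding script).
# Run in an elevated PowerShell session on the Hybrid Worker server itself.
# Assumptions: the agent folder, the service display name and event ID 15003 in
# Microsoft-SMA/Operational are the ones named in the post; "azcmagent show"
# (shipped with the Arc agent) prints a line "Agent Status : Connected".
function Test-HybridWorkerHealth {
    [CmdletBinding()]
    param(
        [string]$AgentDir = 'C:\Program Files\AzureConnectedMachineAgent'
    )
    $result = [ordered]@{ AgentInstalled = $false; AgentConnected = $false
                          HimdsRunning = $false; WorkerStarted = $false
                          WorkerStartedAt = $null }

    # 1. Azure Connected Machine Agent present and reporting "Connected"?
    $azcmagent = Join-Path $AgentDir 'azcmagent.exe'
    if (Test-Path $azcmagent) {
        $result.AgentInstalled = $true
        $show = (& $azcmagent show 2>&1) -join "`n"
        $result.AgentConnected = [bool]($show -match 'Agent Status\s*:\s*Connected')
    }

    # 2. Azure Hybrid Instance Metadata Service running?
    $himds = Get-Service -DisplayName 'Azure Hybrid Instance Metadata Service' `
                         -ErrorAction SilentlyContinue
    $result.HimdsRunning = ($null -ne $himds -and $himds.Status -eq 'Running')

    # 3. Hybrid Runbook Worker logged "HybridRunbookWorkerStarted" (event 15003)?
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-SMA/Operational'; Id = 15003 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($evt) {
        $result.WorkerStarted   = $true
        $result.WorkerStartedAt = $evt.TimeCreated   # most recent start
    }

    [pscustomobject]$result
}

# Usage: every check should be $true before you point a runbook at this group.
$health = Test-HybridWorkerHealth
$health | Format-List
$health.PSObject.Properties |
    Where-Object { $_.Value -eq $false } |
    ForEach-Object { Write-Warning "Check failed: $($_.Name)" }
```

If event 15003 is missing while the agent shows as connected, the machine is in Azure Arc but not yet (or no longer) acting as a Hybrid Worker, which is the case to investigate before scheduling runbooks.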
Conclusion
This is it for part one of a two-part series. In part two we will go over the steps to create a simple and a more complex runbook and let them run on the Hybrid Worker.
I hope you had fun following along to automate the hybrid world.
Azure Automation and Azure Arc are amazing tools and both can help you automate and simplify server-, process- and service-management. Have fun with them!
Hope to see you at part two: How To Automate The Hybrid World Part Two Of Two
You can also find all my other articles via: https://aka.ms/JonasOhmsenBlogs
Stay safe!
Jonas Ohmsen
Microsoft Germany
Disclaimer:
This posting is provided "AS IS" with no warranties and confers no rights.