How to Bring Your Home Lab to the Cloud – Azure Arc


While relaxing on vacation I spent some time reading into Azure Arc. It turns out there is some pretty cool stuff to dive into there. Azure Arc is Microsoft’s method of connecting your on-premises resources to Azure. Azure Arc provides options for configuring, updating and managing your servers right alongside your cloud resources. Since I’ve been on a kick learning more about remote access and cloud-based tools, it seems only fitting to dive in and check out Azure Arc.

I would be mistaken if I didn’t also mention that Azure Arc for Servers is free. Yup, one of the few Azure tools that carries no cost. Sure, there are ways you can get into some cost with Azure Arc, but the basic functionality (including update management) is free. As most Home Lab enthusiasts will tell you, free access to enterprise technology is an awesome thing. We’re going to explore the world of Azure Arc and see what all we can do. Let’s get started.

DISCLAIMER

Please understand that the content herein is for informational purposes only. This existence and contents shall not create an obligation, liability or suggest a consultancy relationship. In further, such shall be considered as is without any express or implied warranties including, but not limited to express and implied warranties of merchantability, fitness for a particular purpose and non-infringement. There is no commitment about the content within the services that the specific functions of the services or its reliability, applicability or ability to meet your needs, whether unique or standard. Please be sure to test this process fully before deploying in ANY production capacity, and ensure you understand that you are doing so at your own risk.

Table Of Contents

Exploring Some Basics with Azure Arc
Enroll the First Server
Next Steps
Conclusion


Exploring Some Basics with Azure Arc

Azure Arc presents administrators with an opportunity to dip their toes in the water when it comes to Azure hosted resources. Where some may find it cost prohibitive to host server resources in the cloud, Azure Arc provides an opportunity to push the management and configuration of cloud based and on-premises hosted resources in a single pane of glass. This also means that you can have servers hosted in non-Microsoft cloud environments, and still manage them from your Azure dashboard. For organizations with multi-cloud environments, this is a game changer.

For me, I don’t have multi-cloud and my lab is humble. However, I love the idea of exploring the capabilities of Azure Arc. Azure Resource Manager has been a huge boost for Azure administrators as it makes automation and configuration much easier and more repeatable. Azure Arc extends that ARM capability to your existing infrastructure. That means that I can learn more about Azure automation and ARM without the cost of spinning up servers in the cloud.

Here are some of the things I’m looking forward to learning more about in Azure Arc:

Update Management

I already have ManageEngine Patch Manager for my update management, but why shouldn’t I consider moving to Azure Update Management automation? Having all my systems in Azure means that I already have them cloud connected, and I can create Update Management policies that I will use to keep my lab up to date. Few things are as frustrating to me as logging into the lab, getting inundated with missing patches, and having to update everything before I can try what I want to try.

This enrollment in Azure Arc can be managed via Group Policy or whatever other tool you might have in place for configuring devices, which means that Update Management can also be added automatically. To me this is a win because you are automating the security posture of your environment making it less likely that things will be missed. I’m looking forward to testing this out in Azure Arc, instead of using my current tool.

Windows Admin Center

I never finished the Blog post, so I never posted it, but last year I started experimenting with Windows Admin Center. I wanted to see how much of a difference it was to have that implemented in my environment. Well, I never finished the post, and never went back to it. However, now with Azure Arc, you can have an Azure Hosted Windows Admin Center environment to manage all of your Azure Arc enabled servers. This seems super cool. This way I don’t have to manage or host it myself, yet I can still have full control over my environment. Plus, since it is cloud based, I can access it from anywhere. This would be a game changer if it works as well as I imagine it to.

With tools like this likely to become more common over time, there is something to be said about staying with Microsoft tools. No one can say that Microsoft isn’t working hard to create the tools that Admins need. Opinions about the quality and usability of those tools will likely vary from Admin to Admin, but no one would say Microsoft isn’t trying. Azure Arc will give me the chance to really dig in and try and test out these tools.

Azure Policy

As the world continues to go more and more towards the cloud, legacy tools like Group Policy are going to be less and less effective. Azure Policy is the modern equivalent of Group Policy, and it is something I am anxious to start experimenting with. Like most IT folks, I want to make my life and my job as easy as possible, and in many cases newer tools can do just that. Whether or not that is true with Azure Policy, I don’t know yet, but I plan to find out.

*Azure Policy is not free for Arc Servers, but I will likely test it out all the same.


Enrolling the First Server

Enrolling a single server is easy, and we are going to start there. First, navigate over to Portal.Azure.com and sign in.

Creating the Script

  1. In the search bar, search for Azure Arc. It should take you to the getting started page. Where it says “Add your Infrastructure for free…” click Add to get to the enrollment page. In my case, I am enrolling a server, so I will choose the Servers Option.
  2. I am going to start with a single server. Click the “Generate script” button to get a script for a single server. This will take us to a page where we can start to configure our settings for Azure Arc enrolled servers.
  3. From here, create or assign a Resource group, region and operating system for this script. Choose an endpoint to match your needs (Private Endpoint will require a VPN tunnel & a Proxy will require a Proxy tunnel). I’m leaving mine as Public for the time being.
  4. You will then be presented with an opportunity to create/assign any tags. Tags are great for organizing reporting and cost management, but for me I left them blank. Hit Next.
  5. Finally, click Download and Run script. Here you will be presented with a script to download or copy. Click Download, then right click the script once it is finished downloading. Go to Properties and uncheck the box to Unblock at the bottom. Hit apply and then OK.
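The Unblock setting in Properties controls the Mark of the Web that Windows attaches to downloaded files. The PowerShell below is an added example, not part of the original post and not Microsoft's generated script. It reports the file's hash, zone mark, signature status and every host the script references before you clear that mark. The default path and file name are assumptions; point it at wherever your browser saved the download.

```powershell
# Added example: review a downloaded onboarding script before unblocking and running it.
# The default path/file name is an assumption; pass -ScriptPath for your own download.
param(
    [string]$ScriptPath = "$env:USERPROFILE\Downloads\OnboardingScript.ps1"
)

function Get-ScriptReview {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Mark of the Web lives in the Zone.Identifier alternate data stream.
    # ZoneId=3 means "Internet"; HostUrl (when present) records the download source.
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null; $hostUrl = $null
    foreach ($line in $motw) {
        if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
        if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
    }

    # Every distinct host the script references, so you can see what it will contact.
    $text  = Get-Content -LiteralPath $Path -Raw
    $hosts = [regex]::Matches($text, 'https?://([A-Za-z0-9.-]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() } |
        Sort-Object -Unique

    [pscustomobject]@{
        Path      = $file.FullName
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        ZoneId    = $zoneId
        HostUrl   = $hostUrl
        # Reported as-is; this example does not assume the generated script is signed.
        Signature = (Get-AuthenticodeSignature -LiteralPath $Path).Status
        Hosts     = $hosts
    }
}

$review = Get-ScriptReview -Path $ScriptPath
$review | Format-List

# Unblock only after reading the report and the script itself. Unblock-File removes
# the Zone.Identifier stream, the same mark the Properties dialog controls.
if ($review.ZoneId -ge 3) {
    $answer = Read-Host "File carries an Internet zone mark. Unblock $($review.Path)? (y/N)"
    if ($answer -eq 'y') { Unblock-File -LiteralPath $review.Path }
}
```

Save the SHA256 value if you copy the script to other servers, so you can confirm each copy is the file you reviewed.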

Running the Script

  1. Log into the first server you plan to enroll. Copy the script to the server. Right-click the script and choose ‘Run with PowerShell’. It should run, and then prompt you to sign in. Sign in with the same Azure account you used to generate the script.
  2. Once it is finished, you should see the script complete and close. Navigate back over to Azure Arc, click on “Machines” and check to see if you see your first server.

That is all you have to do. It will take some time to get the inventory finished, and it will want to enable some basic features, but that is all you need to do to get it enrolled. Now we can start talking about what else we should turn on, and what else we should be looking to do.


Next Steps for Azure Arc

From here, you need to have an idea about what you are trying to accomplish with Azure Arc. I mentioned above what I am hoping to learn about, but there are some other things we can turn on to start getting some data out of the system.

VM Insights

One option you can turn on is VM insights. This is a feature of Azure Monitor that enables you to get usage and performance monitoring out of your VMs. However, there can be costs associated with this, and if you aren’t careful it can get out of hand. If you are not familiar with Log Analytics, then I recommend a few things.

  1. Stick to the standard metrics. There is a free tier that allows for ingestion of standard metrics automatically. This means, that when you turn VM insights on, leave it as default, and don’t enable the additional collection (Processes and dependencies (Map)) rules in the workspace.
  2. Keep the data retention settings below 90 days. You can have up to 90 days included in the free tier so as long as you don’t go over that, you should be fine.
  3. If you want the additional data, set a daily cap on the Log Analytics workspace where that data is being stored. This way, the monitoring tools will drop any data after the cap is reached, which will ensure you can’t be charged for more per day than you want. This will enable you to have access to the additional metrics if you wish, without having to worry about whether or not you will be broke at the end of the month.

One important thing to note: There is a limitation to the free tier. Only the first 5 Azure Arc servers will have data collected in the free tier for the “VM Insights Map” feature. See the link for specifics. If you stick to the free metrics, and ignore the Processes and Dependencies data, this shouldn’t become an issue.

Hybrid Runbook Workers

I plan on doing an updated blog post about the new Hybrid Runbook Worker process, but this is another step you can do after you have servers enrolled in Azure Arc. The new V2 Extension based worker allows the Hybrid Worker application to be installed on an Azure Arc server via the Azure Extension. This makes it easier to keep updated and managed and means that you can avoid the clunky installation process of V1. This will be required as part of the Update Management process we will be getting into later, so it is nice to know that the new process will be easy to implement.

Defender for Cloud CSPM Foundational

Boy, that’s a mouthful! The Cloud Security Posture Management feature of Defender for Cloud contains 2 tiers. The first one is the one we are interested in, Foundational. The Foundational CSPM tier is free and enabling it only requires three steps. While it doesn’t include everything the paid tier does, it includes a pretty useful number of features for a free tool. The idea that Microsoft is genuinely interested in helping people stay secure is much more evident with tools like Foundational CSPM being free.

Turning this feature on is very simple.
  1. First, you need to sign up for the Free 30 day trial for Defender for Cloud. Don’t worry, you have 30 days to make this next change so you don’t get charged (because this can rack up quickly if you aren’t careful).
  2. Once that is enabled, go back to the Defender for Cloud page, and scroll down to “Environment Settings”. Choose this option, pick your subscription and hit Edit settings.
  3. Finally, in the list on this page, turn off everything that has a $ Price per month cost. You’ll notice that the Foundational is always on once you have enabled Defender for Cloud. This is intentional, and how you enable the Foundational CSPM tier. Scroll down the page and turn off anything else with a price if you aren’t interested in paying for it, and save the settings at the top.

If you are going to turn this on, I recommend turning everything off right now. This way as you add resources, they aren’t automatically enrolled in some additional service that you may not want, like Defender for SQL Servers. You can always come back and enable them later. Right now, we are just looking for the Free stuff :).


Conclusion

There is a lot to love with Azure Arc. I plan on continuing to explore as I get deeper in, and I will share my findings as I go along. Anything that allows more experience with modern management tools and new technology is an awesome thing to have access to. Fortunately, Microsoft wants you to spend time learning their environment, so they have provided ways for you to do it at a low or sometimes zero cost. These are long term costs too. The cloud credits can run out or expire quickly depending on what you are using them for. Finding ways to extend the access without incurring charges makes this environment a lot more fun to work in.

What do you think, is Azure Arc something you are interested in? Stick around as I continue to explore, and maybe I can pique your interest. Or perhaps you’ve already done several of these things, but I missed something or forgot to mention your favorite feature. Be sure to let me know so I can check it out for a future blog post. Hit me up on the ‘site formerly known as Twitter’ @SeeSmittyIT to let me know what you thought of this post. Or if you are avoiding the X-bird site, I’m also posted up on Mastodon @[email protected]. Thanks for reading!

Smitty

Curtis Smith works in IT with a primary focus on Mobile Device Management, M365 Apps, and Azure AD. He has certifications from CompTIA and Microsoft, and writes as a hobby.
