Design 35: Azure Arc (Hybrid Management)

Summary

This design implements Azure Arc to extend Azure management to On-Premises servers.

Topology: The "Arc Gateway" (Private Link Scope) is deployed in the Hub VNet. On-Premises servers connect via VPN to this Hub to register with Azure securely.

1. Key Design Decisions (ADR)

ADR-01: Connectivity

  • Decision: Azure Arc Private Link Scope.
  • Rationale: Agent metadata traffic from On-Prem servers to Azure goes over VPN/ExpressRoute, not the Public Internet.

ADR-02: Governance

  • Decision: Apply Azure Policy.
  • Rationale: Treat On-Prem servers like Azure VMs. Enforce password policies, install Log Analytics agent.

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  On-Premises |           |        HUB VNet          |           |  Azure       |
|  Server      |           |      (Private Link)      |           |  Control     |
|  (Linux/Win) |           |                          |           |  Plane       |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v                                | (VPN Tunnel)                   |
+------+-------+                        v                                v
|  Connected   |           +------------+-------------+           +------+-------+
|  Machine     |---------->| Arc Private Link Scope   |<--------->|  Azure       |
|  Agent       |           | (AMPLS)                  |           |  Resource    |
+--------------+           +--------------------------+           |  Manager     |
                                                                  +--------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Subnet: Arc           |                                           |
|   | [Private Endpoint]    |                                           |
|   | (Linked to AMPLS)     |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (VPN)                                                 |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| ON-PREMISES DATACENTER                                                |
|   +-----------------------+                                           |
|   | Server: SQL-01        |                                           |
|   | [Arc Agent]           |                                           |
|   | -> Connects to 10.0.x |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR HUB VNet                                                           |
|   +-----------------------+                                           |
|   | AMPLS (DR)            |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • AMPLS (Azure Monitor Private Link Scope): Bundles all monitoring/Arc endpoints into one Private IP.

5. Strategy: High Availability (HA)

  • Agent: The local agent buffers data if the internet/VPN link is cut.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Global View.
  • Process: Arc resources are regional metadata. If East US Azure region is down, you can't *manage* the server, but the server itself (On-Prem) is fine.

7. Strategy: Backup

  • N/A: Arc is metadata.

8. Strategy: Security

  • Identity: Each server gets a Managed Identity.
  • RBAC: You can grant "Owner" on the Arc resource to a specific team without giving them admin on the physical box.

9. Well-Architected Framework Analysis

  • Reliability: High.
  • Security: High.
  • Cost Optimization: Excellent. Core Arc is Free. You pay for Policy/Defender.
  • Operational Excellence: High. Single pane of glass.
  • Performance Efficiency: N/A.

10. Detailed Traffic Flow

1. Agent: Heartbeat triggers.

2. DNS: Resolves guestconfiguration.azure.com to Hub Private IP.

3. Tunnel: Traffic flows over VPN to Hub.

4. Link: Enters Private Endpoint.

5. Azure: Updates status in Azure Portal ("Connected").
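To verify step 2 of this flow from an onboarded server, here is an added example (not part of the original design): it resolves the Arc endpoints and checks that every answer lands inside vnet-hub's 10.0.0.0/16, where the Private Endpoint sits, so a public answer means the agent would bypass the VPN and contradict ADR-01. gbl.his.arc.azure.com as a second endpoint and the sample DNS answers are assumptions for illustration.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Hub VNet range from the LLD (vnet-hub 10.0.0.0/16); the Private Endpoint lives here.
HUB_VNET = ipaddress.ip_network("10.0.0.0/16")

# guestconfiguration.azure.com is the endpoint named in the traffic-flow section;
# gbl.his.arc.azure.com is an additional Arc agent endpoint assumed for the example.
ARC_ENDPOINTS = ["guestconfiguration.azure.com", "gbl.his.arc.azure.com"]


def system_resolver(hostname: str) -> List[str]:
    """Resolve through the OS resolver, i.e. what the Arc agent on the server sees."""
    return socket.gethostbyname_ex(hostname)[2]


def classify(hostname: str, resolver: Callable[[str], List[str]] = system_resolver) -> str:
    """'private' if every answer is inside the hub VNet, 'public' if any answer is
    outside it (the agent would bypass the VPN), 'unresolved' if lookup fails."""
    try:
        answers = resolver(hostname)
    except OSError:  # socket.gaierror is a subclass of OSError
        return "unresolved"
    if not answers:
        return "unresolved"
    if all(ipaddress.ip_address(a) in HUB_VNET for a in answers):
        return "private"
    return "public"


def audit(resolver: Callable[[str], List[str]] = system_resolver) -> Dict[str, str]:
    """Classify every Arc endpoint; anything not 'private' contradicts ADR-01."""
    return {host: classify(host, resolver) for host in ARC_ENDPOINTS}


# Constructed DNS answers used instead of a live resolver: the first endpoint is
# correctly served by the hub Private Endpoint, the second still points at a public
# address (203.0.113.10 is a documentation-range sample, not a real Azure IP).
SAMPLE_ANSWERS = {
    "guestconfiguration.azure.com": ["10.0.1.4"],
    "gbl.his.arc.azure.com": ["203.0.113.10"],
}


def sample_resolver(hostname: str) -> List[str]:
    if hostname not in SAMPLE_ANSWERS:
        raise socket.gaierror("no sample answer")
    return SAMPLE_ANSWERS[hostname]


if __name__ == "__main__":
    for host, verdict in audit(sample_resolver).items():
        print(f"{host}: {verdict}")
```

Run it with the default `system_resolver` on the on-premises server itself, since that is the resolver whose answers the agent actually uses.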

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Resource Group

1. Search: "Resource groups" -> + Create.

2. Name: rg-arc-hybrid.

3. Region: East US.

4. Create.

Phase 2: Generate Onboarding Script

1. Search: "Azure Arc" -> Servers.

2. + Add -> Add a single server -> Generate script.

3. Prerequisites: Click Next.

4. Resource details:

* Subscription: Yours.

* Resource Group: rg-arc-hybrid.

* Region: East US.

* Operating system: Windows (or Linux).

* Connectivity method: Public endpoint (Easiest) or Private endpoint (Requires AMPLS setup). Select Public for this lab.

5. Tags: Add Environment: OnPrem.

6. Download and run script: Click Download.

Phase 3: Install on Server

1. Log in to your On-Premises Server (or a VM on your laptop/AWS).

2. Run PowerShell as Administrator.

3. Execute the downloaded script (OnboardingScript.ps1).

4. Authenticate: The script will pause and ask you to visit microsoft.com/devicelogin and enter a code.

5. Wait: The agent installs and registers.

Phase 4: Verify Connection

1. Go back to Azure Portal -> Azure Arc -> Servers.

2. Refresh the list.

3. You should see your server name (e.g., WIN-SERVER-01).

4. Status: Connected.

Phase 5: Apply Extension (Monitoring)

1. Click on the Server Name.

2. Extensions (Left Menu) -> + Add.

3. Select Azure Monitor Agent.

4. Create.

5. Select a Data Collection Rule (DCR).

6. Review + create.

* Result: You can now see logs from your On-Prem server in Azure Monitor.