Enable Management Services for Azure Arc Machines

New Microsoft Azure Arc-enabled server + Windows Server Software Assurance (SA) synergy could save you thousands

Microsoft has released a hefty new package of benefits for Azure Arc-enabled servers that also have Software Assurance (SA). If you have non-Azure Windows servers covered by Software Assurance, this article is for you. That includes servers on-premises, in AWS, GCP, or any other public cloud, in a VMware, Hyper-V, or other private cloud, and physical servers.

This includes these license programs that offer Software Assurance as a fixed benefit: Open Value (OV), Open Value Subscription (OVS), Enterprise Agreement, Enterprise Agreement subscription, Server and Cloud Enrollment (SCE), and all Windows servers under an active subscription license, such as the CSP program.

Making it easier and cheaper to manage and protect non-Azure computers

Several valuable cloud-native server management services that normally carry a cost are free for customers whose Windows servers run outside Azure and are covered by SA (see benefits in Figure 1). These savings could total up to $11 per server per month, substantially increasing the value of Windows Server SA licensing and Azure Arc-enabled server technology.

Figure 1 – The Activate Azure benefits fly-out seen when attesting to Azure Arc-enabled server license status.

Note: While this article is focused on Windows Server with SA, which does not apply to Linux machines, many of the management and security features discussed do work wonderfully with Linux OS but carry the normal (non-SA) monthly price and may not have the same user experience to enable.

Azure Arc + SA = Exclusive benefits

These enrichments for Azure Arc-enabled servers follow an approach similar to the one we saw last year, when Azure Arc-enabled SQL Servers with SA received new and unique entitlements. When Azure Arc-enabled server agents detect that SQL Server is running on the computer, an Azure Arc-enabled SQL Server resource is automatically created, which allows installation of Defender for Cloud workload protection for SQL Server.

For SQL Servers running outside of Azure that have SA, benefits like Best practices assessment (BPA) and automatic SQL Server patching become available. Of highest value to many organizations is the ability to apply Extended Support Updates (ESU) to legacy on-premises SQL Servers (with SA), as well as a Pay-as-you-go option for SQL Server, which gives customers, for the first time, a lightweight, cost-efficient way to license SQL Server for short periods of time outside Azure.

Azure Arc-enabled servers have also enjoyed the capability to deliver ESUs to legacy Windows versions. In fact, the ability of Azure Arc technology to allow organizations to be flexible in where to run their legacy but business critical workloads is unquestionably of high value.

Turning on Azure Arc-enabled server license benefits

This screenshot (Figure 2) of an Azure Arc-enabled server page in the Azure portal shows where you will find the features that are in scope for the new benefits. Specifically, checking the box at Licenses -> Windows Server -> Azure benefits turns on and/or makes free of charge the other eight (8) indicated features. The exceptions are Azure Site Recovery compute, storage, and ingestion costs and Azure Log Analytics ingestion charges, which are billed as consumed.

Figure 2 – Turning on license benefits for a single Azure Arc-enabled server.

You can also turn on Windows Server license benefits for many servers at once from the Azure Arc -> Azure Arc resources -> Machines page as seen in Figure 3.

Figure 3 – Activate license benefits for multiple (or all) Azure Arc-enabled servers at once.

Up to 100 Azure Arc-enabled servers can be selected at once, and when you push the Activate Benefits button, you will be given confirmation on how many selected machines are eligible for each available service as seen in Figure 4.

Figure 4 – Enabling management services for Azure Arc machines in bulk.

  • Click on a management service eligibility link to see the named list of eligible machines as well as details on why specific machines are not eligible for the selected service (such as the service already being enabled).
  • Click on the Configuration -> Edit button to select the Azure Log Analytics workspace to be used by Change Tracking and Inventory and/or Azure Monitor Insights.

What benefits are included and why you need them

The benefits that are enabled really fall into these three (3) categories:

  • Services that normally cost, are now free:
    • Change Tracking and Inventory ($6 per month)
    • Azure Update Manager ($5 per month)
  • Management services that are exclusively enabled for licensed servers:
    • Remote Support (preview)
    • Windows Admin Center (preview)
    • Best Practices Assessment (preview)
    • Azure Site Recovery Configuration (preview) [Actual ASR replication and storage costs are billed at standard ASR rates.]
  • Existing management and security services that are easier to turn on for individual machines or in bulk:
    • Azure Monitor Insights (VM Insights) [Azure Log Analytics ingestion/storage and Alert Rule transaction costs are billed at standard rates, generally under $5 per machine per month.]
    • Microsoft Defender for Cloud Server Plan 1 [Standard subscription rates apply, $5 per machine per month]

Services that normally cost, are now free

Change Tracking and Inventory

This service includes two beneficial functions. When you enable Change Tracking and Inventory in your environment, you not only have change and inventory data captured on a per-machine basis, but the change and inventory statistics are also aggregated as seen in Figures 5 and 6.

Figure 5 – The Change tracking overview page in the Change Tracking and Inventory center.

Change tracking traces changes in files, registry, software, Linux daemons, and Windows services. Records of change in these dimensions are invaluable for forensic investigations (What happened and when?) and can easily form the basis of Azure Monitor alerts and/or Microsoft Sentinel incidents for real-time notification of anomalous changes.

Figure 6 – The Inventory overview page in the Change Tracking and Inventory center.

Inventory tracking creates a live database of what software and services/daemons exist in your environment. For example, Figure 6 illustrates an instant software search: typing “SQL” in the filter box lists all software with the letters “SQL” in the name, sorted by the number of machines where that software is installed.

For details on Change Tracking and Inventory, see this link: https://learn.microsoft.com/en-us/azure/automation/change-tracking/overview-monitoring-agent.

Azure Update Manager

Azure Update Manager (AUM) is a full-featured cloud-native server OS updating solution for all Windows and Linux servers in your estate. While AUM does not yet include a native ability to patch third-party applications, for general purpose Windows and Linux OS updating, AUM can replace any legacy server updating solution you might be using.

AUM can function as a check on another updating solution or be completely responsible for performing scheduled and on-demand OS updates. AUM reports status into Microsoft Defender for Cloud and comprises a key component of determining your Secure Score in compliance scenarios.

When you enable AUM in your environment, you not only have ‘installed and missing update status’ captured on a per-machine basis, but the update statistics are also aggregated as seen in Figure 7.

Figure 7 – Azure Update Manager overview page for a large enterprise with both Azure VMs and Azure Arc machines.

To learn more about Azure Update Manager, follow this link: https://learn.microsoft.com/en-us/azure/update-manager/overview.

Cost savings available

Change Tracking and Inventory is free for Azure VMs, but has a per-machine charge of $6 per month for Azure Arc machines. When Windows Server Management enabled by Azure Arc is applied, the cost for Azure Arc machines is the same as Azure VMs: free.

Azure Update Manager is free for Azure VMs, and is also free for servers enrolled in Defender for Cloud Servers Plan 2 (cost: $15 per machine per month) including Azure Arc machines. However, for non-Azure VMs without Defender for Servers Plan 2, a charge of $5 per machine per month applies. For Azure Arc machines with Windows Server Management enabled by Azure Arc, the cost is free.

Bottom line: For non-Azure servers with Software Assurance (SA), turning on Change Tracking and Inventory as well as Azure Update Manager should be a no-brainer. That’s up to $11 per machine per month in cost savings. Examples:

  • A customer with 150 on-premises Windows servers with SA would save $1,650 by turning on Windows Server Management enabled by Azure Arc [($5 + $6) x 150].
  • A customer with 1000 on-premises servers enrolled in Defender for Cloud Server Plan 2, would save $6,000 by turning on Windows Server Management enabled by Azure Arc [$6 x 1000].

Management services that are exclusively enabled for licensed servers

Windows Server Management enabled by Azure Arc makes it easy to enable and manage the four (4) services described below on a per-machine basis. This granular interface for using these services on Azure Arc-enabled servers is a net-new addition to Azure Arc.

Remote Support (preview)

You can use remote support to allow a Microsoft support professional to solve your support case faster by permitting access to your device remotely and performing limited troubleshooting and repair. Microsoft recommends granting access when creating a support ticket. A new session is created each time an engineer connects to your device. See this feature in action in Figure 8.

Figure 8 – Remote Support (preview) is a lightweight, inline way for you to grant Microsoft product support engineers access to your non-Azure machine. (Screenshot by Microsoft.)

When you set this up on an Azure Arc-enabled server, the AzureEdgeRemoteSupport VM extension is installed. This feature can save large enterprises and service providers a lot of time and hassle when assisting with the investigation of a support ticket. By creating a shared workspace inside the Azure Portal between administrators and product support, the total cost of ownership (TCO) of a non-Azure machine is reduced.

See this link for Remote Support (preview) detailed information: https://learn.microsoft.com/en-us/windows-server/manage/azure-arc/remote-support-for-windows-server.

Windows Admin Center (preview)

With Windows Admin Center extension in Azure, you get the management, configuration, troubleshooting, and maintenance functionality for managing your Arc-enabled servers in the Azure portal. You no longer need to establish line-of-sight or Remote Desktop Protocol (RDP) to your WAC server–it can all be done natively from the Azure portal. Windows Admin Center (WAC) provides tools that you’d normally find in Server Manager, Device Manager, Task Manager, Hyper-V Manager, and most other Microsoft Management Console (MMC) tools. Figure 9 shows what this looks like:

Figure 9 – The Windows Admin Center (WAC) console displayed inside the Azure Portal. (Screenshot by Microsoft.)

When you set this up on an Azure Arc-enabled server, it will install WAC on the selected server, and you will then leverage that server for broader management of your estate by connecting to its interface in the Azure Portal, without needing access to the machine where WAC itself is installed. Read this link for detailed information: https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-arc-hybrid-machines

After you’ve installed WAC on your hybrid machine, return to the machine’s Azure Arc page in the Azure portal, and on the Windows Admin Center (preview) page, push the Connect button. The WAC instance will open in the portal, giving you access to the same tools you might be familiar with from using WAC in an on-premises deployment.

Best Practices Assessment (preview)

The best practices assessment (BPA) continuously scans your Windows Server and evaluates the configurations based on Windows best practices. Assessments will be run automatically at the scheduled frequency and can also be run manually at any time. Findings and recommendations of the BPA can be viewed in the Azure Arc machine’s portal page a few hours after initially installing BPA. By default, a new BPA will be run every week on each participating server. A Windows Server Assessment Workbook is automatically enabled by the solution as shown in Figure 10.

Figure 10 – Windows Server Assessment workbook automatically populated with findings from the BPA on an Azure Arc machine.

When you enable BPA on an Azure Arc machine, you will need to select which Azure Log Analytics workspace in your environment will store the results of the analysis.

  • The windowsserverassessment VM extension will be installed on the machine.
  • Log Parser v2.2 is required to interpret IIS (W3SVC) and HTTP Error log files during collection.

To learn more about configuring the Best Practices Assessment, see this link: https://learn.microsoft.com/en-us/windows-server/manage/azure-arc/best-practices-assessment-for-windows-server.

Azure Site Recovery Configuration (preview)

Azure Site Recovery (ASR) has been a star of the Microsoft cloud when it comes to high availability, business continuity, and disaster tolerance for some years. Now Microsoft has made it even simpler to get started with ASR for on-premises servers running on Hyper-V virtualization platforms.

When you push the Protect VM workloads button on the Azure Site Recovery Configuration (preview) page of your Azure Arc machine, a wizard will launch as seen in Figure 11.

Figure 11 – View of the wizard that can prepare your Azure infrastructure to host a replica of your Hyper-V VM.

After ASR is configured for an Azure Arc machine, you can return to the Azure Site Recovery configuration (preview) page of the Azure Arc machine in the Azure Portal to monitor replication, perform test failovers without disrupting workloads, and run planned failovers of replicated Hyper-V VMs to Azure with zero data loss. For detailed information see this link: https://learn.microsoft.com/en-us/windows-server/manage/azure-arc/azure-site-recovery-for-windows-server

Existing management and security services that are easier to turn on for individual machines or in bulk

Azure Monitor Insights (VM Insights)

Azure Monitor VM Insights is a feature that simplifies monitoring virtual machines (VMs) by providing a quick and easy way to collect and analyze performance data, running processes, and dependencies, offering a streamlined approach to understanding VM health and performance. VM Insights combines Azure Log Analytics, the Azure Monitor and Dependency Agents, Azure Monitor Alert Rules, and Azure Workbooks to deliver a full-featured observability platform.

VM Insights as a premier server monitoring tool is cloud-native and perfectly integrated with Azure Monitor. Figure 12 shows the OS Performance and Capacity workbook of a large production on-premises environment instrumented with VM Insights.

Figure 12 – The OS Performance and Capacity workbook populated by VM Insights data for a large on-premises estate.

Turning on VM Insights using Windows Server Management for Azure Arc will deploy the AzureMonitorWindowsAgent and the DependencyAgentWindows VM extensions as well as deploy and configure the Azure Monitor Data Collection Rule (DCR) that associates the machine with the VM Insights performance and network monitoring tools.

To learn more about Azure Monitor VM Insights, consult this Overview: https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-overview.
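
The Remote Support, Best Practices Assessment, and VM Insights sections above each name the VM extensions they install on an Azure Arc machine. As an added example (not from the original article or from Microsoft), this Azure Resource Graph query reports which of those extensions are present on each Arc-enabled server after a bulk enablement; it assumes the names given in the article appear in either the extension resource name or its `properties.type`, and the feature labels are this example's own.

```kusto
// Added example: run in Azure Resource Graph Explorer.
// Assumption: the extension names from the article are matched
// case-insensitively against both the resource name and properties.type,
// because the article does not say which field carries them.
resources
| where type =~ 'microsoft.hybridcompute/machines/extensions'
| extend extType = tostring(properties.type)
// Map each extension to the feature the article says installs it.
| extend feature = case(
    name =~ 'AzureEdgeRemoteSupport' or extType =~ 'AzureEdgeRemoteSupport',
        'Remote Support (preview)',
    name =~ 'windowsserverassessment' or extType =~ 'windowsserverassessment',
        'Best Practices Assessment (preview)',
    name =~ 'AzureMonitorWindowsAgent' or extType =~ 'AzureMonitorWindowsAgent',
        'VM Insights: Azure Monitor agent',
    name =~ 'DependencyAgentWindows' or extType =~ 'DependencyAgentWindows',
        'VM Insights: Dependency agent',
    '')
| where isnotempty(feature)
// The parent Arc machine is the part of the resource ID before '/extensions/'.
| extend machineId = tolower(substring(id, 0, indexof(id, '/extensions/')))
| extend state = tostring(properties.provisioningState)
// One row per machine, listing each feature extension with its provisioning state.
| summarize features = make_set(strcat(feature, ' [', state, ']')) by machineId
| order by machineId asc
```

Machines missing from the result have none of the four extensions; a state other than `Succeeded` points to an enablement that did not complete.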

Microsoft Defender for Cloud Server Plan 1

With Microsoft Defender for Cloud’s Server Plan 1, you can leverage the endpoint detection and response (EDR) capabilities provided by Defender for Endpoint integration. When functional, this enablement will conveniently turn on Defender for Server Plan 1 on the selected Azure Arc machine. Learn more at: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview.

Key takeaways

  1. Microsoft continues to add to the value of Software Assurance for Windows Server and SQL Server. This is good news for customers with SA.
  2. Microsoft continues to invest in new features and use cases for Azure Arc-enabled servers. Since hybrid cloud architectures are the norm, homogenizing and enriching the management layer for all computers, operating systems, and clouds everywhere is a hyper-scale enabler for organizations of all sizes and topologies.
  3. For customers with non-Azure Windows Servers with SA, the opportunity to save considerable cash while enjoying industry-leading new technology features is a competitive advantage.
