Microsoft Azure

Hybrid-cloud and Multi-cloud server management using Azure Arc

Govern AWS EC2 instances and On-Premises server all within Azure control plane

Azure Hybrid infographic showing Azure Arc — from Microsoft
Connecting an Amazon EC2 instance and On-Premise windows server to Azure Arc


  • Microsoft.HybridCompute
  • Microsoft.HybridConnectivity
  • Microsoft.GuestConfiguration
Azure Portal: Resource providers screen
az account set --subscription "{Subscription Name or ID}"
az provider register --namespace 'Microsoft.HybridCompute'
az provider register --namespace 'Microsoft.GuestConfiguration'
az provider register --namespace 'Microsoft.HybridConnectivity'

Prepare to install Connected Machine Agent

Various workloads supported by Azure Arc
Azure Arc supported workloads
  1. Add a single server. This option will generate a script to run on your target server. You use your Azure login credentials to run this script, and it is probably the most straightforward approach for adding servers one at a time, especially for Windows servers. Just note that with this approach, you need to login with an Azure credential that has the Azure Connected Machine Onboarding role.
  2. Add multiple servers. If using this option, Azure will generate a script that handles authentication through a service principal. With this method, you will first have to have a service principal created. To do this, navigate to Azure Arc > Service Principals and follow through the prompt to create a service principal that you can use to onboard your workload. A service principal is valid for a limited amount of time. When you create the service principal, note down the Client ID and Client Secret, as you will need to put this into the script during onboarding.
  3. Add servers with Azure migrate. If you have a VMWare environment on prem, this is quite a powerful approach to onboard the VMs. This allows you to automatically onboard VMs to Azure Arc with the Azure Migrate: Discovery and assessment tool. This is beyond the scope of this article but if you are interested, I encourage you to check out this article from Microsoft that tells you how to do it.
  4. Add servers from Azure Automation Update Management. This is useful if you want to onboard servers outside of Azure that you already manage using Azure Automation Update Management. This onboarding process automates the download and installation of the Connected Machine Agent using the Add-AzureConnectedMachines Azure automation runbook.
Creating service principal in Azure Arc
# Add the service principal application ID and secret here
# Download the installation package
wget -O ~/
# Install the hybrid agent
bash ~/
# Run connect command
azcmagent connect --service-principal-id "$servicePrincipalClientId" --service-principal-secret "$servicePrincipalSecret" --resource-group "AzArcPoc" --tenant-id "[Az_Tenant_Id]" --location "[Az_Region]" --subscription-id "[Az_Subscription_Id]" --cloud "AzureCloud" --tags "Datacenter=LinuxOnAWS,CountryOrRegion=AWS-ap-southeast-1,GuestOS='Ubuntu 20'" --correlation-id "[Arc_VmId_Guid]"
if [ $? = 0 ]; then echo -e "\033[33mTo view your onboarded server(s), navigate to\033[m"; fi

Install the Connected Machine Agent

Installing Azure Arc Connected Machine Agent on Amazon EC2 instance running Linux Ubuntu 20
Success onboarding of EC2 instance onto Azure Arc

Control Plane in Azure Arc

1x Amazon EC2 instance running Linux and 1x On-Premise Windows server connected to Azure Arc
Overview of Amazon EC2 instance in Azure Arc
  • Monitoring: You can now monitor the performance and health of these servers all within Azure by deploying the Azure Monitor Agent, which will collect performance metrics and logs (event log on Windows and syslog on Linux) and send them across to Azure Monitor. It can send to multiple Log Analytics Workspaces, also known as multi-homing. Once the logs and metrics land in Azure Monitor, they can be viewed, queried and analysed using Log Analytics and Metrics Explorer.
  • Security: Use Microsoft Defender for Endpoint for threat detection, vulnerability management, and to proactively monitor for potential security threats, automatically refresh certificates stored in Azure Key Vault.
  • Simplify operations: Use Update Management to manage operating system updates for both Windows and Linux machines, run configuration or deployment scripts at scale using the custom script VM extension available for both Windows and Linux servers.
  • Governance: you can use Azure Policy to check for compliance of your servers that are running outside of Azure, and use remediation to fix all non-compliant machines. We’ll take a look at an example of this shortly.
Assigning built-in Azure policy to Arc-enabled server
Amazon EC2 Arc-enabled machine showing as non-compliant to assigned Azure Policy
Starting new remediation task to make the Amazon EC2 instance compliant with Azure Policy
Amazon EC2 Arc-enabled server showing as compliant to Azure Policy assigned
Successful installation of Azure Monitor VM extension on Amazon EC2 Linux Arc-enabled server



I.T. Solutions Architecture, Cloud Architecture, Data Architecture

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Adi Simon

I.T. Solutions Architecture, Cloud Architecture, Data Architecture