Microsoft Azure AZ-800 — Section 10: Manage Windows Server and workloads by using Azure services
73. Manage Windows Servers by using Azure Arc
Now, one of the relatively new features that Microsoft has implemented in the Azure environment is a feature known as Azure Arc.
Now, Arc is a centralized management feature. The goal of Arc is essentially to have a single pane of glass on Azure that allows us to interact with and manage our on-premise servers, as well as manage all of our Azure services, including not just infrastructure as a service but also platform as a service and software as a service related services. Ultimately, the goal is to have a central user interface, hosted in the cloud and used within your Azure portal, that lets you touch and monitor all these different services, whether they're on-premise or in the cloud, and even in a business-to-business scenario where you've got multiple Azure AD tenants that you're working with. You've got a lot of cross-platform support with this as well.
Ultimately, what we're focused on right now, though, is just managing a Windows server, because that's what they want us to look at for what we're learning now. To start, the first thing you want to do is be in portal.azure.com. We're going to go to the menu button and then All services. If you just do a quick search on the word arc, you'll see Azure Arc show up. From there, it's essentially completely free when you first jump in here; it doesn't cost any money to jump in and start playing around. I also would like to warn you that, this being a relatively new feature, they're constantly changing it. No matter how many times I update my videos, I can't seem to stay ahead of them. They are constantly changing, so your screen might look a little different than what the screen right here looks like. But as you can see here, we can manage various things. They've got infrastructure here: Azure Stack, Kubernetes clusters, servers, SQL servers. All of that can be managed, and they're going to be adding additional features as time goes on.
So, you know, by the time you're watching this video, you might even see some additional things here that you can monitor.
Now, of course, what we're focused on is the Windows Server side.
So, I'm going to click on Servers. And as you can see here, I currently don't have any servers. I can add servers in multiple locations all over the world. I can also manage and monitor my virtual machines that are in Azure.
So this is a really cool feature that's going to let us manage all sorts of things, even if we're using a mixed environment. Or perhaps we have AWS, Amazon Web Services; we could actually add a server through this as well for Amazon Web Services.
So this is going to give us a lot of control over being able to touch and feel all the different services that we have in our environment, and do it, again, as we say, in one pane of glass, one central place that's going to let us get access to everything.
Now, if we want to add a server, we're just going to click Add here, and you have a few different options. Perhaps you won't add a single server; you're going to do multiple servers. They've even got the Update Management feature, which I'm not getting into right now, but I'm going to go with adding a single server. We're going to say Generate script. And then from there you have to know some prerequisites.
So, it's important to understand the prerequisites of this. First off, you've got to make sure that your server has access to Azure services, as they tell you; you've got to make sure your firewall is not blocking any of that. You need local administrator privileges. And then a connectivity method: you've got to be able to get out to the internet, or you've got to have some kind of an endpoint into Azure or something like that.
So you basically have to have a way for Azure to be able to interact with the server.
OK. Also, you have to have a resource group created.
So, if you need to create a resource group, you can click the menu and click Resource groups, and you create a resource group that way. From there, you're going to click Next and you're just going to fill out this template.
So, we'll select the resource group; I'm going to use the AzureADC RG. Or, you know, again, if you don't have a resource group, you can just create one. East US. In our case, the server we're going to be setting up is Windows, but you'll also notice you could choose Linux as well. Then choose the connectivity method. Is it going to be a public endpoint, meaning it's accessible from the internet? Is it a proxy server you're connecting it through? Or is it private, which means you've got maybe an ExpressRoute connection from your on-premise directly into Azure, or maybe a VPN gateway? In our case, we're doing public endpoint. We're going to click Next and then we could specify additional tags. We could specify the data center city and state. This is not required; this is mainly just to make it easier for you to do searches.
So, you know, I might say, OK, well, this is the NYC data center that we have, and it's located in NYC, and the state, we'll just say New York. And then, of course, you can specify country and all this additional stuff if you want it. I'm just going to leave the rest of it blank and click Next. And then from there we can copy our script here and also register our service. We're going to copy the script, which we could run on the server. You can also, if you want, click Download. But I'm going to click Register, and as you can see, it's processing. We can download the script if we want to download it. All right, so there it is. Windows is going to kind of warn you on that; if you want to open the file up, you can, and that'll open it up in Notepad for you. All right.
So then from there it says to open a PowerShell console to run the script. All right. And they tell you to run the above script on the server that you're onboarding for Azure Arc. The script can also onboard multiple servers. Note that those servers will be assigned to the same subscription, resource group and region. The script will do the following: it'll download the agent, install the agent on the server, and then create the Azure Arc-enabled server resource and associate the agent.
OK. And so those are the steps that are needed in order to onboard your server.
So now, opening up the PowerShell ISE, which of course you have on your server (you can just do a search for the word ISE and you'll see PowerShell ISE), I just pasted the script in there. At that point, I'm just going to hit the play button here, and it's going to begin running the script. As you can see, it's installing the Azure Connected Machine agent, downloading the agent package. All right. And so from there, it's going to go ahead and make this connection.
So after a couple of minutes, you'll notice that it finishes up here, and then it tells you to sign in: use a web browser to connect to the page, and it gives you the link here. And it says to enter the code right here.
So, if we open up our web browser and we just paste this in, microsoft.com/devicelogin, then it wants the code.
So, we'll go over here; I'm just going to copy the little code. All right, and then we can paste that in. All right.
So notice it is showing that there's an authentication request going through, but I'm going to go ahead and click Next. All right, and then of course, it wants to know your authentication info.
So, I'm going to authenticate now and put my credentials in.
OK, Azure Connected Machine agent: you've now signed in, and it says you may close the window now. So, we've officially finalized that connection.
Now, the way you'll know you're done is you'll get this little yellow message right here letting you know. By the way, it may ask you to enter in a different code to authenticate as well.
So you may have to do that a couple of times, but eventually you'll get this yellow message here. And then all you've got to do now is jump over to the Arc service in Azure and take a look.
So here I am on portal.azure.com. Just over here on All services, I'm just going to do a quick search on Arc. We're going to click on Azure Arc and then we're going to click Servers, and it should show up. If it doesn't, give it a couple of minutes and it should eventually show up, and then we can click on the server. And as you can see, we have management capabilities here that we can play around with involving our server, including extensions and policies. A lot of interesting little things here we can kind of look at for managing and monitoring our servers, which we're not getting into in this particular video.
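Here is an added pre-flight and verification script I put together for this lesson; it is not the portal's generated onboarding script and is not part of the course. It assumes an elevated PowerShell session on the server being onboarded, that the agent installs under $env:ProgramFiles\AzureConnectedMachineAgent with a service named himds, and that the endpoint list below matches the prerequisites page shown in the portal.

```powershell
# Added example (not the portal's generated script): check the onboarding prerequisites the
# lesson lists (local admin, outbound access to Azure, TLS 1.2), then confirm the agent is
# connected after the generated script and the device-code sign-in have finished.

# 1. Local administrator privileges are required to install the Connected Machine agent.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell session (local administrator required)."
}

# 2. Public endpoint connectivity: the server must reach Azure over HTTPS (TCP 443).
#    Assumed endpoint list; compare it with the prerequisites page in the portal.
$endpoints = @(
    'login.microsoftonline.com',   # Azure AD sign-in (the device-code login step)
    'management.azure.com',        # Azure Resource Manager (creates the Arc server resource)
    'download.microsoft.com',      # agent package download
    'gbl.his.arc.azure.com'        # Hybrid Instance Metadata Service
)
$blocked = foreach ($e in $endpoints) {
    $r = Test-NetConnection -ComputerName $e -Port 443 -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { $e }
}
if ($blocked) {
    throw "Firewall or proxy is blocking TCP 443 to: $($blocked -join ', ')"
}

# 3. TLS 1.2 must be usable by this session's HTTP stack on older servers.
#    A value of 0 means SystemDefault (OS-negotiated), which is fine on current Windows Server.
$tls   = [int][Net.ServicePointManager]::SecurityProtocol
$tls12 = [int][Net.SecurityProtocolType]::Tls12
if ($tls -ne 0 -and (($tls -band $tls12) -eq 0)) {
    Write-Warning "TLS 1.2 is not enabled for this session; enable it before downloading the agent."
}
Write-Host "Pre-flight checks passed. Now run the script generated in the portal."

# --- Run after the generated script and the device-code sign-in are complete ---
function Test-ArcAgentConnected {
    # Returns $true when the agent service is running and azcmagent reports the machine as
    # connected. The 'Agent Status' line is an assumption about azcmagent show's output format.
    $svc = Get-Service -Name himds -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { return $false }
    $exe = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
    if (-not (Test-Path $exe)) { return $false }
    $status = & $exe show      # prints resource name, resource group, subscription, agent status
    return [bool]($status -match 'Agent Status\s*:\s*Connected')
}

if (Test-ArcAgentConnected) {
    Write-Host "Agent is connected; the server should now appear under Azure Arc > Servers."
}
```

If the endpoint check fails on a server behind a proxy, that is the case for the proxy connectivity method mentioned in the lesson rather than public endpoint.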
74. Assign Azure Policy Guest Configuration
Now, once you've configured Arc and assigned some servers that you're going to manage, there's a nice little feature we have with Arc that allows us to deploy policy-related settings out to our machines, whether they be virtual machines hosted in Azure or servers hosted on-premise. We can actually deploy these policies that we have within Azure, these guest policies.
So, to do this, here we are on portal.azure.com. We're just going to click the menu, go to All services and do a quick search on the word arc. Then you can go into Azure Arc, and I'm going to go to the Servers blade here. And there is my server that I've already added, which is NYC Server 1. I'm going to click on that, and from there I can click on the Policies blade.
So this is where I can apply these policies. Now, a couple of different options: you can assign a single policy at a time, or you can do what's called an initiative. An initiative is a group of policies that you want to assign.
So, instead of just one policy at a time, if you wanted to do multiple, you can do an initiative. In my case, I'm going to go to Assign policy here. And then from there, it's going to let me choose which policy I want, and I'm just going to click the little symbol right here. All right. And there are 873 policies you can choose from. I'm just going to search for the word server and we'll kind of scroll down and find a policy, maybe, that we want to apply. Like, how about this one? Windows web servers should be configured to use secure communications. So, we're going to require that our web server uses secure communication. We're going to select that. All right. And then from there, we're going to go ahead and enforce this; it's going to be enforced. We're going to click Next. If there were any additional parameters that needed to be specified, this is where they would show up in the parameters area. In this case, there aren't any additional parameters, any additional things that need to be specified, to turn this policy on. We click Next, and we have the option to do remediation.
So another cool thing about this involves compliance: some of the policies can do remediation, where they can turn something on or turn something off, and some of them will just tell you if something's not compliant.
So, in this case, I can do that. And it tells you that by default, this assignment will only take effect on newly created resources. Existing resources can be updated via a remediation task after the policy is assigned, and they tell you that for deployIfNotExists policies, the remediation task will deploy the specified template, which essentially means that if this feature is not turned on, you can force it to be turned on.
Now, it also tells you about managed identities: policies with the deployIfNotExists and modify effect types need the ability to deploy resources and edit tags on existing resources, respectively. To do this, it says, choose between an existing user-assigned managed identity or creating a system-assigned managed identity. All right, in this case, I'm going to say create a system-assigned managed identity. That's the type of managed identity: system-assigned managed identity. Or you could specify an individual, specific user-assigned identity that's going to do this.
OK, if I want. In this case, I'm just going to say system-assigned for East US, and then at that point we'll click Next. Also, if this is not compliant, you can get a message that says, OK, this feature is currently not turned on. So you can have a message that pops up under compliance, which I'll show you where that's at in just a moment.
So then I'm going to click on Review + create, and we're going to go ahead now and click Create. All right. Once this is created, it can then be applied down to that server. What'll happen is you'll notice right now that the compliance state is Not started, but eventually, and let me warn you, this can take a while; it can take over an hour. If you're doing this in a trial tenant, it can take even longer. If you're doing it in a production environment, it can usually take about an hour; if you're doing it in a trial tenant like I am, it can take even longer than that, but eventually this gets applied. Then it'll let you know the compliance state once it's applied, and the policy will eventually take effect.
75. Deploy Azure services using Azure VM extensions on non-Azure machines
Another great feature that we have with Arc is the ability to deploy extensions. Extensions are additional little pieces of software or agents that we would like to have deployed down to our on-premise servers in order to allow an additional feature, perhaps, that the server doesn't support. Let me show you this; it's a whole lot easier if you just see it.
So here we are on portal.azure.com. Go to All services, do a search on Arc or go into Arc here, and then from there, click on Servers, and we're going to click on the server that I've already added, which is NYC Server 1. And then from there there's a blade called Extensions, and I can click Add, and here are the extensions that are currently available. Microsoft will eventually add additional extensions. In fact, by the time you see this video, they might have added some additional ones. But currently these are the three.
So, I can do a Custom Script Extension. This is going to allow me to create a script that gets injected into the server and gets run on the server. You have a Log Analytics agent; this is going to be the little agent that gathers log data and can send it to something called Log Analytics. And then you've got the SQL Server extension, which, of course, is going to install the little agent for SQL Server services as well, involving Azure. In my case, I'm going to click on Custom Script Extension and then I'm going to go ahead and click Create, and it's going to let me go ahead and add that custom script, at which point, if I wanted to write a script that's going to be injected into the server, I can do that.
So currently I'm on my NYC Server 1, and I just wanted to show you something. Currently, if I go to Server Manager and I go to Manage, Add Roles and Features, click Next and look at my roles, DNS is not installed, right? And if I actually go to PowerShell on the computer, we can run a command that will show us if DNS is there: Get-WindowsFeature -Name DNS, and you can see that DNS is not installed. If you just run Get-WindowsFeature in general, you can see everything that's currently installed on the machine, and as you can see, there's a lot that's not installed, DNS being the main thing I wanted to kind of point out.
So what I'm going to do is, I'm out here in the ISE and I'm just going to type Install-WindowsFeature -Name DNS, and I'm just going to save this. We'll just save it to my desktop.
OK, so, I just saved it to my desktop, and we're going to pop back over into Azure Arc now.
So now I want to add my script. I'm going to click Browse, and I've got to create a storage account. A storage account is a resource in Azure that's going to let you store your information, so I'm going to click to create a storage account. I'm just going to call this temp storage for exam lab practice.
OK. Actually, that's too long. Let's say the name is exampractice. And maybe it's still too long, so let's say examlp. There we go. Storage account names also can't have capitalized characters. Standard storage, the resource group is AzureADCrg, minimum TLS 1.2. That's fine. We'll click OK. All right, so it's going to go ahead and initiate creating the storage account. Once the storage account is officially created, we can then upload the script.
So again, why are we doing this? We're doing this because Azure is going to require us to be able to store this script. You'll even notice, performance-wise, it'll tell you that you can get a higher level of performance if you go Premium. Don't forget that in Azure, you can always look at the calculator for cost.
So, if you actually go to Google, you can type Azure calculator. If you're concerned about cost, you can go to the pricing calculator and find out what the cost is going to be. Here's storage accounts right here.
So you can add storage accounts and click View, and you can kind of look at how much the monthly cost is going to be, OK? And so that's what all that's going to involve. All right.
So here's our storage account right here. We're going to select that storage account. And then from there, it's going to make me create a little container, which is just like a little folder for it to be stored in. I'm going to call this little container scripts, OK, and then from there we'll click Create and select that as my location, and we're going to upload the script. All right, so click here. And I just added the script. Click Upload, and the script is now officially added. All right, we'll select the script that we want to send to the extension. All right. And that's it. We've got the script there; we're going to click Review + create, and Create.
Now, after about, I would say, maybe 20 minutes or more (keep in mind that if you've got a trial tenant like I do, it can take longer, but usually about 20 minutes), this should all take effect. Back over here on NYC Server 1, I'm going to go to Server Manager and we'll just go right here to Add Roles and Features, Next, Next, Next. And as you can see, DNS has been installed because of that script. In fact, I can also type Get-WindowsFeature -Name DNS, and it should have the little X, and it does. So we know that our script did go through successfully, and that is how you can use the Arc extensions.
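The lesson's one-liner does the job, but here is an added version I wrote for this example (not the course's script) that I would actually upload to the scripts container: it is safe to run more than once, it verifies the result the same way the lesson did with Get-WindowsFeature, and it exits non-zero on failure so the extension run shows as failed in the portal. It assumes the extension runs the script with elevated rights on the Arc-enabled server, and the log path is my own choice.

```powershell
# Added example (not the course's own script): idempotent Custom Script Extension payload
# that installs the DNS Server role, logs what it did, and returns an exit code the
# extension can surface in the portal. Log location below is an assumption of this example.

$FeatureName = 'DNS'
$LogDir  = Join-Path $env:ProgramData 'ArcCustomScript'
$LogFile = Join-Path $LogDir 'install-dns.log'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Add-Content -Path $LogFile
}

try {
    # Same check the lesson ran interactively: Get-WindowsFeature reports whether the role is present.
    $feature = Get-WindowsFeature -Name $FeatureName -ErrorAction Stop
    if ($feature.Installed) {
        Write-Log "$FeatureName already installed; nothing to do."
        exit 0
    }

    Write-Log "Installing $FeatureName ..."
    $result = Install-WindowsFeature -Name $FeatureName -IncludeManagementTools -ErrorAction Stop
    Write-Log "Install-WindowsFeature returned Success=$($result.Success) RestartNeeded=$($result.RestartNeeded)"

    # Verify the way the lesson did afterwards, rather than trusting the return object alone.
    $verify = Get-WindowsFeature -Name $FeatureName
    if (-not $verify.Installed) {
        Write-Log "Verification failed: $FeatureName still reports Installed=False."
        exit 1
    }

    # The DNS Server service should now exist; record its state for later review of the log.
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    Write-Log "DNS service status: $($svc.Status)"
    exit 0
}
catch {
    # Any failure (module missing, install error) is logged and reported as a failed run.
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

After the extension reports success, the log under $env:ProgramData\ArcCustomScript on the server shows what the run did, which is handy when the portal only tells you it finished.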
76. Manage updates with Azure Update Management and Integrate Log Analytics
Now, a lot of us IT people are aware of this: one of the necessary evils that we've always had to deal with in most all of our environments over the years is updates, right? Updates are usually a thorn in everybody's side. We have to have updates going out to our clients. We have to have updates going out to our servers. A lot of us have mixed environments; we have Windows, we have Linux, you know, we've got all these different services going on. And unfortunately, all the services have to be updated; at the bare minimum, they have to be updated for security purposes.
So Microsoft has a really great feature that they've introduced into Azure, and it's called Azure Update Management, and it works with Arc as well. The idea of Update Management is that we can deploy updates to our virtual machines that are hosted in Azure. We can also deploy updates to our on-premise machines that are tied in through the help of Azure Arc. And with the help of all of this, not only can we deploy updates to Windows, we can also deploy updates out to our Linux machines as well, whether they be virtual or physical machines; as long as they are tied in with Arc, we can actually deploy these updates. And so, I want to show you a little bit about that. The first thing to do is just show you how to get things.
77. Integrate Windows Servers with Defender for Cloud (formerly Azure Security Center)
Now, something that's very important to us in pretty much all aspects of both on-premise as well as cloud is obviously the focus on security, and it's important for Microsoft to provide us with a way to integrate all of our security services and be able to monitor the goings-on in both our cloud environment and our on-premise environment involving security.
So Microsoft has actually done that. Microsoft created a feature called the Azure Security Center. But I want to also show you that the name has changed just recently. It's now known as Defender for Cloud.
So to manage the Azure Security Center, the way we would generally do that was, we would just go here to the menu button and go to Azure Active Directory. From there, we can click on the Security blade down here on the left, and once we get into Security, there was an option here called Security Center.
So, if we click on that Security Center option here, you will notice that they're now saying Microsoft Defender for Cloud.
So eventually they're probably going to change this over to where you just go straight into Defender for Cloud. But at the creation of this video, this is the way that it worked.
So from there, we can click on Microsoft Defender for Cloud and we can go straight into the portal, which again was formerly known as the Security Center and pretty much looks the same as it did. Ultimately, you know, a few things have been renamed, but they're trying to essentially create this all in one place right here in Azure, where we can see security-related items involving our on-premise services as well as our Azure services.
Now, one thing to consider here is that once you get into Microsoft Defender for Cloud the first time, you can click on Getting started and scroll down a little bit. It'll talk a little bit about the cost here.
So, if you look here to the right, you can see what the cost is to use Microsoft Defender for Cloud.
So, in my case, I've got three servers; it mentions here 15 dollars per month per server. I don't have any of these other services. I do have a storage account, and it warns you how much that will be per transaction.
So the only thing I'd kind of warn you about here is just to understand the cost that's going to be involved when you want to utilize the server.
OK. And so right now, it's telling you that you can get started with a 30-day free trial, and there's some reading material there you can look at. And then when you're ready, you can click on Upgrade here, and it tells you that it's going to start your trial. All right. And so you get that 30-day free trial; it won't cost you anything just to get started with it.
Now you can go ahead and click on Install agents. And of course, that's going to make sure that the agents are deployed via Log Analytics for the machines that are tied to your Log Analytics, which we've looked at in a previous discussion.
So from there, once I do that, I can click on Overview here, and it gives me kind of a quick glimpse of everything, including some of the most prevalent recommendations, regulatory compliance, workload protections. A lot of this stuff you can click on and examine, but you can also go a little deeper and go down here to Secure score. Microsoft is going to kind of break down everything for you on the secure score. They can also give you an overall score eventually; this can take a little while before it kicks in, but it's kind of neat, because what they'll do is rank your environment against other environments that are around the same size as yours, based on how many machines and things like that you've got.
So eventually you'll see that up here, and then you can also click on View recommendations, and it's going to give you some recommendations on things you can do to improve your score.
So, if I scroll down, I can see all these different recommendations that it's given me.
So things like: virtual machines should encrypt disks; Log Analytics agent should be installed on all virtual machines.
So lots and lots of stuff here that I can take a look at, and I can also click on that, and it's going to give me even more information. It's going to essentially give me a description of what needs to be done, and in a lot of cases, it'll also tell you step by step what you can do to improve it.
So this is really, really awesome, the fact that it can do this, like a vulnerability assessment, and tell me the things that are weak in my environment, both in the cloud as well as on-premise. I can also look at security alerts, if I have any, by clicking on the Security alerts blade. Once that loads up, you'll see some additional information. Once this has been out there for a while and security assessments and all that have been run in your environment (again, this does take time), you'll get information such as severity level, which lets you know what kind of alerts it's discovered, all that fun stuff. If you want, you even have the ability to download this information to a little CSV file, which is like a little spreadsheet. All right.
So some pretty neat little things here you can play around with and get a feel for. The main thing to be aware of here is that Security Center is now Defender for Cloud, and that it can be integrated with the help of Log Analytics. It can be integrated with your Azure virtual machines as well as your on-premise machines. And then from there you're able to generate nice little reports and get a good feel for the objects that you're managing and whether there are any kind of security issues involved. All right.
So looking over here on Inventory, as you can see, I can see all the devices, the virtual machines and physical machines, that are associated here. And I've got both. I've got a couple of virtual machines; currently, the monitoring agent is not installed on those. I've got my physical machine, which I do have it installed on from a previous lesson; we installed Log Analytics in a previous lesson. But my virtual machines here, as you can see, currently don't have it. I can click on those, and as you can see, it takes me to Resource health here, and also, of course, notice it says Preview. Any time you see Preview, just remember that they're still working on this; this is not finalized yet. But as you can see, it says the monitoring agent is not installed on this virtual machine. That's because I haven't associated it yet with Log Analytics, but you can see how to do that in a previous lesson. But all in all, this is a really great capability, a really great feature. The only thing I'd warn about is just to make sure that, you know, with your 30-day trial, you can get rid of this after the 30 days if you want, that way it's not hitting your trial tenant.