>> Hi, my name is Thomas Maurer. I’m a Cloud Advocate at Microsoft and I’m sitting here with Chang’ from the Azure Management team to talk about Hybrid Server Management.

>> Yeah. Hi. I’m a Program Manager in Azure.

>> Hi. So I speak a lot with customers who are using the Cloud for compute resources. But most of them, or a lot of them, also have servers running in their private data centers, in their branch offices, or even have other parts of the organization which use another Cloud provider or other service providers. One of the main challenges with all these servers they have is basically keeping control of all these servers wherever they are running, to make sure that they are secure, that they are patched, that they have the compliance. I heard that the Azure team, and especially you, are working on something which helps with that.

>> Yeah. Absolutely, I love to talk about it, and I was actually echoing what you just mentioned. It is indeed a huge challenge. So I have talked to a lot of customers as well, especially when they need to manage these very Hybrid environments, so we’re all over the place with the application team trying to just go out and get all the resources they need. It doesn’t matter which Cloud, they just go in and deploy things there. IT, on the other hand, is trying to understand: oh my gosh, where are all the things? Where is all the data? What happens if something gets breached? Especially now you see the news all over the place. So this is really something Azure has always been thinking about, and especially there are services today that already manage on-prem servers. But now with this service, we’re really taking it to the next step to integrate those servers more natively into Azure.

>> Okay. That sounds fantastic. So when you talk about integrating the servers into Azure, what do you mean by that?

>> Yeah. I’d love to show you a picture of it.

>> Perfect. Thank you.

>> Here is how services are managing these environments. So these services actually all manage on-prem servers today. By the way, I’m calling them on-prem servers, but it really doesn’t matter where they are. They can be on-prem in datacenters, private datacenters, or in other hosts of the Cloud. But as you can see, all these services manage the Azure Virtual Machines through something called Azure Resource Manager, ARM for short, whereas on the on-prem servers they really need to figure out a way to get their code deployed onto those on-prem servers individually. So as you can see, there’s some disparity between the two panels, and this is really what I mean by natively integrated into your ARM. Now they get projected as ARM resources into Azure. The benefit will be huge. As you can see, a lot of investment went into ARM: like identity, like RBAC, like policies. Most importantly, a lot of customers really care about compliance and also just regular management like tagging them, showing which of my servers are in production; those kinds of simple things are all capable through ARM. So now, once I have projected these servers into ARM, I get all these benefits. In addition, all the services now can be deployed onto Azure as well as on-prem in the same fashion. So as you can see here, I labeled out this very important component called Guest Agent. The purpose of this agent is to manage the lifecycle of these extensions, and we’re following the same model so that now all these extensions can be applied to on-prem servers as well.

>> So that’s great. So our servers show up as Azure resources. They show up in the portal and also in the Azure Resource Manager, and I can basically treat them like machines, like I used to do with Azure Virtual Machines, right?

>> Yes. From a management perspective, that is our central goal. We wanted all these solutions to manage the servers the same way for Azure as well as for on-prem, and also they get the same ARM benefit.

>> Okay, that’s awesome. So I want to now use that. So can you show me how we on-board this service to Azure?

>> Absolutely, let me show you a demo. This is a page that we built to show all the on-prem servers that have been on-boarded to Azure. Essentially, to on-board, the customer needs to run a script on the server, and to help build that script, we actually built a flow in Azure to generate that script. So this is an option that they can click to generate the script, but at the same time, we also recognize it is a challenge for customers to on-board at scale if they have to connect to every single server individually to run these scripts. So we’re also trying to understand what some common on-prem server management applications are, so we can integrate to help customers on-board those machines at scale. For example, here, if the server is already managed by the Azure updates service, we actually built the script or the runbooks to actually deploy to on-board those machines onto Azure without customers actually touching all those machines. But in the future, we’re also working with, for example, System Center Configuration Manager, and they’re also integrating the on-boarding experience, and in addition Windows Admin Center. So we just keep on expanding on how customers can on-board to Azure in the least-effort way. But in this case, let me show you how to generate the script. So as you can see, these are Azure resources. So they follow the same hierarchy as in subscriptions and resource groups. So now you can pick which subscription and resource group they want to go into, and here the region indicates which Azure region is running the services managing these on-prem resources. So you can see from a compliance or regulatory perspective, we know where the metadata is stored in Azure. Physical location is new, specifically for the on-prem servers. This allows customers to tag the servers or specifically indicate which datacenter they are in. This is really about ease of management.

>> Okay, that’s pretty cool. So customers could not just add a name for the datacenters, so they could even, for example, also add a room of the location or even a rack name or rack number for the server?

>> Yeah, absolutely. So this is really for the customer to easily identify where that resource is. If something happens to that server, they can go; if they need to physically access it, they know exactly where they need to be. Here we also allow the customer to choose the operating system. I didn’t really specifically spell it out, but as always, in Azure we are trying to embrace Windows as well as Linux. Same here: we build two packages for the agent to on-board either Windows Server or Linux servers. We understand a lot of customers, for on-prem especially, don’t want to expose their servers to the Internet directly and they put them behind a proxy server. So here in this case our agent does need to connect to Azure. If these servers are not connected to Azure directly, they can configure the proxy server here and then the agent will be able to communicate through the proxy server. This is just an Azure resource capability, so they can tag the servers to indicate maybe who owns them or whether they are a part of a team.

>> Yeah. This also means that it’s just like with other Azure resources, right? So for example in my environment I tag resources based on production, development environment, demo environments, and so on; so they can use the same tagging for their on-prem servers?

>> Yeah, exactly. You got that. In the end here, we generate this script. So now you can take a copy of the script and run it on the target server. Let me show you exactly the script content. So there are really three steps. One: you download the package, but if you actually already downloaded it and put it on a file share, you can just change that to copy it off from that file share. The second command is to install that package. The last one is the important one here, which actually does the on-boarding. This tool will actually create the ARM resource and then link back to the agent, so that at the end of the on-boarding process you will actually see this resource representing that physical server in the Azure portal.

>> Oh, that’s awesome. So we make it super easy basically for customers to on-board the servers by basically creating the script they need, and obviously, I think they can also run the scripts against multiple servers if they on-board not just one or two servers but maybe hundreds of servers?

>> Oh yeah. Absolutely.

>> Okay, that’s great. So now I have my server in the portal and I can see that and manage it using the Azure Resource Manager. Which services can I actually use now?

>> Yeah, let me show you that. So if you click on one of the resources, as you can see here, we really want to follow the Azure Virtual Machine model. So you can see the list of capabilities, and as we move forward, we are going to expand on these management capabilities. Today we are enabling two specific services. One, we can integrate it with Log Analytics so that you can actually get the logs added to the resource ID and you can query those logs in one central place. So let me show you. If I click on “Logs” I will be able to get all the logs relevant to this server. Without this, if a customer is trying to access a log for a server, they essentially need to go to the server and figure out which workspace ID it connects to, and then come to the portal, find that workspace, and then filter based on the computer name. Now with this integration, you can simply just click here and then get all the logs belonging to the same server.

>> Oh, that’s fantastic. So this also helps me; I see a lot of customers having different organization parts, and some of them are just really application focused, so I can now just give access to this specific team to a specific set of servers and they can just access the logs for the servers?

>> Yeah, that’s actually a great benefit that you mentioned there. In March the monitoring team released this new capability called resource-centric RBAC role access for the logs, and they made it available for Azure VMs; now with the Hybrid, you can also get it for on-prem servers.

>> Oh, that’s awesome. So you also mentioned policies.

>> Yeah. So Azure Policy is the place where customers can define their compliance and can also view their compliance status. There’s this particular category of policies called Guest Configuration policies. You can think of Guest Configuration Policies almost like group policies, but for servers not domain joined. So there’s a long list of the Guest Configuration Policies. We made 18 built-in policies today. So you can actually deploy them right out of the box. But also, if you have a requirement that is not built-in, you can actually create those custom policies and deploy them into your unique environment. With the Guest Configuration policies, it actually works through ARM for the Azure VMs. Now with the Hybrid, they can also be monitoring and governing the on-prem servers. So as you can see, I deployed some of the Guest Configuration Policies and in one view I can see all these non-compliant statuses. If I drill down, I notice the password policy: I have a bunch of non-compliant servers. So let me come here, drill down, then I can see all the servers that are not in compliance. You can see which resource group they belong to, so you can get an idea what they are doing. But also, importantly, these are Azure Virtual Machines and these are on-prem servers. So in one view, you get a full picture of all the servers that are not in compliance.

>> Wow, that’s fantastic. So I see all my servers, doesn’t matter where they’re running; if they’re running in Azure, if they’re running on-prem, in my datacenters, in my branch offices, I can see them all in one single view and I can manage them from Azure?

>> Yeah, that’s our purpose of having Azure be the one central place, and we want to provide the consistent experience.

>> So that’s fantastic. So if I’m a customer today, how do I get my hands on this?

>> Yes, so we are really getting into public preview now. So if you follow the link on the screen, you’ll be able to see our documentation and the process on how to enroll with the service.

>> Okay. That’s fantastic, and what about the cost for this?

>> Oh yeah. That’s a great point. We get a lot of questions on how much would I pay for it, and the good news, or great news, is it’s free. That means that you don’t actually pay to on-board your machines onto Azure, and you only pay for the solutions that you’re going to deploy onto those servers.

>> Well, that’s fantastic news. So thank you very much, Chang’. Thank you for being here and showing us these Hybrid management capabilities.

>> Yeah, thank you.

A quick look at Azure Arc for Servers!