diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/ChangeTracking/template-DCR-ChangeTracking.json b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/ChangeTracking/template-DCR-ChangeTracking.json new file mode 100644 index 000000000..93b022c99 --- /dev/null +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/ChangeTracking/template-DCR-ChangeTracking.json 
@@ -0,0 +1,347 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "dataCollectionRuleName": { + "type": "string", + "metadata": { + "description": "Specifies the name of the data collection rule to create." + }, + "defaultValue": "DCR-ChangeTracking" + }, + "workspaceResourceId": { + "type": "string", + "metadata": { + "description": "Specifies the Azure resource ID of the Log Analytics workspace to use to store change tracking data." + } + } + }, + "variables": { + "subscriptionId": "[substring(parameters('workspaceResourceId'), 15, sub(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 15))]", + "resourceGroupName": "[substring(parameters('workspaceResourceId'), add(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 16), sub(sub(indexOf(parameters('workspaceResourceId'), '/providers/'), indexOf(parameters('workspaceResourceId'), '/resourceGroups/')),16))]", + "workspaceName": "[substring(parameters('workspaceResourceId'), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1), sub(length(parameters('workspaceResourceId')), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1)))]" + }, + "resources": [ + { + "type": "microsoft.resources/deployments", + "name": "get-workspace-region", + "apiVersion": "2020-08-01", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "workspaceLocation": { + "type": "string", + "value": "[reference(parameters('workspaceResourceId'), '2020-08-01', 'Full').location]" + } + } + } + } + }, + { + "type": "microsoft.resources/deployments", + "name": "CtDcr-Deployment", + "apiVersion": "2020-08-01", + "properties": { + "mode": "Incremental", + "parameters": { + "workspaceRegion": { + "value": 
"[reference('get-workspace-region').outputs.workspaceLocation.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceRegion": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/dataCollectionRules", + "apiVersion": "2021-04-01", + "name": "[parameters('dataCollectionRuleName')]", + "location": "[[parameters('workspaceRegion')]", + "properties": { + "description": "Data collection rule for CT.", + "dataSources": { + "extensions": [ + { + "streams": [ + "Microsoft-ConfigurationChange", + "Microsoft-ConfigurationChangeV2", + "Microsoft-ConfigurationData" + ], + "extensionName": "ChangeTracking-Windows", + "extensionSettings": { + "enableFiles": true, + "enableSoftware": true, + "enableRegistry": true, + "enableServices": true, + "enableInventory": true, + "registrySettings": { + "registryCollectionFrequency": 3000, + "registryInfo": [ + { + "name": "Registry_1", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup", + "valueName": "" + }, + { + "name": "Registry_2", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown", + "valueName": "" + }, + { + "name": "Registry_3", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "valueName": "" + }, + { + "name": "Registry_4", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components", + "valueName": "" + }, + { + 
"name": "Registry_5", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers", + "valueName": "" + }, + { + "name": "Registry_6", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers", + "valueName": "" + }, + { + "name": "Registry_7", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers", + "valueName": "" + }, + { + "name": "Registry_8", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers", + "valueName": "" + }, + { + "name": "Registry_9", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers", + "valueName": "" + }, + { + "name": "Registry_10", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", + "valueName": "" + }, + { + "name": "Registry_11", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", + "valueName": "" + }, + { + "name": "Registry_12", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions", + "valueName": "" + }, + { + 
"name": "Registry_13", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions", + "valueName": "" + }, + { + "name": "Registry_14", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", + "valueName": "" + }, + { + "name": "Registry_15", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", + "valueName": "" + }, + { + "name": "Registry_16", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls", + "valueName": "" + }, + { + "name": "Registry_17", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify", + "valueName": "" + } + ] + }, + "fileSettings": { + "fileCollectionFrequency": 2700 + }, + "softwareSettings": { + "softwareCollectionFrequency": 1800 + }, + "inventorySettings": { + "inventoryCollectionFrequency": 36000 + }, + "servicesSettings": { + "serviceCollectionFrequency": 1800 + } + }, + "name": "CTDataSource-Windows" + }, + { + "streams": [ + "Microsoft-ConfigurationChange", + "Microsoft-ConfigurationChangeV2", + "Microsoft-ConfigurationData" + ], + "extensionName": "ChangeTracking-Linux", + "extensionSettings": { + "enableFiles": true, + "enableSoftware": true, + "enableRegistry": false, + "enableServices": true, + "enableInventory": true, + "fileSettings": { + "fileCollectionFrequency": 900, + "fileInfo": [ + { + "name": "ChangeTrackingLinuxPath_default", + "enabled": true, + "destinationPath": 
"/etc/.*.conf", + "useSudo": true, + "recurse": true, + "maxContentsReturnable": 5000000, + "pathType": "File", + "type": "File", + "links": "Follow", + "maxOutputSize": 500000, + "groupTag": "Recommended" + } + ] + }, + "softwareSettings": { + "softwareCollectionFrequency": 300 + }, + "inventorySettings": { + "inventoryCollectionFrequency": 36000 + }, + "servicesSettings": { + "serviceCollectionFrequency": 300 + } + }, + "name": "CTDataSource-Linux" + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "Microsoft-CT-Dest" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-ConfigurationChange", + "Microsoft-ConfigurationChangeV2", + "Microsoft-ConfigurationData" + ], + "destinations": [ + "Microsoft-CT-Dest" + ] + } + ] + } + }, + { + "type": "Microsoft.OperationsManagement/solutions", + "name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]", + "location": "[[parameters('workspaceRegion')]", + "apiVersion": "2015-11-01-preview", + "id": "[Concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.OperationsManagement/solutions/ChangeTracking', '(', variables('workspaceName'), ')')]", + "properties": { + "workspaceResourceId": "[parameters('workspaceResourceId')]" + }, + "plan": { + "name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]", + "product": "OMSGallery/ChangeTracking", + "promotionCode": "", + "publisher": "Microsoft" + } + } + ] + } + } + } + ] +} diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/README.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/README.md new file mode 100644 index 000000000..b757f5633 --- /dev/null +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/README.md 
@@ -0,0 +1,29 @@
+# Overview
+As a coach (or participant) you might need to have some VMs available which you can use in this microhack to onboard via Arc to Azure. This folder provides scripts and templates to quickly create such VMs. As deployment platform Azure IaaS will be used. Azure VMs need to be [reconfigured](https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-evaluate-on-azure-virtual-machine) in order to simulate on-prem VMs, so that the Azure Guest agent does not interfere with the Azure Arc agent. The scripts to reconfigure this are included in the ```create_vms.sh```.
+
+For each partipant, you will need one Windows and one Linux VM. You can provide the number of participants in the script. The script will then create 1 Windows 2019-datacenter-gensecond and 1 Ubuntu 20_04-lts-gen2 VM for each participant.
+
+## Deployment instructions
+Open a bash shell and login to Azure:
+```shell
+az login
+```
+Make sure you are using the subscription you intent to (if not, set it to the correct subscription: ```az account set -s ```).
+
+Open the file ```create_vms.sh``` in an editor and adjust the parameters as needed.
+
+|Parameter |Description |Default value |
+|----------------- |---------------|------------|
+|resourceGroupName |The name of the resource group the VMs willl get deployed to. Will be created if not existing|rg-on-prem-vms|
+|resourceGroupLocation |Azure region where your resource group will be created in|germanywestcentral|
+|adminUsername |local admin/root account in your VMs (will be the same for all machines)|MHAdmin|
+|adminPassword |local admin/root password (will be the same for all machines). Use a password which honors complexity rules for Windows & Ubuntu|SecretP@$$W0rd|
+|number_of_participants |Adjust this to the number of participants in your cohort. For each particpants 2 VMs are created|10|
+|regions |An array of regions to which you want to deploy. If using a Sponsored subscription, you might have core limits per region. If providing more than one region in the array, the script will iterate through the regions and distribute the VMs evenly to the named regions. 1 Win and 1 Linux VM will be deployed to a region before moving on in the iteration|("germanywestcentral" "northeurope" "swedencentral" "francecentral" "westeurope")|
+|virtualMachineSize |You can adjust the VM size if needed|Standard_D2ads_v5|
+
+Save the file. Make sure the shell script has execution permission in your directory (if not add it: ```chmod +x create_vms.sh```). Now, execute the shell script
+```shell
+./create_vms.sh
+```
+
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/create_vms.sh b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/create_vms.sh
new file mode 100644
index 000000000..0f95ac105
--- /dev/null
+++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/create_vms.sh
@@ -0,0 +1,72 @@
+# adjust parameters with your own values as needed
+resourceGroupName="rg-on-prem"
+resourceGroupLocation="germanywestcentral"
+adminUsername="MHAdmin"
+adminPassword="REPLACEME"
+
+# in a sponsored subscription there is a core limit of 10 cores per VM-series per region. Therefore, the script will distribute the VMs to different regions
+# assuming you stick to the Standard_D2ads_v5, max 5 VMs per region can be deployed. As each participant should have one windows and one linux machine,
+# we are deploying always 2 VMs (1 linux and 1 windows) per user. This means we can fit 2 participants into one region. So make your that you add enough regions
+# to the regions array to fit all participants.
+
+number_of_participants=10
+regions=("germanywestcentral" "northeurope" "swedencentral" "francecentral" "westeurope")
+virtualMachineSize="Standard_D2ads_v5"
+
+# create a resource group
+az group create --name $resourceGroupName --location $resourceGroupLocation
+number_of_regions=${#regions[@]}
+echo "Number of regions: $number_of_regions"
+number_of_loops=$((number_of_participants * 2 - 1 ))
+echo "Number of loops: $number_of_loops"
+
+for j in $(eval echo {0..$number_of_loops})
+do
+ # i++ for every second iteration, so we have win-0 and lnx-0 in the same region
+ i=$(($j / 2))
+ region_index=$((i % number_of_regions))
+ location=${regions[($i % $number_of_regions)]}
+
+ # every loop we switch between creating a linux and a windows VM
+ if (( $j % 2 == 0 )); then
+ type="lnx"
+ else
+ type="win"
+ fi
+
+ vmName="vm-$type-mh$i"
+ echo "Creating VM $vmName in $location"
+
+ networkInterfaceName="$vmName-nic"
+ publicIpAddressName="$vmName-pip"
+ networkSecurityGroupName="$vmName-nsg"
+ virtualNetworkName="$vmName-vnet"
+ virtualMachineComputerName=$vmName
+ deploymentName="$vmName-Deploy"
+
+ # Create a VM
+ az deployment group create \
+ --resource-group $resourceGroupName \
+ --name $deploymentName \
+ --template-file ./template-$type.json \
+ --parameters @parameters-$type.json \
+ --parameters virtualMachineName=$vmName \
+ adminUsername=$adminUsername \
+ adminPassword=$adminPassword \
+ networkInterfaceName=$networkInterfaceName \
+ publicIpAddressName=$publicIpAddressName \
+ networkSecurityGroupName=$networkSecurityGroupName \
+ virtualNetworkName=$virtualNetworkName \
+ virtualMachineComputerName=$virtualMachineComputerName \
+ virtualMachineRG=$resourceGroupName \
+ virtualMachineSize=$virtualMachineSize \
+ location=$location
+
+ # Run the reconfig script to disable the Azure Guest Agent
+ if [ $type == "win" ]; then
+ az vm run-command create --name reconfigWin$i --vm-name $vmName -g $resourceGroupName --location $location --script @reconfig-win.ps1 --async-execution
+ else
+ az vm run-command invoke -g $resourceGroupName -n $vmName --command-id RunShellScript --scripts @reconfig-ubuntu.sh --no-wait
+ fi
+
+done
\ No newline at end of file
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/parameters-lnx.json b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/parameters-lnx.json
new file mode 100644
index 000000000..c8b8e69b7
--- /dev/null
+++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/parameters-lnx.json
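Review bot: `adminPassword` is kept in clear text in the script and handed to `az deployment group create` on the command line as `adminPassword=$adminPassword`, which leaves the shared lab password in shell history and in the process list of anyone on the coach's machine; replace the hard-coded assignment with a prompt, `read -rsp 'Admin password: ' adminPassword; echo`, so nothing secret is ever committed or typed into the command string. The README in this commit still lists `SecretP@$$W0rd` and `rg-on-prem-vms` as defaults while the script has `REPLACEME` and `rg-on-prem`; align the two. The file has no shebang although it relies on bash arrays and `(( ))`, so add `#!/usr/bin/env bash` and `set -euo pipefail` as the first lines — without `set -e` a failed deployment is skipped silently and the loop moves on to the next VM. `for j in $(eval echo {0..$number_of_loops})` can be written `for j in $(seq 0 "$number_of_loops")`, which gives the same range without `eval`. The unquoted `$resourceGroupName`, `$vmName`, `$location` and friends only work while those values contain no whitespace; quoting them costs nothing.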
@@ -0,0 +1,95 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "value": "francecentral"
+ },
+ "networkInterfaceName": {
+ "value": "asdadasd1"
+ },
+ "networkSecurityGroupName": {
+ "value": "asdadasd-nsg"
+ },
+ "networkSecurityGroupRules": {
+ "value": [
+ {
+ "name": "SSH",
+ "properties": {
+ "priority": 300,
+ "protocol": "TCP",
+ "access": "Allow",
+ "direction": "Inbound",
+ "sourceAddressPrefix": "*",
+ "sourcePortRange": "*",
+ "destinationAddressPrefix": "*",
+ "destinationPortRange": "22"
+ }
+ }
+ ]
+ },
+ "subnetName": {
+ "value": "default"
+ },
+ "virtualNetworkName": {
+ "value": "gxgggssg"
+ },
+ "addressPrefixes": {
+ "value": [
+ "10.1.0.0/16"
+ ]
+ },
+ "subnets": {
+ "value": [
+ {
+ "name": "default",
+ "properties": {
+ "addressPrefix": "10.1.0.0/24"
+ }
+ }
+ ]
+ },
+ "publicIpAddressName": {
+ "value": "asdadasd-ip"
+ },
+ "publicIpAddressType": {
+ "value": "Static"
+ },
+ "publicIpAddressSku": {
+ "value": "Standard"
+ },
+ "pipDeleteOption": {
+ "value": "Delete"
+ },
+ "virtualMachineName": {
+ "value": "asdadasd"
+ },
+ "virtualMachineComputerName": {
+ "value": "asdadasd"
+ },
+ "virtualMachineRG": {
+ "value": "rg-onpremvms"
+ },
+ "osDiskType": {
+ "value": "StandardSSD_LRS"
+ },
+ "osDiskDeleteOption": {
+ "value": "Delete"
+ },
+ "virtualMachineSize": {
+ "value": "Standard_D2s_v3"
+ },
+ "nicDeleteOption": {
+ "value": "Delete"
+ },
+ "hibernationEnabled": {
+ "value": false
+ },
+ "adminUsername": {
+ "value": "mhadminyes"
+ },
+ "adminPassword": {
+ "value": null
+ }
+ }
+}
\ No newline at end of file
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/parameters-win.json b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/parameters-win.json
new file mode 100644
index 000000000..396bb9fcd
--- /dev/null
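Review bot: The `SSH` rule allows inbound TCP/22 from `"sourceAddressPrefix": "*"` on a VM that also gets a `Static` public IP of SKU `Standard`, so every demo machine is reachable from the whole internet with one password shared by all participants; set `sourceAddressPrefix` to the coach's or the lab's egress CIDR (or drop the public IP and reach the VMs over Bastion/VPN) before the password is handed out. parameters-win.json has the same `*` on its `RDP` rule for TCP/3389. The placeholder values here (`asdadasd1`, `gxgggssg`, `francecentral`, `Standard_D2s_v3`, `mhadminyes`) are overridden by the `--parameters name=value` list in create_vms.sh, but `networkSecurityGroupRules`, `addressPrefixes`, `subnets`, the public-IP and delete options are not, so this file is the effective network configuration; one README line naming which keys the script overrides would stop edits here from being silently ignored.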
+++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/parameters-win.json
@@ -0,0 +1,101 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "value": "westeurope"
+ },
+ "networkInterfaceName": {
+ "value": "testname558"
+ },
+ "networkSecurityGroupName": {
+ "value": "testname-nsg"
+ },
+ "networkSecurityGroupRules": {
+ "value": [
+ {
+ "name": "RDP",
+ "properties": {
+ "priority": 300,
+ "protocol": "TCP",
+ "access": "Allow",
+ "direction": "Inbound",
+ "sourceAddressPrefix": "*",
+ "sourcePortRange": "*",
+ "destinationAddressPrefix": "*",
+ "destinationPortRange": "3389"
+ }
+ }
+ ]
+ },
+ "subnetName": {
+ "value": "default"
+ },
+ "virtualNetworkName": {
+ "value": "testname-vnet"
+ },
+ "addressPrefixes": {
+ "value": [
+ "10.0.0.0/16"
+ ]
+ },
+ "subnets": {
+ "value": [
+ {
+ "name": "default",
+ "properties": {
+ "addressPrefix": "10.0.0.0/24"
+ }
+ }
+ ]
+ },
+ "publicIpAddressName": {
+ "value": "testname-ip"
+ },
+ "publicIpAddressType": {
+ "value": "Static"
+ },
+ "publicIpAddressSku": {
+ "value": "Standard"
+ },
+ "pipDeleteOption": {
+ "value": "Delete"
+ },
+ "virtualMachineName": {
+ "value": "testname"
+ },
+ "virtualMachineComputerName": {
+ "value": "testname"
+ },
+ "virtualMachineRG": {
+ "value": "test"
+ },
+ "osDiskType": {
+ "value": "StandardSSD_LRS"
+ },
+ "osDiskDeleteOption": {
+ "value": "Delete"
+ },
+ "virtualMachineSize": {
+ "value": "Standard_D2ads_v5"
+ },
+ "nicDeleteOption": {
+ "value": "Delete"
+ },
+ "hibernationEnabled": {
+ "value": false
+ },
+ "adminUsername": {
+ "value": "asdasdasdas"
+ },
+ "adminPassword": {
+ "value": null
+ },
+ "patchMode": {
+ "value": "AutomaticByOS"
+ },
+ "enableHotpatching": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/reconfig-ubuntu.sh b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/reconfig-ubuntu.sh
new file mode 100644
index 000000000..2c3ee807b
--- /dev/null
+++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/reconfig-ubuntu.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+CURRENT_HOSTNAME=$(hostname)
+sudo service walinuxagent stop
+sudo waagent -deprovision -force
+sudo rm -rf /var/lib/waagent
+sudo hostnamectl set-hostname $CURRENT_HOSTNAME
+
+sudo ufw --force enable
+sudo ufw deny out from any to 169.254.169.254
+sudo ufw default allow incoming
\ No newline at end of file
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/reconfig-win.ps1 b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/reconfig-win.ps1
new file mode 100644
index 000000000..9a3944af2
--- /dev/null
+++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/reconfig-win.ps1
@@ -0,0 +1,10 @@
+
+# set the environment variable to override the ARC on an Azure VM installation.
+[System.Environment]::SetEnvironmentVariable("MSFT_ARC_TEST",'true', [System.EnvironmentVariableTarget]::Machine)
+
+# disable the Azure VM guest agent
+Set-Service WindowsAzureGuestAgent -StartupType Disabled -Verbose
+Stop-Service WindowsAzureGuestAgent -Force -Verbose
+
+# Block access to the Azure IMDS endpoint
+New-NetFirewallRule -Name BlockAzureIMDS -DisplayName "Block access to Azure IMDS" -Enabled True -Profile Any -Direction Outbound -Action Block -RemoteAddress 169.254.169.254
\ No newline at end of file
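Review bot: `sudo ufw default allow incoming` on the last line turns the host firewall into allow-all for inbound traffic, so after this script the NSG is the only control between the internet and the VM; `sudo ufw allow 22/tcp` keeps SSH reachable while leaving ufw's default-deny inbound policy in place. The script has no `set -e`, so a failed `waagent -deprovision -force` still lets `rm -rf /var/lib/waagent` and the firewall changes run on a half-deprovisioned agent; `set -e` after the `#!/bin/sh` line is enough. Because `ufw --force enable` runs before the `default allow incoming` line, there is a short default-deny window for new inbound connections while the script executes; putting the `allow` rule before `enable` avoids it. A one-line header such as `# Makes this Azure VM look like an on-prem host for Arc onboarding: removes the Azure guest agent and blocks IMDS (169.254.169.254); not reversible in place.` would tell the next coach what they are running.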
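Review bot: `New-NetFirewallRule -Name BlockAzureIMDS ...` on the last line fails if a rule with that name already exists, and nothing in the script stops on errors, so a re-run through `az vm run-command` can look successful while individual lines failed; add `$ErrorActionPreference = 'Stop'` at the top and guard the rule with `if (-not (Get-NetFirewallRule -Name BlockAzureIMDS -ErrorAction SilentlyContinue)) { New-NetFirewallRule ... }`. The machine-wide `MSFT_ARC_TEST` variable and the disabled `WindowsAzureGuestAgent` service are permanent changes to the VM; a header comment stating that this script makes the VM behave as an on-prem host for Arc onboarding and that undoing it means re-enabling the service, removing the variable and deleting the `BlockAzureIMDS` rule would spare the next coach a surprise.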
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/template-lnx.json b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/template-lnx.json new file mode 100644 index 000000000..022e1a96f --- /dev/null +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/template-lnx.json 
@@ -0,0 +1,204 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "networkInterfaceName": { + "type": "string" + }, + "networkSecurityGroupName": { + "type": "string" + }, + "networkSecurityGroupRules": { + "type": "array" + }, + "subnetName": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "publicIpAddressName": { + "type": "string" + }, + "publicIpAddressType": { + "type": "string" + }, + "publicIpAddressSku": { + "type": "string" + }, + "pipDeleteOption": { + "type": "string" + }, + "virtualMachineName": { + "type": "string" + }, + "virtualMachineComputerName": { + "type": "string" + }, + "virtualMachineRG": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "osDiskDeleteOption": { + "type": "string" + }, + "virtualMachineSize": { + "type": "string" + }, + "nicDeleteOption": { + "type": "string" + }, + "hibernationEnabled": { + "type": "bool" + }, + "adminUsername": { + "type": "string" + }, + "adminPassword": { + "type": "secureString" + } + }, + "variables": { + "nsgId": "[resourceId(resourceGroup().name, 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]", + "vnetName": "[parameters('virtualNetworkName')]", + "vnetId": "[resourceId(resourceGroup().name,'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]" + }, + "resources": [ + { + "name": "[parameters('networkInterfaceName')]", + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2022-11-01", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]", + 
"[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + }, + "privateIPAllocationMethod": "Dynamic", + "publicIpAddress": { + "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]", + "properties": { + "deleteOption": "[parameters('pipDeleteOption')]" + } + } + } + } + ], + "networkSecurityGroup": { + "id": "[variables('nsgId')]" + } + } + }, + { + "name": "[parameters('networkSecurityGroupName')]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroupRules')]" + } + }, + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('publicIpAddressName')]", + "type": "Microsoft.Network/publicIpAddresses", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "properties": { + "publicIpAllocationMethod": "[parameters('publicIpAddressType')]" + }, + "sku": { + "name": "[parameters('publicIpAddressSku')]" + } + }, + { + "name": "[parameters('virtualMachineName')]", + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('virtualMachineSize')]" + }, + "storageProfile": { + "osDisk": 
{ + "createOption": "fromImage", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + }, + "deleteOption": "[parameters('osDiskDeleteOption')]" + }, + "imageReference": { + "publisher": "canonical", + "offer": "0001-com-ubuntu-server-focal", + "sku": "20_04-lts-gen2", + "version": "latest" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]", + "properties": { + "deleteOption": "[parameters('nicDeleteOption')]" + } + } + ] + }, + "additionalCapabilities": { + "hibernationEnabled": false + }, + "osProfile": { + "computerName": "[parameters('virtualMachineComputerName')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]", + "linuxConfiguration": { + "patchSettings": { + "patchMode": "ImageDefault" + } + } + } + } + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/template-win.json b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/template-win.json new file mode 100644 index 000000000..0fe977406 --- /dev/null +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/template-win.json 
@@ -0,0 +1,214 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "networkInterfaceName": { + "type": "string" + }, + "networkSecurityGroupName": { + "type": "string" + }, + "networkSecurityGroupRules": { + "type": "array" + }, + "subnetName": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "publicIpAddressName": { + "type": "string" + }, + "publicIpAddressType": { + "type": "string" + }, + "publicIpAddressSku": { + "type": "string" + }, + "pipDeleteOption": { + "type": "string" + }, + "virtualMachineName": { + "type": "string" + }, + "virtualMachineComputerName": { + "type": "string" + }, + "virtualMachineRG": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "osDiskDeleteOption": { + "type": "string" + }, + "virtualMachineSize": { + "type": "string" + }, + "nicDeleteOption": { + "type": "string" + }, + "hibernationEnabled": { + "type": "bool" + }, + "adminUsername": { + "type": "string" + }, + "adminPassword": { + "type": "secureString" + }, + "patchMode": { + "type": "string" + }, + "enableHotpatching": { + "type": "bool" + } + }, + "variables": { + "nsgId": "[resourceId(resourceGroup().name, 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]", + "vnetName": "[parameters('virtualNetworkName')]", + "vnetId": "[resourceId(resourceGroup().name,'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]" + }, + "resources": [ + { + "name": "[parameters('networkInterfaceName')]", + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2022-11-01", + "location": "[parameters('location')]", + "dependsOn": [ + 
"[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + }, + "privateIPAllocationMethod": "Dynamic", + "publicIpAddress": { + "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]", + "properties": { + "deleteOption": "[parameters('pipDeleteOption')]" + } + } + } + } + ], + "networkSecurityGroup": { + "id": "[variables('nsgId')]" + } + } + }, + { + "name": "[parameters('networkSecurityGroupName')]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroupRules')]" + } + }, + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('publicIpAddressName')]", + "type": "Microsoft.Network/publicIpAddresses", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "properties": { + "publicIpAllocationMethod": "[parameters('publicIpAddressType')]" + }, + "sku": { + "name": "[parameters('publicIpAddressSku')]" + } + }, + { + "name": "[parameters('virtualMachineName')]", + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName'))]" + ], + "properties": { + 
"hardwareProfile": { + "vmSize": "[parameters('virtualMachineSize')]" + }, + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + }, + "deleteOption": "[parameters('osDiskDeleteOption')]" + }, + "imageReference": { + "publisher": "MicrosoftWindowsServer", + "offer": "WindowsServer", + "sku": "2019-datacenter-gensecond", + "version": "latest" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]", + "properties": { + "deleteOption": "[parameters('nicDeleteOption')]" + } + } + ] + }, + "additionalCapabilities": { + "hibernationEnabled": false + }, + "osProfile": { + "computerName": "[parameters('virtualMachineComputerName')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]", + "windowsConfiguration": { + "enableAutomaticUpdates": true, + "provisionVmAgent": true, + "patchSettings": { + "enableHotpatching": "[parameters('enableHotpatching')]", + "patchMode": "[parameters('patchMode')]" + } + } + }, + "licenseType": "Windows_Server" + } + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-1/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-1/solution.md index 60eaabf46..cb7ef824f 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-1/solution.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-1/solution.md 
@@ -14,6 +14,8 @@ Sign in to the [Azure Portal](https://portal.azure.com/). * [Create Resource Group](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal#create-resource-groups) +*Please note: At the time of writing this solution, not all Azure Arc features are fully supported in all regions. We tested this solution in region West Europe.* + ### Task 2: Create Service Principal * [Create Service Principal](https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale) diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/2.3_Create_Data_Collection_Rule_Basics.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/2.3_Create_Data_Collection_Rule_Basics.png index 662309f65..14fd39b45 100644 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/2.3_Create_Data_Collection_Rule_Basics.png and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/2.3_Create_Data_Collection_Rule_Basics.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.5_Assign_Policy_Monitor_AMA_remidiate.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.5_Assign_Policy_Monitor_AMA_remidiate.png index b02181fb5..96bf54b92 100644 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.5_Assign_Policy_Monitor_AMA_remidiate.png and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.5_Assign_Policy_Monitor_AMA_remidiate.png differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.6_Assign_Policy_Monitor_AMA_remidiate.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.6_Assign_Policy_Monitor_AMA_remidiate.png index 670e0e738..31ff17c66 100644 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.6_Assign_Policy_Monitor_AMA_remidiate.png and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.6_Assign_Policy_Monitor_AMA_remidiate.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.7_Assign_Policy_Monitor_AMA_remidiate.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.7_Assign_Policy_Monitor_AMA_remidiate.png index 0120f837f..7b879493e 100644 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.7_Assign_Policy_Monitor_AMA_remidiate.png and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.7_Assign_Policy_Monitor_AMA_remidiate.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.1_remediation_tasks.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.1_remediation_tasks.png new file mode 100644 index 000000000..64a809968 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.1_remediation_tasks.png differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.9_Inventory.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.9_Inventory.png index 1c38797de..0ecb92e13 100644 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.9_Inventory.png and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.9_Inventory.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/solution.md index 33c8e8f2f..711d1cf4a 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/solution.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/solution.md @@ -9,7 +9,7 @@ Duration: 30 minutes Please ensure that you successfully passed [challenge 1](../../Readme.md#challenge-1) before continuing with this challenge. -### Task 1: Create necessary Azure resources +### Task 1: Create all necessary Azure Resources (Log Analytics workspace) 1. Sign in to the [Azure Portal](https://portal.azure.com/). 
@@ -17,8 +17,10 @@ Please ensure that you successfully passed [challenge 1](../../Readme.md#challen ![image](./img/5_CreateLAW.jpg) +***Please note**: For convenience, in this MicroHack create the Log Analytics workspace in the same resource group as you are using for your arc-enabled servers. Reason: The service pricinipal (used for remediation tasks) of the policy will be given the necessary RBAC roles on the scope where the policy is assigned. In this MicroHack we assume that every participant will assign the policy on resource group level. Hence, if the LAW is outside of that scope, you would need to assign the required permissions manually on the LAW.* -### Task 2: Configure Log Analytics + +### Task 2: Configure Data Collection Rules in Log Analytics to collect Windows event logs and Linux syslog 1. Navigate to the Log Analytics Workspace and open *Agents* in the left navigation pane. @@ -30,9 +32,9 @@ Please ensure that you successfully passed [challenge 1](../../Readme.md#challen ![image](./img/2.3_Create_Data_Collection_Rule_Basics.png) -4. Click on *Next: Collect and deliver* as we going to set the scope of resources later on via Azure Policy. Select *Windows Event Logs* and check the boxes of the log levels you like to collect. +4. Click on *Collect and deliver* as we going to set the scope of resources later on via Azure Policy. Click *Add data source*. For *Data source type* select *Windows Event Logs* and check the boxes of the log levels you would like to collect. -5. Continue on the second ribbon and configure the Destination for the Logs. +5. Click *Next: Destination* and *Add destination*. As *Destination type* select *Azure Monitor Logs* and in *Account or namespace* pick the Log Analytics workspace your created earlier. Click *Add data source*. ![image](./img/2.5_Create_Data_Collection_Rule_Destination.png) 
@@ -41,7 +43,7 @@ Please ensure that you successfully passed [challenge 1](../../Readme.md#challen 7. Create the Data Collection Rule. -### Task 3: Assign Azure Policy Initiative to your Azure Arc resource group +### Task 3: Enable Azure Monitor for Azure Arc enabled Servers with Azure Policy initiative 1. Navigate to *Policy* using the top search bar and select *Assignments* in the left navigation pane. 
@@ -52,13 +54,14 @@ Please ensure that you successfully passed [challenge 1](../../Readme.md#challen - Scope: Please select the resource group called *mh-arc-servers-rg* - Basics: Please search for *Enable Azure Monitor for Hybrid VMs with AMA* and select the initiative. - Parameters: Please insert the Resource ID of the Data Collection Rule from Task 2. -- Remediation: Please select the System assigned identity location according to your resources, e.g. West Europe. +- Remediation: Please select the System assigned identity location according to your resources, e.g. West Europe. Don't check the box for "Create a remediation task" here, as it would only create a remediation task for the first policy within the policy initiative. We will do this in one of the next steps for all policies. +- Click *Review + create* and then *Create* -4. Please wait a few seconds until the creation of the assignment is complete. You should see that the initiative is assigned. Every new Azure Arc Server will now automatically install the necessary agents. Be aware that Agent installation can take up to 60 Minutes. +4. Please wait around 30 seconds until the creation of the assignment is complete. You should see that the initiative is assigned. Every new Azure Arc server will now automatically install the AMA and Dependency agents as well the necessary association with the data collection rule we created in task 2. Be aware that agent installation can take up to 60 Minutes. ![image](./img/3.4_Assign_Policy_Monitor_AMA.png) -5. Important: Both machines were already onboarded earlier. As a result, you need to create a remediation task to apply the policy to your Azure Arc Servers. Please select the Policy Assignment and select *Create Remediation Task*. +5. Important: Both machines were already onboarded earlier. As a result, you need to create a remediation task for each policy in the initiative to apply the policy to your existing Azure Arc Servers. 
Please select the Policy Assignment and select *Create Remediation Task*. ![image](./img/3.5_Assign_Policy_Monitor_AMA_remidiate.png) @@ -66,16 +69,17 @@ Please ensure that you successfully passed [challenge 1](../../Readme.md#challen - AzureMonitorAgent_Windows_HybridVM_Deploy - AzureMonitorAgent_Linux_HybridVM_Deploy - DependencyAgentExtension_AMA_Windows_HybridVM_Deploy - - DependencyAgentExtension_Linux_HybridVM_Deploy - - VMInsightsDCR_DCRA_HybridVM_Deploy + - DependencyAgentExtension_AMA_Linux_HybridVM_Deploy + - DataCollectionRuleAssociation_Windows + - DataCollectionRuleAssociation_Linux ![image](./img/3.6_Assign_Policy_Monitor_AMA_remidiate.png) -7. Verify that all remediation were successful. +7. In Policy > Remediation > Remediation Task, verify that all remediation completed successfully: ![image](./img/3.7_Assign_Policy_Monitor_AMA_remidiate.png) -### Task 4: Enable Update Management for Azure Arc enabled Servers via Azure Policy +### Task 4: Enable and configure Update Management 1. Navigate to *Policy* using the top search bar and select *Assignments* in the left navigation pane. 
@@ -84,25 +88,26 @@ Please ensure that you successfully passed [challenge 1](../../Readme.md#challen 3. In this section you can now configure the assignment with the following settings and create the assignment: - Scope: Please select the resource group called *mh-arc-servers-rg* -- Basics: Please search for *Configure periodic checking for missing system updates on azure Arc-enabled servers* and select the policy. -- Parameters: Skip, and keep defaults. +- Basics: Please search for *Configure periodic checking for missing system updates on azure Arc-enabled servers* and select the policy. As *Assignment name* append *(Windows)* +- Parameters: Skip, and keep defaults (which targeting Windows guest OS.) - Remediation: Please select the System assigned identity location according to your resources, e.g. West Europe. +- Click *Review + create* and then *Create* 4. Please wait a few seconds until the creation of the assignment is complete. You should see that the policy is assigned. -5. Repeat Step 3 and 4 for the Policy definition *Configure periodic checking for missing system updates on azure Arc-enabled servers*, this time unselecting the Checkbox at Parameters, shifting OS Type to Linux. +5. Repeat step 3 and 4 for the policy definition *Configure periodic checking for missing system updates on azure Arc-enabled servers*, apply the same configuration as in step 3 but this time unselect the checkbox at *Only show parameters that need input or review*, and change OS Type to *Linux*. Also append *(Linux)* in the *Assignment name* field. -6. Important: Both machines were already onboarded earlier. As a result, you need to create a remediation task to apply the policy to your Azure Arc Servers. Please select the Policy Assignment and select *Create Remediation Task*. +6. Important: Both machines were already onboarded earlier. As a result, you need to create a remediation task to trigger the DeployIfNotExists effect of the policy to your Azure Arc Servers. 
Please select the policy assignment and select *Create Remediation Task*. 7. Accept the default values, check *Re-evaluate resource compliance before remediating* and repeat the remediation for the following policies: - - Configure periodic checking for missing system updates on azure Arc-enabled servers_1 - - Configure periodic checking for missing system updates on azure Arc-enabled servers_2 + - Configure periodic checking for missing system updates on azure Arc-enabled servers (Windows) + - Configure periodic checking for missing system updates on azure Arc-enabled servers (Linux) 8. Verify that all remediation were successful. -9. Navigate to Azure Arc, select Servers, followed by selecting your Windows or Linux Server. +9. Navigate to Azure Arc, select Servers, repeat step 10 for your your Windows and Linux Server. -10. Select Updates and click on One-time Update or create a Scheduled Update, if you like to postpone the installation to a later point in time. (follow the wizzard). +10. Select Updates. If there are no update information dispayed yet, click *Check for updates* and wait until missing updates appear. Then click on *One-time update* or *Schedule updates* if you would like to postpone the installation to a later point in time. (follow the wizzard). ![image](./img/4.10_Update_Management.png) 
@@ -110,35 +115,74 @@ Please ensure that you successfully passed [challenge 1](../../Readme.md#challen ![image](./img/4.11_Update_Management.png) -### Task 5: Enable Inventory and Change Tracking for Azure Arc enabled Servers +### Task 5: Enable Change Tracking and Inventory + +In order to use the built-in policy initiative to enable *Change Tracking and Inventory* feature, we first need to create a special data collection rule. At the time of authoring this solution walkthrough, this is not possible using the Azure portal. But you can use the ARM template here: [/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/ChangeTracking/template-DCR-ChangeTracking.json](../../resources/ChangeTracking/template-DCR-ChangeTracking.json) to create this data collection rule. + +In the custom ARM template, provide the following parameters: +| *Parameter* | *Value* | +|---------------------------------------|---------------------------| +| Resource group | mh-arc-servers-rg | +| Data Collection Rule | leave the Default | +| Log Analytics_workspace_ResourceId |
i.e. /subscriptions/<*your-subscription-guid*>/resourcegroups/mh-arc-servers-rg/providers/microsoft.operationalinsights/workspaces/mh-arc-la| + +In your command shell, navigate to the folder where the template is located and execute the following command: + +``` + az deployment group create -g 'mh-arc-servers-rg' --template-file template-DCR-ChangeTracking.json --parameters workspaceResourceId='/subscriptions//resourcegroups//providers/microsoft.operationalinsights/workspaces/' +``` + +Check whether the change tracking data collection rule as been created successfully and note the resource id (you will need it during the policy initiative assignment). Then create the policy assignment following these steps: 1. Navigate to *Policy* using the top search bar and select *Assignments* in the left navigation pane. -2. Select *Assignments* in the left navigation pane and go to *Assign Policy* +2. Select *Assignments* in the left navigation pane and click *Assign initiative* 3. In this section you can now configure the assignment with the following settings and create the assignment: - Scope: Please select the resource group called *mh-arc-servers-rg* -- Basics: Please search for *[Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory* and select the policy. -- Parameters: Skip, and keep defaults. -- Remediation: Please select the System assigned identity location according to your resources, e.g. West Europe. +- Basics: Please search for *[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines* and select the initiative. +- Parameters: As *Data Collection Rule Resource Id* provide the resourceId of the data collection rule you just created in the beginning of this task - i.e. */subscriptions/<*your-subscription-guid*>/resourceGroups/mh-arc-servers-rg/providers/Microsoft.Insights/dataCollectionRules/DCR-ChangeTracking*. 
+- Remediation: Please select the System assigned identity location according to your resources, e.g. West Europe. You do check the box for "Create a remediation task" at this point in time, as it would only create one of the six required. We will do this in one of the next steps. 4. Please wait a few seconds until the creation of the assignment is complete. You should see that the policy is assigned. -5. Important: Both machines were already onboarded earlier. As a result, you need to create a remediation task to apply the policy to your Azure Arc Servers. Please select the Policy Assignment and select *Create Remediation Task*. +5. Important: Both machines were already onboarded earlier. As a result, you need to create a remediation tasks to apply all policies within the initiative to your Azure Arc Servers. Please select the Initiative Assignment and select *Create Remediation Task* for each policy. + +![image](./img/5.1_remediation_tasks.png) 6. Accept the default values, check *Re-evaluate resource compliance before remediating* and repeat the remediation for the following policies: - - [Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory + - DeployAMALinuxHybridVMWithUAIChangeTrackingAndInventory + - DCRALinuxHybridVMChangeTrackingAndInventory + - DeployChangeTrackingExtensionLinuxHybridVM + - DeployChangeTrackingExtensionWindowsHybridVM + - DeployAMAWindowsHybridVMWithUAIChangeTrackingAndInventory + - DCAWindowsHybridVMChangeTrackingAndInventory -8. Verify that all remediation were successful. +8. Verify that all remediation were successful. This might take multiple minutes (or even hours). 9. Navigate to Azure Arc, select Servers, followed by selecting your Windows Server. Select Inventory. Please be aware that generating the initial inventory takes multiple Minutes/hours. After a while the white page should show values. 
![image](./img/5.9_Inventory.png) -### Task 6: Analyze data in VM Insights +### Task 6: Enable VM Insights + +1. Navigate to your Virtual Machines, in section *Monitoring* select *Insights* in the left navigation pane. + +2. In the *Insights* tab, click the *Enable* button. + +3. In the *Monitoring Configuration* form, for *Data collection rule* click the *Create New* link + +4. Fill in the *Create new rule* form +- Data collection rule name: Provide a name (MSVMI for VMInsights will be appended automatically) - i.e. *DCR-MicroHack* +- Enable process and dependencies (Map): Check the box +- Subscription: Keep the default +- Log Analytics workspace: Choose the workspace you created in task 1 +- Click *Create* button. Then click *Configure* button. + +5. For all other VMs you want to enable for VM Insights in that region, repeat step 1 and 2. Then, in the *Monitoring configuration* form, make sure your newly created data collection rule is selected and click configure. -1. Navigate to your Virtual Machines, select VM Insights in the left navigation pane and enable Insights. +6. Wait for the deployment of the data collection rule to finish. This might take several minutes. ### Coffee Break of 10 minutes to let the data flow between your Virtual Machines and Azure