What is Azure Arc-enabled servers?

Azure Arc-enabled servers lets you manage Windows and Linux physical servers and virtual machines hosted outside of Azure, whether on your corporate network or at another cloud provider. For the purposes of Azure Arc, these machines hosted outside of Azure are considered hybrid machines. The management of hybrid machines in Azure Arc is designed to be consistent with how you manage native Azure virtual machines, using standard Azure constructs such as Azure Policy and applying tags. (For additional information about hybrid environments, see What is a hybrid cloud?)

When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID enabling the machine to be included in a resource group.

To connect hybrid machines to Azure, you install the Azure Connected Machine agent on each machine. This agent doesn't replace the Azure Monitor Agent. The Azure Monitor Agent for Windows and Linux is required in order to:

  • Proactively monitor the OS and workloads running on the machine
  • Manage it using Automation runbooks or solutions like Update Management
  • Use other Azure services like Microsoft Defender for Cloud

You can install the Connected Machine agent manually, or on multiple machines at scale, using the deployment method that works best for your scenario.

Note

This service supports Azure Lighthouse, which lets service providers sign in to their own tenant to manage subscriptions and resource groups that customers have delegated.

Note

For additional guidance regarding the different services Azure Arc offers, see Choosing the right Azure Arc service for machines.

Supported cloud operations

When you connect your machine to Azure Arc-enabled servers, you can perform many operational functions, just as you would with native Azure virtual machines. Below are some of the key supported actions for connected machines.

  • Govern:

  • Protect:

    • Protect non-Azure servers with Microsoft Defender for Endpoint, included through Microsoft Defender for Cloud, for threat detection, for vulnerability management, and to proactively monitor for potential security threats. Microsoft Defender for Cloud presents the alerts and remediation suggestions from the threats detected.
    • Use Microsoft Sentinel to collect security-related events and correlate them with other data sources.
  • Configure:

  • Monitor:

Note

At this time, enabling Azure Automation Update Management directly from an Azure Arc-enabled server is not supported. See Enable Update Management from your Automation account to understand requirements and how to enable Update Management for non-Azure VMs.

Log data collected and stored in a Log Analytics workspace from the hybrid machine contains properties specific to the machine, such as a Resource ID, to support resource-context log access.

Supported regions

For a list of supported regions with Azure Arc-enabled servers, see the Azure products by region page.

In most cases, the location you select when you create the installation script should be the Azure region geographically closest to your machine's location. Data at rest is stored within the Azure geography containing the region you specify, which may also affect your choice of region if you have data residency requirements. If the Azure region your machine connects to has an outage, the connected machine isn't affected, but management operations using Azure may be unable to complete. If there's a regional outage, and if you have multiple locations that support a geographically redundant service, it's best to connect the machines in each location to a different Azure region.

Instance metadata information about the connected machine is collected and stored in the region where the Azure Arc machine resource is configured, including the following:

  • Operating system name and version
  • Computer name
  • Computer's fully qualified domain name (FQDN)
  • Connected Machine agent version

For example, if the machine is registered with Azure Arc in the China East 2 region, the metadata is stored in the China region.

Supported environments

Azure Arc-enabled servers support the management of physical servers and virtual machines hosted outside of Azure. For specific details about supported hybrid cloud environments hosting VMs, see Connected Machine agent prerequisites.

Note

Azure Arc-enabled servers is not designed or supported to enable management of virtual machines running in Azure.

Agent status

The status for a connected machine can be viewed in the Azure portal under Azure Arc > Servers.

The Connected Machine agent sends a regular heartbeat message to the service every five minutes. If the service stops receiving these heartbeat messages from a machine, that machine is considered offline, and its status will automatically be changed to Disconnected within 15 to 30 minutes. Upon receiving a subsequent heartbeat message from the Connected Machine agent, its status will automatically be changed back to Connected.

If a machine remains disconnected for 45 days, its status may change to Expired. An expired machine can no longer connect to Azure and requires a server administrator to disconnect and then reconnect it to Azure to continue managing it with Azure Arc. The exact date upon which a machine expires is determined by the expiration date of the managed identity's credential, which is valid up to 90 days and renewed every 45 days.
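The heartbeat and status rules above matter to defenders because a machine that has stopped reporting is also a machine whose Defender for Cloud and Sentinel telemetry has stopped. The following is an added example, not code from this page or from the Azure Arc product, that classifies machines from constructed heartbeat records using the thresholds stated above (a heartbeat every five minutes, Disconnected within 15 to 30 minutes, Expired after 45 days). The status names Connected, Disconnected and Expired come from the page; the intermediate label DisconnectPending, the function names and the sample machine records are assumptions made for this example. In a real environment the status would be read from the Arc machine resource rather than computed locally.

```python
"""Classify Azure Arc-enabled servers by heartbeat age.

Added example modelled on the status rules described on this page.
All heartbeat records below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

HEARTBEAT_INTERVAL = timedelta(minutes=5)    # agent heartbeat cadence
DISCONNECT_EARLIEST = timedelta(minutes=15)  # service may mark Disconnected from here
DISCONNECT_LATEST = timedelta(minutes=30)    # ... and will have done so by here
EXPIRE_AFTER = timedelta(days=45)            # status may become Expired after this


def classify(last_heartbeat: datetime, now: datetime) -> tuple[str, int]:
    """Return (status, missed_heartbeats) for a machine.

    Status labels Connected, Disconnected and Expired follow the page;
    DisconnectPending is a hypothetical label for the 15-30 minute window
    in which the service may or may not have flipped the status yet.
    """
    age = now - last_heartbeat
    missed = age // HEARTBEAT_INTERVAL  # whole heartbeat intervals elapsed
    if age >= EXPIRE_AFTER:
        # Expired machines can't reconnect on their own; an administrator
        # must disconnect and reconnect them to Azure.
        return "Expired", missed
    if age >= DISCONNECT_LATEST:
        return "Disconnected", missed
    if age >= DISCONNECT_EARLIEST:
        return "DisconnectPending", missed
    return "Connected", missed


def coverage_report(machines: list[dict], now: datetime) -> list[dict]:
    """List machines whose security telemetry may have stopped flowing.

    Anything other than Connected is reported, so the 15-30 minute
    window is surfaced early rather than waiting for the service to
    confirm the Disconnected state.
    """
    report = []
    for machine in machines:
        status, missed = classify(machine["last_heartbeat"], now)
        if status != "Connected":
            report.append(
                {
                    "name": machine["name"],
                    "status": status,
                    "missed_heartbeats": missed,
                    "needs_admin_reconnect": status == "Expired",
                }
            )
    return report


# Constructed reference time and sample inventory (hypothetical names).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_MACHINES = [
    {"name": "web-01", "last_heartbeat": NOW - timedelta(minutes=4)},
    {"name": "db-02", "last_heartbeat": NOW - timedelta(minutes=20)},
    {"name": "app-03", "last_heartbeat": NOW - timedelta(hours=2)},
    {"name": "legacy-04", "last_heartbeat": NOW - timedelta(days=50)},
]

if __name__ == "__main__":
    for entry in coverage_report(SAMPLE_MACHINES, NOW):
        print(entry)
```

Feeding the report into an alerting pipeline turns a silent loss of monitoring coverage into an event: a server that drops off Arc is indistinguishable, from the cloud side, from a server whose agent was stopped deliberately, so both cases deserve the same follow-up.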

Service limits

There's no limit to how many Arc-enabled servers and VM extensions you can deploy in a resource group or subscription. The standard 800 resource limit per resource group applies to the Azure Arc Private Link Scope resource type.

To learn more about resource type limits, see the Resource instance limit article.

Data residency

Azure Arc-enabled servers stores customer data. By default, customer data stays within the region the customer deploys the service instance in. For regions with data residency requirements, customer data is always kept within the same region.

Next steps