Azure Automanage

Use the Azure Automanage service to create a management baseline for the connected machines, enabling update management and inventory. Alternatively, configure the services individually.

Introduction

Operational compliance guidance for Azure virtual machines recommends the services shown below, which historically have each been configured individually.

Azure Automanage

Azure Automanage simplifies management by bringing these various services together under best practice configurations covering both Production and Test/Dev scenarios.

Once your on-premises machines are Azure Arc-enabled, you can take advantage of Automanage as you go beyond monitoring, alerting and security. For Azure Arc VMs it has the benefit of installing the older MMA and Dependency agents. This hack does not use them for logs and metrics (preferring the AMA agents), but they are currently used for other functionality such as change and update management.

Please note that this is currently a preview service, and it does not yet cover all of the services in the diagram for Azure Arc VMs, but it is the fastest and simplest way to install the agents and benefit from:

  • configuration management
  • automation accounts
  • update management
  • change tracking and inventory

Pricing

Everything we have done with Azure Arc so far has been free, if you ignore the costs relating to other Azure services such as additional Azure Monitor workspace usage.

Be aware that using Azure Policy guest configuration (including Azure Automation change tracking, inventory, state configuration) has a monthly per server Azure Arc price.

Azure Automanage

Automanage can be enabled through the Automanage - Azure machine best practices resource in the Azure Portal. This quick start will create a managed Log Analytics workspace, Automation account and Recovery Services vault for Automanage.

Enable and configure:

  • Enable Automanage on the 6 Azure Arc-enabled VMs
  • What is the difference between Production and Dev / Test configuration profiles?
  • Which services are not yet available for Azure Arc-enabled servers?
  • Which services can be customised using a custom profile?

It will take up to 30 minutes for the servers to become configured and for the associated services to propagate and send data. Once that is complete, explore one of the Windows Azure Arc-enabled VMs.

  • Which additional Azure Policies have been applied?
  • Which additional extensions have been installed?
  • Explore the Insights in the Monitoring blade
  • Explore the Inventory on the Operations blade

Note, the Log Analytics Workspace, Automation Account and Recovery Vault can be customized when creating a custom profile using ARM templates.

Update Management

Automanage will deploy an Automation Account and connect the Arc-enabled VMs to it.

Use Update Management within the Automation Account created by Automanage to schedule updates for the VMs managed by Automanage.

  • Create and schedule update deployments
    • arc-windows-security-weekly
    • arc-windows-full-monthly
    • arc-linux-security-weekly
    • arc-linux-full-monthly
  • Report update compliance
  • Trigger a one-time update deployment and measure its success
  • Write a Log Analytics query (optional) to report on
    • the installed Windows Updates
    • the required Windows Updates
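
One possible shape for the optional query above, added here as an example and not part of the original hack material. It assumes the Update Management solution is writing to the Update table in the workspace created by Automanage, and that Arc-enabled servers can be identified by the Microsoft.HybridCompute provider in _ResourceId; the seven day lookback is an arbitrary choice.

```kusto
// Added example: latest known state of each Windows update on every
// Azure Arc-enabled server, covering both installed and required updates.
let lookback = 7d;   // assumption: adjust to your assessment cadence
Update
| where TimeGenerated > ago(lookback)
| where OSType == "Windows"
// Arc-enabled servers are Microsoft.HybridCompute/machines resources
| where _ResourceId has "microsoft.hybridcompute/machines"
// Assessments repeat, so keep only the newest record per machine and update
| summarize arg_max(TimeGenerated, *) by Computer, UpdateID
// "Needed" = required but missing, "Installed" = already applied
| where UpdateState in~ ("Installed", "Needed")
| project Computer, UpdateState, Classification, MSRCSeverity, KBID, Title, LastAssessed = TimeGenerated
| sort by Computer asc, UpdateState desc, Classification asc
```

To turn the detail into a per-server compliance count, replace the project and sort lines with a summarize using countif(UpdateState =~ "Needed") and countif(UpdateState =~ "Installed") by Computer.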

Inventory and Change Tracking

The change tracking is more interesting once the servers have been configured for a longer period of time, but we can force a change through

Use Inventory within the Automation Account created by Automanage to report on changes within the VMs managed by Automanage.

  • Review the Inventory on a Linux VM
  • Install the tree package on one of the Linux VMs
    • For Ubuntu: sudo apt update && sudo apt install tree
  • Review the change tracking
    • Explore the settings
  • Write a Log Analytics query (optional) to report on
    • the Python software versions installed on the Linux Azure Arc-enabled servers
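
One possible shape for the optional inventory query above, added here as an example and not part of the original hack material. It assumes Change Tracking and Inventory is writing to the ConfigurationData table in the workspace created by Automanage, and that the distribution's Python package names begin with "python".

```kusto
// Added example: Python package versions currently recorded in inventory
// for the Linux Azure Arc-enabled servers.
ConfigurationData
| where ConfigDataType == "Software"
| where SoftwareType == "Package"            // Linux packages
// Arc-enabled servers are Microsoft.HybridCompute/machines resources
| where _ResourceId has "microsoft.hybridcompute/machines"
| where SoftwareName startswith "python"     // assumption: distro package naming
// Inventory is re-sent periodically, so keep the newest record per package
| summarize arg_max(TimeGenerated, CurrentVersion, Publisher) by Computer, SoftwareName
| project Computer, SoftwareName, CurrentVersion, Publisher, LastSeen = TimeGenerated
| sort by Computer asc, SoftwareName asc
```

Swapping the name filter for "tree" shows the package installed in the earlier step once the next inventory cycle has reported it.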

Azure Monitor Workbooks

Azure Monitor workbooks can provide visual dashboards for many aspects of operational management.

The Azure Monitor Community repository has many samples to get you started with basic and advanced workbooks.

  • Create an update assessment Workbook to visualize update compliance and detail missing updates

Success criteria

Screen share with your proctor to show that you achieved:

  1. Successfully onboarded the Azure Arc VMs with Automanage
  2. Deployment schedules are in place for both security and full updates
  3. Report on the current update compliance state for all Azure Arc virtual machines
  4. Show the inventory and update history
    • software and services on Windows
    • Windows Services and Linux Daemons display in the inventory
    • show a change in installed software
  5. Show update compliance with an Azure Monitor Workbook
