
Register an existing Windows server to Azure Arc

· 5 min read
Hasan Gural

This article explains how to register an existing physical or virtual machine running Windows with the Azure Arc control plane using a short PowerShell script.

To register existing Windows servers with Azure Arc, the Azure Connected Machine agent must be installed on each machine you plan to connect. Before starting, make sure you have the following:

  • Microsoft Azure Subscription
  • Azure CLI version 2.15.0 or higher
  • Service Principal on Azure Subscription
  • Registration of the Azure Resource Providers (Microsoft.HybridCompute, Microsoft.GuestConfiguration)
  • Resource Group where the connected resources will show up
  • Agent network requirements

I assume you already have an Azure subscription so you can follow the steps in this article. If you do not, you can claim a free subscription on the Microsoft Azure website. Once the subscription is sorted, the next step is installing the Azure CLI on your management box. Bear in mind that you can run the following steps in Azure Cloud Shell as well.

Install Azure CLI version 2.15.0 or higher

Use the command below to install the Azure CLI on your management machine.

$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi

Alternatively, you can install the Azure CLI with the Chocolatey package manager. Here is the command for those who prefer Chocolatey:

choco install azure-cli
Info: If you already have the Azure CLI on your box, you can confirm the version with az --version.

Service Principal on Azure Subscription

You might have an existing Service Principal that has access to your Azure subscription in your Azure AD tenant. If you prefer to use it, you can skip this step.

az ad sp create-for-rbac --name myAzureArcServicePrincipalName \
--role contributor \
--scopes /subscriptions/mySubscriptionID

Once you execute the Azure CLI command above (the trailing backslashes are Bash line continuations; in PowerShell use a backtick or put the command on one line), the output should look like this:

{
"appId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"displayName": "myAzureArcServicePrincipalName",
"name": "http://myAzureArcServicePrincipalName",
"password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"tenant": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
Info: If you decide to use an existing Service Principal for this prerequisite, ensure it already has Contributor access on the Azure subscription.
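The post assigns Contributor on the whole subscription; the following added example (not part of the original post) creates the service principal with the built-in "Azure Connected Machine Onboarding" role scoped to the Arc resource group instead, and stores the secret in Key Vault rather than leaving it on the console. It assumes the resource group and the Key Vault already exist; the vault name is a placeholder.

```powershell
# Added example (not from the original post): least-privilege service principal for Arc
# onboarding. Uses the built-in "Azure Connected Machine Onboarding" role scoped to the
# resource group instead of Contributor on the subscription, and puts the secret straight
# into Key Vault. Assumes the resource group and Key Vault exist; names are placeholders.
$subscriptionId = '<Your Azure subscription ID>'
$resourceGroup  = 'rg-arc-servers'
$spName         = 'myAzureArcServicePrincipalName'
$vaultName      = '<Your Key Vault name>'

$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$sp = az ad sp create-for-rbac --name $spName `
        --role 'Azure Connected Machine Onboarding' `
        --scopes $scope --output json | ConvertFrom-Json
if (-not $sp.appId) { throw 'Service principal creation failed; check the Azure CLI output above.' }

# Keep the secret out of scripts, shell history and screenshots
az keyvault secret set --vault-name $vaultName --name "$spName-secret" `
        --value $sp.password --output none

# Show only what the onboarding script needs (appId and tenant), never the password
[pscustomobject]@{ AppId = $sp.appId; Tenant = $sp.tenant; Scope = $scope } | Format-List

# Verify that the role assignment is exactly the one intended
az role assignment list --assignee $sp.appId --scope $scope --output table
```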

Registration for Azure Resource Providers

The following Azure CLI commands have to be executed against the subscription. Registration of these providers may take up to 10 minutes to complete.

az provider register --namespace 'Microsoft.HybridCompute'
az provider register --namespace 'Microsoft.GuestConfiguration'

Use the Azure CLI commands below to check the registration status:

az provider show --namespace 'Microsoft.HybridCompute'
az provider show --namespace 'Microsoft.GuestConfiguration'
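Because registration is asynchronous, a script that continues as soon as the register command returns can fail later when the first Arc resource is created. The following added example (not part of the original post) registers both providers and polls until each reports "Registered", with a timeout that is my own assumption.

```powershell
# Added example (not from the original post): register the two providers the post
# requires and wait until Azure reports them as Registered before moving on.
$namespaces  = 'Microsoft.HybridCompute', 'Microsoft.GuestConfiguration'
$timeoutMins = 15   # assumption: a generous bound; the post says up to 10 minutes

foreach ($ns in $namespaces) {
    az provider register --namespace $ns | Out-Null
}

$deadline = (Get-Date).AddMinutes($timeoutMins)
$pending  = [System.Collections.Generic.List[string]]@($namespaces)
while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
    foreach ($ns in @($pending)) {
        # registrationState is one of NotRegistered, Registering, Registered, Unregistering
        $state = az provider show --namespace $ns --query registrationState --output tsv
        Write-Host ("{0,-32} {1}" -f $ns, $state)
        if ($state -eq 'Registered') { [void]$pending.Remove($ns) }
    }
    if ($pending.Count -gt 0) { Start-Sleep -Seconds 30 }
}

if ($pending.Count -gt 0) {
    throw "Providers still not registered after $timeoutMins minutes: $($pending -join ', ')"
}
Write-Host 'All required resource providers are registered.'
```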

Creation of Resource Group for Connected Machines

This is a simple task that defines where connected machines will appear as resources in Azure. You can create the Resource Group in the Azure Portal or with PowerShell; it is up to you. I will choose UK South as the region.

New-AzResourceGroup -Name "rg-arc-servers" -Location "UK South"

Agent network requirements

The Azure Connected Machine agent communicates outbound to Azure Arc over TCP port 443. To register the operating system with the Azure Arc service, the machines need internet connectivity; a proxy server can optionally be used.

The table below, taken from Microsoft's Azure Arc documentation, lists the URLs that must be reachable in order to install and use the Connected Machine agent.

| Agent resource | Description | When required | Endpoint used with private link |
| --- | --- | --- | --- |
| aka.ms | Used to resolve the download script during installation | At installation time, only | Public |
| download.microsoft.com | Used to download the Windows installation package | At installation time, only | Public |
| packages.microsoft.com | Used to download the Linux installation package | At installation time, only | Public |
| login.windows.net | Azure Active Directory | Always | Public |
| login.microsoftonline.com | Azure Active Directory | Always | Public |
| pas.windows.net | Azure Active Directory | Always | Public |
| management.azure.com | Azure Resource Manager - to create or delete the Arc server resource | When connecting or disconnecting a server, only | Public |
| *.his.arc.azure.com | Metadata and hybrid identity services | Always | Private |
| *.guestconfiguration.azure.com | Extension management and guest configuration services | Always | Private |
| guestnotificationservice.azure.com, *.guestnotificationservice.azure.com | Notification service for extension and connectivity scenarios | Always | Private |
| azgn*.servicebus.windows.net | Notification service for extension and connectivity scenarios | Always | Public |
| *.blob.core.windows.net | Download source for Azure Arc-enabled servers extensions | Always, except when using private endpoints | Not used when private link is configured |
| dc.services.visualstudio.com | Agent telemetry | Optional | Public |
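A blocked endpoint usually surfaces only as a vague connect failure after the MSI is already installed. The following added example (not part of the original post) runs a preflight check on the target server: it opens TCP 443 to every non-wildcard hostname in the table and lists the wildcard entries separately, since those cannot be tested by name.

```powershell
# Added example (not from the original post): preflight connectivity check for the
# endpoints in the table above. Wildcard entries cannot be resolved as-is, so they are
# only printed as a reminder for the proxy/firewall rules.
$endpoints = @(
    'aka.ms', 'download.microsoft.com',
    'login.windows.net', 'login.microsoftonline.com', 'pas.windows.net',
    'management.azure.com', 'guestnotificationservice.azure.com',
    'dc.services.visualstudio.com'   # optional telemetry; treated as informational below
)
$wildcards = '*.his.arc.azure.com', '*.guestconfiguration.azure.com',
             '*.guestnotificationservice.azure.com', 'azgn*.servicebus.windows.net',
             '*.blob.core.windows.net'
$optional  = 'dc.services.visualstudio.com'

$failed = @()
foreach ($name in $endpoints) {
    # -InformationLevel Quiet returns a plain $true/$false instead of a result object
    $ok = Test-NetConnection -ComputerName $name -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    Write-Host ("{0,-40} {1}" -f $name, $(if ($ok) { 'OK' } else { 'BLOCKED' }))
    if (-not $ok) { $failed += $name }
}

Write-Host "`nWildcard endpoints to allow on the proxy/firewall (not testable by name):"
$wildcards | ForEach-Object { Write-Host "  $_" }

$required = $failed | Where-Object { $_ -ne $optional }
if ($required) {
    throw "Required endpoints unreachable on TCP 443: $($required -join ', ')"
}
Write-Host "`nAll required endpoints reachable on TCP 443."
```

Test-NetConnection does not use the system proxy, so on a proxy-only network test the same hosts through the proxy instead (for example with Invoke-WebRequest -Proxy). After installation the agent's own azcmagent check command performs the equivalent connectivity checks.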

Deploying the Azure Arc Agent on Windows Servers

To connect existing Windows servers to the Azure Arc control plane, use the script below.


# <--- Change the following environment variables according to your tenant, subscription and service principal --->

$env:subscriptionId ='<Your Azure subscription ID>'
$env:appId ='<Your Azure service principal application (client) ID>'
$env:password ='<Your Azure service principal password>'
$env:tenantId ='<Your Azure tenant ID>'
$env:resourceGroup ='rg-arc-servers'
$env:location ='UK South'

# Download the package
function download() {$ProgressPreference="SilentlyContinue"; Invoke-WebRequest -Uri https://aka.ms/AzureConnectedMachineAgent -OutFile AzureConnectedMachineAgent.msi}
download

# Install the package
msiexec /i AzureConnectedMachineAgent.msi /l*v installationlog.txt /qn | Out-String

# Run connect command
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
--service-principal-id $env:appId `
--service-principal-secret $env:password `
--resource-group $env:resourceGroup `
--tenant-id $env:tenantId `
--location $env:location `
--subscription-id $env:subscriptionId `
--correlation-id "d009f5dd-dba8-4ac7-bac9-b54ef3a6671a"

Warning: You will have to change the variables according to your tenant, subscription and service principal information, then copy the script to the machine you want to register with Azure Arc.

Once the script has completed, your Windows server appears as a new Azure Arc resource inside the resource group.
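The script above installs whatever the download returned, does not check the installer's exit code, and keeps the service principal secret in a plain-text environment variable on the server. The following added example (not part of the original post or of Microsoft's script) is a hardened variant: it verifies the MSI's Authenticode signature before installing, checks msiexec's exit code, prompts for the secret at run time, and confirms the result with azcmagent show. Placeholder values and the $env:TEMP paths are my own assumptions.

```powershell
# Added example (not from the original post): a hardened variant of the onboarding
# script above. It verifies the Authenticode signature of the downloaded MSI before
# installing, checks the msiexec exit code, prompts for the service principal secret
# instead of keeping it in an environment variable, and confirms the result with
# "azcmagent show". Values in angle brackets are placeholders; the $env:TEMP paths are mine.
$ErrorActionPreference = 'Stop'
$ProgressPreference    = 'SilentlyContinue'

$subscriptionId = '<Your Azure subscription ID>'
$tenantId       = '<Your Azure tenant ID>'
$appId          = '<Your Azure service principal application (client) ID>'
$resourceGroup  = 'rg-arc-servers'
$location       = 'UK South'

$msi = Join-Path $env:TEMP 'AzureConnectedMachineAgent.msi'
Invoke-WebRequest -Uri 'https://aka.ms/AzureConnectedMachineAgent' -OutFile $msi

# Supply-chain check: refuse to install a package that is not validly signed by Microsoft
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Remove-Item $msi -Force
    throw "Agent package failed signature validation: $($sig.Status)"
}

# Install and fail loudly on a bad exit code (3010 means success, reboot required)
$log = Join-Path $env:TEMP 'arc-install.log'
$p = Start-Process msiexec.exe -Wait -PassThru -ArgumentList "/i `"$msi`" /l*v `"$log`" /qn"
if ($p.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($p.ExitCode); see $log" }
Remove-Item $msi -Force

# Ask for the secret at run time so it never lands in a script file, env var or shell history
$secure = Read-Host -Prompt 'Service principal secret' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$azcmagent = "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe"
& $azcmagent connect `
    --service-principal-id $appId `
    --service-principal-secret $plain `
    --tenant-id $tenantId `
    --subscription-id $subscriptionId `
    --resource-group $resourceGroup `
    --location $location
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }
Remove-Variable plain   # drop the plaintext copy once the agent has consumed it

# Confirm the machine now reports as connected
& $azcmagent show
```

Run it from an elevated PowerShell session on the server being onboarded; the secret is still passed to azcmagent on its command line, which is how the agent accepts it, so it is visible to local administrators for the duration of that process.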