Chapter 3: Azure Arc for Servers (Windows & Linux)
Why hybrid server management matters
Let’s face it — cloud-only strategies are ideal, but not always realistic.
Enterprise IT environments are messy:
- Legacy Windows servers in colocation data centers
- Linux VMs in AWS, managed by a separate team
- Factory-floor machines running RHEL or Ubuntu with no public cloud access
- Dev/test VMs spun up in a lab with zero governance
These workloads won’t move to Azure overnight — or maybe ever. But the need to govern, secure, and monitor them remains.
Azure Arc for Servers is Microsoft’s solution to this reality — enabling you to bring external infrastructure into Azure’s management plane, without relocating or refactoring.
What is Azure Arc for Servers?
Azure Arc for Servers lets you project non-Azure Windows and Linux machines into Azure so they appear and behave like native Azure VMs. Once connected, they can be:
- Organized via resource groups and tags
- Secured with Azure Policy and Microsoft Defender
- Monitored with Azure Monitor
- Governed with role-based access control (RBAC)
- Automated using scripts, schedules, and Azure Update Manager
This is accomplished through the Connected Machine Agent, which securely links any machine — cloud or on-prem — back to Azure.
Agent Architecture
When you Arc-enable a machine, you install the Connected Machine Agent (azcmagent), which:
- Communicates securely over HTTPS (443) to Azure
- Connects using a Microsoft Entra ID (formerly Azure Active Directory) identity
- Registers the machine as a resource in Azure Resource Manager (ARM)
- Supports extensions for monitoring, compliance, and automation
This is a lightweight agent — no need for VPNs or custom infrastructure.
Additional components (optional):
Extension | Purpose |
---|---|
Log Analytics Agent / AMA | Send logs and performance metrics to Azure Monitor |
Dependency Agent | Maps service dependencies across VMs |
Guest Configuration | Enforce policy compliance via DSC |
Microsoft Defender Agent | Security threat detection & EDR |
How Identity Works
Azure Arc-enabled servers are first-class Azure resources, so they use Entra ID identities. This enables secure:
- Authentication to Azure services (e.g., Key Vault, Storage)
- Role assignments through Azure RBAC
- Centralized auditing
You can use:
- System-assigned managed identity (unique per server)
- User-assigned identity (shared across servers)
- Service principal (for custom automation scenarios)
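The identity flow above is worth seeing end to end, because it differs from an ordinary Azure VM. On an Arc-enabled server the managed identity is served by the agent's local Hybrid Instance Metadata Service (HIMDS), and the first request comes back as a 401 naming a challenge file that only root/Administrators and the himds group can read; the token is only issued once the caller proves it can read that file. The script below is an added example for this chapter, not code from the original post or from Microsoft. The environment variable IDENTITY_ENDPOINT and the localhost:40342 endpoint are the documented ones; the API version and the Key Vault placeholders in angle brackets are assumptions.

```shell
#!/usr/bin/env bash
# Acquire an Entra ID access token for an Arc-enabled server's system-assigned managed
# identity through the agent's local Hybrid Instance Metadata Service (HIMDS).
# Added example for this chapter; not code from the original post or from Microsoft.
set -eu

# The Connected Machine Agent exports IDENTITY_ENDPOINT on Arc-enabled machines;
# the fallback is the documented HIMDS listener. The API version is assumed from the docs.
IDENTITY_ENDPOINT="${IDENTITY_ENDPOINT:-http://localhost:40342/metadata/identity/oauth2/token}"
HIMDS_API_VERSION="2019-11-01"

# Percent-encode the resource URI for the query string (only ':' and '/' occur in
# Azure resource URIs such as https://vault.azure.net).
url_encode_resource() {
  printf '%s' "$1" | sed 's|:|%3A|g; s|/|%2F|g'
}

# Pull the challenge-token file path out of the 401 response's
# 'WWW-Authenticate: Basic realm=<path>' header. Handles CRLF and optional quotes.
parse_challenge_realm() {
  local header_line realm
  header_line=$(printf '%s' "$1" | tr -d '\r')
  case "$header_line" in
    *realm=*) ;;
    *) echo "no realm= in challenge header: $header_line" >&2; return 1 ;;
  esac
  realm="${header_line#*realm=}"
  realm="${realm#\"}"
  realm="${realm%\"}"
  printf '%s\n' "$realm"
}

# Minimal JSON field extraction so the script does not depend on jq.
extract_access_token() {
  sed -n 's/.*"access_token":[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Two-step exchange: the unauthenticated call returns 401 naming a challenge file that
# only root/Administrators and the 'himds' group can read. That file ACL, not the
# network, is what keeps unprivileged processes on the box from minting tokens.
# Prints the bearer token on stdout. Run as root (or as a member of the himds group).
get_arc_token() {
  local url challenge_header key_file
  url="${IDENTITY_ENDPOINT}?api-version=${HIMDS_API_VERSION}&resource=$(url_encode_resource "$1")"
  challenge_header=$(curl -sS -D - -o /dev/null -H 'Metadata: true' "$url" \
                       | grep -i '^www-authenticate:' | head -n 1)
  key_file=$(parse_challenge_realm "$challenge_header")
  curl -sS -H 'Metadata: true' -H "Authorization: Basic $(cat "$key_file")" "$url" \
    | extract_access_token
}

# Example consumer (vault and secret names are placeholders): read a Key Vault secret
# with the server's own identity, no stored credential anywhere on the machine.
read_vault_secret() {
  local token
  token=$(get_arc_token "https://vault.azure.net")
  curl -sS -H "Authorization: Bearer ${token}" \
    "https://<vault-name>.vault.azure.net/secrets/<secret-name>?api-version=7.4"
}
```

Source the file on an Arc-enabled server and call `get_arc_token https://vault.azure.net` (or `https://management.azure.com`) as root. The practical consequence for defenders is that group membership in himds, and the file permissions under the agent's tokens directory, are the local boundary for this identity; anything that can read those files can act as the server in Azure, so they deserve the same auditing as a credential store.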
Onboarding Scenarios
You can onboard a single machine manually or thousands at scale using automation.
Manual (Dev/Test)
Use Azure Portal or CLI to generate the onboarding script:
```shell
azcmagent connect \
  --resource-group ArcServers \
  --subscription-id <subID> \
  --location "eastus" \
  --resource-name web01-prod \
  --tenant-id <aad-tenant>
```
Automated (Enterprise)
Use:
- Group Policy (GPO)
- Ansible/Puppet/Chef
- System Center Configuration Manager (SCCM)
- Terraform or ARM templates
- Custom VM image with the agent pre-installed
Or through vCenter/SCVMM
Platform | Native Arc Support? | Onboarding Method |
---|---|---|
vCenter | ✅ (via Resource Bridge) | Arc Resource Bridge, or PowerCLI scripts |
SCVMM | ✅ (via Resource Bridge) | SCVMM scripts or policies |
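For the automated (enterprise) path listed above, the piece that matters most for security is how the onboarding credential reaches the machine and how little it can do. The script below is an added example for this chapter, not the portal-generated script and not code from the original post: it is the kind of first-boot or configuration-management hook you would push with Ansible, cloud-init, or a golden image, taking a service principal from environment variables the automation tool injects and tagging the machine on the way in. The ARC_* variable names and the tag keys are assumptions; the azcmagent flags are the agent's own.

```shell
#!/usr/bin/env bash
# At-scale Linux onboarding with a service principal, meant to be pushed by Ansible,
# cloud-init or a golden image's first-boot hook. Added example for this chapter; not the
# portal-generated script and not code from the original post.
set -eu

# Inputs arrive as environment variables injected by the automation tool, so no secret
# is baked into the image. Variable names are assumed for this example. The service
# principal needs only the 'Azure Connected Machine Onboarding' role on the resource group.
REQUIRED_VARS="ARC_TENANT_ID ARC_SUBSCRIPTION_ID ARC_RESOURCE_GROUP ARC_LOCATION ARC_SP_ID ARC_SP_SECRET"

# Report every missing variable at once instead of failing on the first one.
check_required_vars() {
  local name val missing=""
  for name in $REQUIRED_VARS; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing required variables:$missing" >&2
    return 1
  fi
}

# Tags in the comma-separated key=value form azcmagent accepts, built from facts the
# automation tool already knows, so each server lands pre-classified for RBAC and policy.
build_tags() {
  local environment="$1" owner="$2" datacenter="$3"
  printf 'environment=%s,owner=%s,datacenter=%s,onboardedBy=automation' \
    "$environment" "$owner" "$datacenter"
}

# Onboard this machine. Re-running is safe: if 'azcmagent show' already reports the
# agent as Connected, nothing is changed.
onboard() {
  local tags="$1"
  check_required_vars
  if azcmagent show 2>/dev/null | grep -q 'Agent Status.*Connected'; then
    echo "already connected; nothing to do"
    return 0
  fi
  # Route through the corporate proxy when one is defined (optional variable).
  if [ -n "${ARC_PROXY_URL:-}" ]; then
    azcmagent config set proxy.url "$ARC_PROXY_URL"
  fi
  # Pre-flight: confirms the agent can reach the Arc endpoints over 443 before
  # the service principal credential is ever presented.
  azcmagent check
  azcmagent connect \
    --service-principal-id "$ARC_SP_ID" \
    --service-principal-secret "$ARC_SP_SECRET" \
    --tenant-id "$ARC_TENANT_ID" \
    --subscription-id "$ARC_SUBSCRIPTION_ID" \
    --resource-group "$ARC_RESOURCE_GROUP" \
    --location "$ARC_LOCATION" \
    --cloud "AzureCloud" \
    --tags "$tags"
  # Show the resulting registration so the automation log records the resource id.
  azcmagent show
}

# Typical call from the automation tool, with facts it already holds (values constructed):
# onboard "$(build_tags prod platform-team dc1)"
```

Two points of design: the onboarding service principal is scoped to a single resource group with the onboarding role only, so a leaked secret from a lab VM cannot read or change anything else in the subscription, and the secret is passed at run time rather than written into the image, which is the failure mode that turns "dev/test VMs with zero governance" into a credential-disclosure problem.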
What you can do with Arc-enabled servers
Once onboarded, these servers behave like Azure-native VMs. Key capabilities include:
✅ Inventory & resource group management
- Organize machines using tags, naming conventions, and management groups
- Easily filter or query across environments using Azure Resource Graph
- Centralized metadata helps track ownership, environment, and lifecycle
✅ Azure policy & guest configuration
- Apply compliance policies across all servers:
- Enforce password complexity
- Ensure antivirus is running
- Detect unauthorized services
- Leverages DSC (Desired State Configuration) under the hood
Policies work in Audit, Deny, or DeployIfNotExists modes — even across Linux and Windows.
✅ Security with Microsoft Defender for Cloud
Arc makes it easy to:
- Monitor system vulnerabilities
- Detect threats (malware, brute-force attacks)
- Receive security recommendations
- Integrate with Microsoft Defender for Endpoint
✔️ Servers receive a Secure Score just like native Azure resources
✔️ Compliance can be assessed against standards such as CIS, NIST, and ISO 27001
✅ Logging and monitoring
- Forward logs and metrics to Azure Monitor and Log Analytics
- Create centralized dashboards for hybrid environments
- Set up alerts and workbooks for proactive operations
This enables consistent observability across your on-prem and cloud VMs.
✅ Update management & automation
- Use Azure Automation or Automanage to patch and configure systems
- Schedule maintenance windows
- Apply configuration baselines
- Push scripts or runbooks from a central location
Disconnected mode & failover behavior
If a server becomes disconnected (e.g., network down, proxy issue, powered off):
- Azure marks it as Disconnected in the Portal
- Guest configuration continues locally using cached policy (up to 14 days)
- Monitoring and logging stop until the connection resumes
- Policy and extension changes do not apply during downtime
🛠 You can trigger alerts for disconnected machines using Azure Monitor.
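Because policy and extension changes silently stop applying to a disconnected machine, a list of servers that have been Disconnected for longer than your tolerance is a useful daily check alongside the Azure Monitor alert. The script below is an added example for this chapter, not code from the original post: it builds the Azure Resource Graph query and runs it through the Azure CLI (`az graph query`, from the resource-graph extension). The status, lastStatusChange and osName properties are the ones the Microsoft.HybridCompute/machines type exposes; the 24-hour default threshold is this example's choice.

```shell
#!/usr/bin/env bash
# List Arc-enabled servers that have been Disconnected longer than a threshold, using
# Azure Resource Graph through the Azure CLI. Added example for this chapter, not code
# from the original post.
set -eu

# Build the KQL for a given threshold in hours (default 24). The threshold is validated
# because it is interpolated into the query text.
disconnected_query() {
  local hours="${1:-24}"
  case "$hours" in
    ''|*[!0-9]*) echo "hours must be a non-negative integer, got '$hours'" >&2; return 1 ;;
  esac
  cat <<EOF
resources
| where type =~ 'microsoft.hybridcompute/machines'
| extend status = tostring(properties.status),
         lastStatusChange = todatetime(properties.lastStatusChange),
         osName = tostring(properties.osName)
| where status =~ 'Disconnected' and lastStatusChange < ago(${hours}h)
| project name, resourceGroup, subscriptionId, osName, lastStatusChange, tags
| order by lastStatusChange asc
EOF
}

# Run the query and print one TSV line per machine. Exits 2 when anything is found so
# a cron job or pipeline step can open a ticket; 0 when the estate is clean.
report_disconnected() {
  local hours="${1:-24}" rows
  rows=$(az graph query -q "$(disconnected_query "$hours")" --first 1000 \
           --query "data[].[name,resourceGroup,osName,lastStatusChange]" -o tsv)
  if [ -z "$rows" ]; then
    echo "no Arc servers disconnected for more than ${hours}h"
    return 0
  fi
  printf '%s\n' "$rows"
  return 2
}

# Usage after 'az login' with read access to the subscriptions in scope:
# report_disconnected 24
```

A machine that drops off for days is either decommissioned and should be deleted from Azure (so its identity and RBAC assignments go with it), or it is still running with stale policy and no log forwarding, which is exactly the blind spot a hybrid estate exists to close.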
Integration matrix
Azure Service | Arc Integration Description |
---|---|
Azure Monitor | Logs, metrics, alerts |
Defender for Cloud | Threat detection, recommendations, security score |
Azure Policy | Guest configuration compliance |
Azure Automation | Script execution, update management |
Azure Lighthouse | Cross-tenant delegated Arc resource management |
Azure Resource Graph | Unified queries across Arc and Azure-native servers |
Azure Automanage (Preview) | Automated configuration and best practice application |
Summary
Azure Arc for Servers transforms your hybrid VM estate from “invisible” and inconsistent to governable, secure, and observable.
It brings:
- Azure-native features to non-Azure machines
- Centralized governance across clouds and data centers
- Enhanced security and policy enforcement at scale
- Unified tagging, monitoring, and automation
No VPN. No re-platforming. Just Azure management where your workloads already run.
Have questions or improvements about onboarding servers or building a scalable Arc deployment model? Drop them in the comments or connect with me.