G'day viewers. My name's Oren Thomas and with me is... Hi everyone, I'm Sonja Cuff. I'm a cloud advocate based in Brisbane, Australia and Oren's joining me from a little further south on you, Oren. I am a principal hybrid cloud advocate based in the not so sunny city of Melbourne in Victoria, Australia. Anyway, today we are going to be doing a Learn Live session, Manage Hybrid Workloads with Azure Arc. So, what we want to talk about right from the beginning is that this module and this whole Learn Live Study Hall series is loosely associated with this brand new certification that Microsoft announced, the Windows Server Hybrid Administrator Associate. And this certification is made up of two exams, AZ-800, Administering Windows Server Hybrid Core Infrastructure and AZ-801, Configuring Windows Server Hybrid Advanced Services. And what Sonja and I will be talking about today with regards to managing hybrid workloads with Azure Arc is associated with the second functional group of that first AZ-800 exam, Manage Windows Server Workloads in a hybrid environment. Sonja, are you thinking about taking this exam or these exams? Look, I think I have to. I'm actually really excited about these. One, because we've got Windows Server content in the exams, which is amazing. But also, I think that often people think that certification is a thing that you just go and do if you're looking for a new job. We have some people who jump on every exam certification as soon as it comes out and they're like collecting them all like Pokemon. A lot of IT pros get really busy doing the work that they're doing day to day and like don't think that they've got time to go and do an exam because they're happy in their role and they're just too busy. 
So it's really nice to see that this particular topic, if you're managing a hybrid infrastructure environment where you've got servers in the cloud and servers that aren't in the cloud, not only do you get the chance to learn how to operate and manage that to help you with your job on a day to day basis, but it does also form one of the components of the exam. So you're learning for sort of both reasons at the same time, which is great. And one of the things I'd like to remind people about exams and we saw this sort of over the last sort of year or so where a lot of people ended up sort of transitioning out of roles that they've been in. It's very well and good to sort of sit there and say, look, I understand about this topic. I know about this topic and have that on your resume or on your CV. But one of the things that recruiters and as recruitment becomes more automated are looking for is they're looking for some sort of attestation of skills to get you far past that barrier of recruitment. And something like a certification that basically attests to you actually having a set of knowledge. Well, yes, you pass the exam, but really what that's going to do is going to get you a bit further along in the process and actually systematize your learning. Anyway, so what we're interested in today and what the learning objectives are for this particular exam are the following. We're going to start by describing Azure Arc. Then we're going to explain how to onboard your on-premises Windows Server instances into Azure Arc. So basically, how do you get a server that doesn't know about Azure at all to be visible inside your Azure environment? We're then going to talk about connecting hybrid machines to Azure from the Azure portal. And then once they're connected, we'll talk a little bit about using Azure Arc to manage those devices. So we're connecting them for a reason and there's some functionality that we get that we can use from the cloud to help manage those servers. 
And then we're going to actually talk about restricting access using role-based access control. Now, the thing about this particular session is that this is a Learn Live session. And what a Learn Live session is, is us actually going through a Microsoft Learn module. So Sonja, what's the difference between a module and a learning path? That's a really good question. If you haven't touched the Microsoft Learn environment before, basically the structure is a module is a bite-sized topic. It usually teaches you one thing or maybe a couple of things that are related. But by doing a module, you're stepping through different units and the unit is just a page. And then when you complete that module, you'll get a little achievement for having completed that one module. Now, some of our content is just a single module long, but some of our content, we actually put more than one module together. And if it's content that spans across more than one module, that's called a learning path. And so you can do a learning path with different modules in it and get a different achievement. But it just, it's this bite-sized learning, right? So if you don't have time to sit down and watch something that's an hour long, you can just jump in and do modules and learning paths at your own pace and go back and complete them when you've got the time to. You know, we all know what it's like in IT pro life when you're busy trying to learn something. And you get to help this call or the phone rings or whatever you've got an immediate seat. So this is a really great way of just doing some bite-sized training. Drop it if you need to come back and pick it up later. So another way of understanding the way that Microsoft Learn works is that many of you will be interacting with Microsoft information resources because you'll have a problem that you need to solve. 
And you're sitting there tearing out your hair, if you've got it, by basically throwing in a search engine query and then hoping that you get the relevant bit of technical information that tells you how to solve the thing that you need to solve right now because everything's on fire and it's a problem. Watch. That's Docs. Now, what we've got with Learn is Learn is sort of we go and build a narrative around a set of fictional problems or a set of fictional challenges. And we tell you a bit of a story as we're telling you about how these technologies all fit together. So Docs is almost like the discrete bit of information. And then Learn is about how it all comes together. And then what we're doing here in Learn Live is we're really just two good mates gabbling on about a particular module and what they think as we work through it. So that you're more introduced to this platform and you sit there and go, oh, actually now I understand how the platform works. I'm going to use it as my own self-directed learning rather than sort of learning necessarily for a strict. I need to learn this thing right now because I need to solve this problem that's right in front of me. Yeah, absolutely. And these Learn Live sessions are absolutely interactive. So if you like the fact that when you used to go into a classroom if you prefer instructor-led training, where you go and sit and someone explains things to you and then you do some exercises that they're there to help. You can ask questions if you're not quite sure what something means or you can start to make those context bridges between what you're learning and what you already know. So how does this apply to my particular environment? This is where Learn Live is so great because now you get the chance to follow through in the Learn module but have us here as your instructors. So if you've got any questions, please join in the chat. We will see them and we will endeavor to ask them. 
So now is your opportunity to have the best of both worlds and instructor-led training and some Learn modules. Okay, so let's get into the module itself. So we start off and we've got a brief introduction of what it's about, which we've already covered. And then we come into a scenario and in the scenario we're talking about Contoso. So here it's giving a whole lot of context about what Contoso does and where they are and so on and so forth. But probably the most important part of this particular area is this here, Sonja. And why is this really important for what we're talking about? This is really the essence of why Azure Arc exists. It's talking about the fact that Contoso will continue to operate an on-premises environment for some time. So they're not looking at the cloud as being the end state. They are not necessarily going to take all of their workloads and migrate them to the cloud and turn off all their on-prem servers. And so whether it's a short-term thing or even a long-term thing, we do have customers that have valid reasons to keep workloads on-premises. Now that poses a problem when you're an IT pro because now you've got two different environments to manage. And sure the operating system might just be Windows Server and Windows Server is Windows Server no matter where it is. But if you're putting Windows Server in different environments, you've got virtual servers on hardware inside your own data centers. You may have servers in somebody else's cloud. And you've got servers in Azure as well. You've now got different management tools for those different environments. And when you're managing something like Windows Updates or when you're trying to see if you're compliant with certain security standards, nobody cares where those servers are. They just need to know that your organization is up-to-date and compliant across the entire environment. So this is really where hybrid comes into play. 
The acknowledgement that a hybrid state for a customer potentially is a long-term thing. And Azure Arc is just one of these little nudges to help you manage those servers no matter where they are. I also just want to call out the fact that even in this scenario, Contoso is a medium-sized financial services company. Azure Arc in this hybrid model works for anybody, whether or not you're the smallest customer who just can't deprecate that other server yet because it's got that line of business application on it that just won't move and be compatible with the latest versions of Windows Server. We know we've got them right through to some of our largest customers. So don't necessarily think that just because Contoso is a medium-sized financial services company, that that's the only kind of customer that would have a hybrid environment. And this Azure Arc stuff works no matter what size customer you are. And to reiterate what Sonja said, look, hybrid is a steady state. And one of the things that we do want to get across to you and one of the things that sort of reiterated through these certifications is this idea that in adopting some cloud technologies, it doesn't mean that you're all the way going all the way to the end and that you end up with everything in the cloud. It's quite possible that you're only going to have a little bit of cloud and the right amount of cloud for hybrid is the right amount of cloud for you. And let no one tell you how much cloud you have to have. You figure out how much cloud your organization needs. Okay, so the way that this is structured is it gives the learning objectives, which Sonja and I already went through. And then we've got a bunch of prerequisites. And these prerequisites are what we might call aspirational, but you don't actually need all of these things to do the Learn module. If there's something that you encounter on the way through the module, absolutely. And you don't understand it, go and look it up. 
But if you see these prerequisites and you don't meet all of them, don't worry too much. And we won't spend too much time because we really should get into the rest of the module. So first part, we're starting here with describing Azure Arc. Sonja, would you like to give us a description of what Azure Arc is? Azure Arc, to me, as I mentioned, is this service that provides the ability for you to manage resources that aren't in Azure from Azure itself and using Azure's management tools. Now, this particular learning module will focus on Windows Server and what we call our Azure Arc for servers product. But there are other things like Kubernetes clusters and Azure Data Services as well. So it's all about making sure that we have visibility of those kinds of resources that aren't in our Azure Cloud natively, but we can see them inside Azure. And if we can see them inside Azure, that means that we can use this Azure Fabric Controller and the Azure Resource Manager to be able to analyze the configuration of these systems, see what's happening with them, monitoring them and checking them for policies, those kind of things. So that kind of Fabric Controller, that control plane, is only going to keep on growing in terms of its capability as we build in more tools and systems to help you manage the resources that you've got in the cloud. Now you can bring in those other resources that aren't in the cloud as well and they can benefit from the new advances that are coming out in that area. And that's one of the really important things that Sonja sort of touched on earlier and that we want to sort of reiterate is this idea that you've got your resources wherever they will be in the world. And as we go forward in the future, we've gone from this sort of model where we had everything sort of sitting in the server room. 
You know, when I started, there was a small room upstairs from the office in which I work, which was an old storeroom that had been converted into a server room. And that's where all of the IT assets for the particular department I worked for lived. And what's happened is as time goes on, assets are ending up everywhere. And the more distributed your assets are, the more challenging they are to actually manage. But what Azure Arc brings to the table is that Azure Arc allows you to go and connect all of those things into a single management paradigm. Sorry for using the word paradigm. I might even use the word synergy at some point. But absolutely allows you to do all of these things. And where Azure Arc is at the moment, is it starting to do some of these things? And we're talking about some of the things it starts to do. In terms of, for example, looking at the configuration of the systems that you've connected to it. But you can imagine going forward that when you've got this amazing control plane, you've got this ability to then do all of the things that you need to do wherever those endpoints are anywhere in the world. So there's also another model with cloud that we're not talking about so much in this particular module. But it'll be in other parts of the hybrid Study Hall, which is the bottom-up management. That's where you're using on-premises your management plane. And then you're reaching out using things like Windows Admin Center to go and control again resources running in other locations. So Azure Arc's capabilities, we've got two things here that we're going to cover specifically in this module. We're going to talk about guest configuration and support for resource context to access Log Analytics data. Sonja, can you help me understand what any of that means? Absolutely. So the interesting thing about IT pro life is the evolution of how we do things. 
And I think when you have a look from the early days of Windows servers till now, the things that we do in terms of updating, monitoring, managing like all of that kind of stuff, we're doing in essence the same things. We just have different tools and we're doing them differently. And Azure Arc is a love to your story about the servers in the data center. It didn't take long before I was managing servers from an RDP session instead of physically going have to stand at the server and log on to it. And now Azure Arc is kind of the next evolution with these cloud management tools of going stop RDPing to your servers because you can do all this stuff at scale through these other tools. Can we bring that slide back up again? As you said, Azure Arc is early days yet and we have some capabilities and we'll explain what those are a little bit. So Azure Policy Guest Configuration. Now, Azure Policy is this thing inside Azure that lets you determine what the rules of engagement are in essence for your organization. What do you want your resources to look like? Are there any restrictions you want to put on people putting resources into the cloud or how those resources are configured? That might be security standards for the cloud. It might be things like the location, the Azure region of where resources can be deployed. And then there's a whole bunch of Azure policies around things like cost management. So from a virtual machine perspective though, and especially for an on-prem VM, which obviously isn't going to incur costs as a virtual machine in Azure because it's running on your own hardware and your own premises. What we're doing is we're looking at the configuration of the operating system of that virtual machine. And so the virtual machine is known as a guest because the piece of hardware that it's sitting on is our host. So our host is running some form of operating system down at the host level. 
And then virtual machines sit on top of that and they have their own operating system that is configured. So that's known as the guest operating system. And that's why our Azure Policy Guest Configuration is basically just saying it's Azure policies that relate to the configuration of the operating system inside those guest virtual machines. In reality, when you're onboarded with Azure Arc, it's not really too different from looking at the configuration of Windows Server inside the Azure VMs. It just happens to be that these VMs aren't inside Azure as we've discussed. Now, the next one, the bit, sorry. Oh, no, I was going to say, and the other part of the reason why you're actually so, why you should be completely obsessed about the configuration of your workloads is that when your workloads drift from that configuration, that's when, you know, stuff might be going wrong. Whereas if it's absolutely lined up and it's all the ducks are in a row and the ducks are marching to the beat, the ducks aren't going to get out of place. So when those ducks start wandering off. And you often don't know that they've wandered off, right? Because every Windows Server you have ever built was built to the documentation. Like someone decided this was your organizational standard and it was either literally written in a Word doc with the screenshots of the settings or it was scripted. So they're all built beautifully. It's what happens when other people come in and time runs and people go and make changes to fix problems and then who knows where the heck your configuration is. So yeah, that's another really good function of Azure Policy Guest Configuration. So the other thing that we mentioned in terms of Azure Arc capability was resource context access Log Analytics data, which is a bit of a mouthful. So let me break it down. Log Analytics is a space inside Azure that is going to collect data from your on-premises servers about what's going on with that server. 
And so what we're doing when we're querying stuff quite often is we're querying Log Analytics and we're getting the data out of that workspace to be able to look at our configuration and our reporting and monitoring. Now, the challenge with that is that if this server was never in the cloud, now you are putting information that is about that server into the cloud. And they can include things like activity logs, those system logs that may reference application names and user names and who knows what inside these logs. And so now we are putting data from on-prem into our cloud environment. And that is one of the things that people are the most nervous about, especially for workloads that they believe need to be on-prem because of compliance and regulation issues around what data can and can't be in the cloud. So we're not putting the entire server in the cloud, you're not sucking up your data directory and putting that in there, but you are feeding information from the logs of these servers into this Log Analytics workspace in the cloud. Now, if you give all of your cloud admins access to all of the information inside your Log Analytics workspaces and if there are other services that can access that, that kind of opens up the gates a little bit more into who can see what about the server when they wouldn't necessarily have had access to it when it was on-prem. And so with this resource context type of restricted access, we can make sure that the Log Analytics data is only being accessed by the systems and the services that need to access that particular piece of data. So it's about giving us this more granular level of control about who can access the data that's coming through from these on-prem servers. Okay, so the other thing that's sort of important and one of the other good things about the way that Microsoft Learn works is that often you'll see these links into additional reading. 
So let's say that you've just gone through this and you're sitting there thinking, oh my gosh, I don't understand what this conceptual thing is. I don't understand what Azure Resource Manager is. I'm not sure what Azure Arc for servers is. So this will allow you to sort of go out and jump. It's sort of like if you go back to the early days when we were reading just books and we'd have footnotes in books and the footnote would tell you the next book that you need to read and then you need to wander off to the library. Well, here you can just have it in another tab and you can come back to it or you can jump to that other tab, read it and then come back. So let's talk about the process of onboarding Windows Server instances. Now onboarding doesn't mean it's getting onto a boat because that's what I think of when you get on board or onto an airplane or something like that. But when we're talking about onboarding, what we're not talking about is importing, as Sonja said, the whole server lock, stock and barrel into Azure. What we're doing is we're going to connect that resource wherever it is in the world into Azure so that it can be managed and viewed as part of Azure Resource Manager. So if it's a physical VM running in an on-prem data center, it's registered with Azure Resource Manager. If it's a VM running in someone else's cloud, it's still registered with Azure Resource Manager. And you can have a VM that's running in someone else's cloud, but providing all of that telemetry, your ability to view its configuration and do stuff against it, even if you're in Azure. And again, that's one of the things to understand about Microsoft is that we as a company have been talking about servicing a variety of different locations for decades at this point. 
We haven't approached all of your resources being in our own environment all of the time, which is what a lot of our competitors have done because they've sort of started off from the ground up with the, I'll come and run your workloads with us when you're doing new workloads, whereas we've got an existing customer base, some of whom have got workloads that have been running for decades, and we need to find a way of integrating them. So in terms of deploying Azure Arc to on-premises computers, there's a bunch of things that you need to do, and we're actually going to go through a demonstration of how this works. But it tells us here that before we actually can register a virtual machine or a physical server, we must install the Azure Connected Machine agent on the operating system targeted for the ARM-based management. That is that it's not something that's actually built into the operating system. It's not like, you know, you go Add/Remove Programs, click on this feature that you want to install like you're going to install the WinServer on Windows Server. You actually have to go and acquire that. Then you've got this ability to select a method and you'll see all of this when we go through the demonstration. All of this is basically screenshots of different aspects of the demonstration that we're about to go through. And this is, again, one of the cool things about Learn is that in Learn, we'll often tell you how to do a particular thing. In some times, we'll actually give you a sandbox environment where you can actually do it against a virtual environment. And in others where that's just a little bit complicated, we'll actually give you a narrated video demonstration. So in this case, this Learn module, if you're taking it on the web, actually has a video narrated by a guy that we know from Switzerland who likes stealing other people's chocolates. 
And he will actually talk through the process of doing what Sonja and I are going to talk through in a moment. Okay, so Sonja, tell me a little bit about the Azure Arc for servers agent. So as you said, the Azure Arc for servers agent is a little piece of software that we do need to install on these servers. It's the only way of getting them to see Azure through this control plane and the way for Azure to communicate back to them as well. So there's a small piece of software that needs to be installed. If you're getting a little bit confused because on one hand we're talking about installing a piece of software that's an MSI file. And then on the other hand, we were talking about scripting. The way that the script works, and we'll show you how this works, is the script automates some of the installation process with some of the variables that you are going to put in. But it's important to remember that this Azure Arc for servers agent, it's available for both Windows and Linux computers. It doesn't matter if they're on-prem or if they're in another cloud. And this just gives you an idea of the current state of the minimum software versions that that is supported on. So you can run it on Windows Server 2012 R2. I'm very sorry if any of you have got Windows Server 2008 out there. I'm sure that none of you do. So it's not even a consideration that you will have to be at least Windows Server 2012 R2 to run it on Windows. And it does include Windows Server Core, which is great because if you've done anything with Windows Server, you know that Server Core doesn't have the desktop GUI-based components. And there are some things you can't do from Server Core, but you can onboard your Windows Server Core VMs into Azure Arc and install this particular agent, this piece of software on them. But it also includes things like Ubuntu, CentOS, SUSE, Red Hat, and Amazon Linux 2 as well. 
So Amazon's particular configured flavor of Linux is supported for onboarding those machines as well. I'm glad you said no one's got Windows Server 2008 R2. I'm sure they don't. Maybe we should ask them in the chat. I think of drink as well because that was going to wind up a lot of them are keyboard. Anyway, tell us in the chat if you're still running 2008. I don't think that we can tell well. If we've been realistic. Anyway, in terms of the permissions you need to do this, there's sort of two things that you need to think about when you're configuring Azure Arc for servers. You've got to have first the ability to onboard machines. And that when you're thinking about how you do this, always remember that you want to do things in the most secure way possible. And the way that you do things in the most secure way possible is you implement role-based access control and the principle of least privilege, and the principle of least privilege is I should only give you the permissions you need, not the permissions you might necessarily want. Because in the old days, you either had super permissions or super user permissions or no permissions. And there was no real difference in between. So in this case to onboard the machines, that is connect them into Azure Arc or to connect them to Azure, you need to be a member of the Azure Connected Machine Onboarding role. So that's a role that you could assign just to an account for someone who's going to onboard a machine. Because one of the things that you'll see in the demo is that when we run the script to download the agent and connect, we actually have to come into Azure in the browser and be logged in and put a code in. And that code then authorizes that computer to be connected to that particular workspace and that particular subscription. So you need the ability to be or need permissions that are a member of that role. 
Of course, if you're a member of the Global Admins role, you can do absolutely everything, but you do not want to give, you know, Barbara the help desk person or Barbara the server onboarding person the ability to go and do everything if all Barbara needs to do is go and onboard 10 servers. Then once they're onboarded, you want to be a member of the Azure Connected Machine Resource Administrator role. If you actually want to view the properties of that machine or modify it or re-onboard it or delete the machine. So it's not something one is the hey, this is all you do need to do to connect and sort of like with Active Directory that you only need to be a user in Active Directory to actually domain join a machine. You don't actually need higher level permission to just join the machine; actually doing anything beyond joining the machine, that's something else. So you'll see us go through a particular process and this says that you install the agent in three different ways, double clicking, running the Windows Installer package and what you'll see us do in the demo, which is running it from a PowerShell session. And when it's installed, the following evidence exists of the installation having occurred. Now, Sonja, why is it important to actually know what it would look like on the server side once this is installed? I really like how this particular module does actually expand that out. When this agent installs your server is going to look when you look at your server pretty much like it looked before you installed the agent. So it's kind of hard to tell just looking at the server whether it was successful or not. But this actually breaks down and says these are the new folders you'll have. This is the new service that you'll have that should be running. So it's all of these success things that I would go and check to see if this is installed successfully. Now, installing it via the script should give us a success message and we'll show you that in the demo. 
But if I'm just running the MSI or if I get distracted and I don't see the script finish and the window closes, these are sort of my evidence that it did install successfully on this computer. So those are the services and the files that you need. Also useful if you do any kind of restriction on your servers in terms of what folders and things are allowed to run as well. So it does break down and give you all of those details. It's always important to know what sort of traces something like this leaves. Because if you're coming into an environment where someone's already gone and onboarded these systems and then let's say, and we'll talk about this right now, sort of that there is a heartbeat that occurs and that every five minutes, a server will either talk directly to Azure or will talk through your proxy up to Azure. And if it's not talking, it'll be disconnected. So let's say that you come into an environment or you're a consultant, you come into someone else's environment and you're looking at it and you see all of these disconnected servers. Well, there could be a lot of things going on. But one of the things that you might have to do in terms of your detective work is actually go and figure, has this virtual machine been reset back to an original configuration? And that endpoint is no longer there. So you could have a server with that name sitting in your data center. Azure Arc thinks it has been connected at some point but it's listed as disconnected. But when you go and look at it, you're going to see Program Files, Azure Connected Machine Agent and that directory doesn't exist. Someone deleted the folder. That never happens, does it? Someone deletes an error in the folder because they don't think that it's needed. Or, you know, you could have had a colleague who might have completely bought the server and then redeployed it and then never got around to reconnecting it to Azure Arc. 
So what we will show you here, and this is just the procedure outlining the steps that we're actually about to go through, is what it looks like to go and connect a virtual machine to Azure Arc from the portal. So what Sonja and I will do now is we're actually going to walk you through this process. So here we are in the Azure portal, and we're doing this through the magic of television, because with any operations demo, things can take a while to actually cook. So we're sort of doing a cooking show approach where we've prepared it earlier. Anyway, so the first thing we start off with is that we go up to the search bar and we look for Azure Arc and we click on Azure Arc. And this brings up the Azure Arc section of the Azure console. So what we're going to do then is we're going to choose between one of the following options. We're going to choose either manage servers, register a cluster, manage clusters, or run data services anywhere. Sonja, where do you think we're going to go? Look, we've been talking about Windows Server in this module. So I guess servers. OK, so let's go and click on manage servers. This brings up the machines, Azure Arc part of the portal. Now in this particular demo, and one of the things that we do in a lot of Learn stuff is that we really take you in from the beginning. We're not walking you into an environment where 500 things have been registered from the beginning. We're starting off with nothing because we want to show you this process. And of course, when you're coming in with new technologies, always do a pilot, always play around at the shallow end of the swimming pool before going much further into the deep end. So we've got two different ways that we can add our first machine. We've got a big blue button that says Create machines, Azure Arc. And then we've got that plus Add button right up the top of the console. So Sonja, what's the difference between these two and which one should I click?
Look, I know that Azure's favorite color is blue. I was brought up in tech to not touch big blue buttons because that was literally the IPL, the initial program mode that would reset the mainframe controller, and don't touch the blue button. It was a very common phrase inside the banking that I was working in. However, I'm pretty sure that the Azure portal wouldn't put a big blue button there if they didn't want me to click on it. And this is really just a way of the Azure portal to really highlight and put in your face how you get started, right? So that blue button is going to disappear once we get one server in there. But really, it does exactly the same thing as the plus Add. And I want to tell you to press the blue button, but I don't think you're going to. Are you? No, I'm not. I'm going to press the big blue, the big Add button. But one of the jokes I like, Paul for right tells, when it comes down to the name Azure. He says, what color is the sky without clouds in it? So we click Add there. And now we've got the option of either adding machines using an interactive script, where it will build the script for us and then we just copy it and paste it into the server, or we can add machines at scale. Now, because we're doing this for the first time, we're probably not going to, you know, let's crawl before we walk and certainly walk before we start to run. So what we'll do is we'll click Generate script. But the other thing that you can see here is that there is a Learn more bit of the screen that we can click on. And that will actually lead us into the documentation. So one of the other things that Microsoft is trying to do with the Azure portal is to make sure it's as documented as possible so that you can click on stuff. And then you can learn more about what's actually happening if you're a bit confused, so that it's self documented. It's not that you actually have to understand exactly how to fly the nuclear submarine before you get into it.
You can kind of figure it out as you go along. So what we do here is we click Generate script. So what it'll do here is it'll give us a wizard or a dialog box or a page that allows us to answer a set of questions. The first thing is what subscription are we going to use. Then we have to choose a resource group and a region. So Sonja, what should we be thinking about when it comes down to resource group selection and region selection when it comes to Azure Arc and onboarding these machines? Yeah, I'm going to ask you a question, but I'm just going to acknowledge that Eric has asked us a question in the chat about network requirements. Eric, we're going to get to that in a second, because in this particular section we talk about proxy server at the bottom. So we'll talk about that in networking requirements in just a moment. But you mentioned that this particular screen is going to ask us for a subscription and a resource group and a region. And they are very Azure things. So if I'm not moving this entire virtual machine into Azure, why do I need to specify this stuff? A couple of reasons. One being, when we are putting these machines into Azure, in essence we are creating a thing inside Azure that represents this virtual machine that we have somewhere else. And because we're creating a thing inside Azure, it needs somewhere to live. It needs a home. And all of our things inside Azure live inside a subscription. And it's a good idea to put them all into resource groups. They've got to live inside a resource group. Now, how you put them into resource groups and which resource groups you put them in is really up to you. When we talk about cloud resources, we talk about putting ones that have got a similar lifespan, in terms of ones that you would spin up and decommission around about the same time, that are all related, into a resource group.
So a virtual machine in Azure would have the virtual machine itself, the storage, the networking, all of those different kinds of components inside the one resource group, because they are all related to the lifespan of that virtual machine. How you want to put your on-prem servers into resource groups is really up to you and how you've got your resource groups configured. Now, we've got this region thing as well. And again, if I'm not running a virtual machine inside an Azure region, what is important to note here? So regions are a really good way of us also being able to lock down security in terms of who can access what information. So you might want to think about that, because at a region level, a resource group level and a subscription level, you can implement this role-based access control to restrict who has access to what. But also, the region is the place where the bulk of the actions and the activities are going to be done. So there's no point in having an on-prem server sitting in Australia if we're going to go and say that its little thing inside Azure, its identity in Azure, is going to go sit in the US or Europe. So we may as well make sure that we're picking regions that are physically closest to where these machines actually are. OK, so following Sonja's advice, what we'll go and do is we will go and select a resource group, and we'll go in with the Contoso resource group because we're going to put all of our resources there. Now we're going to pretend that we are in America, so I won't do an American accent, but pretend that I did. And obviously this is a Windows related thing, but I just want to show you that you can actually choose Linux when it comes to creating the script, because obviously a script running for Linux is going to look a lot different from a script running for Windows. And then we specify our proxy server URL.
So if we were actually doing what you should do with all infrastructure servers, which is block them from directly connecting to the internet unless they're servicing a function, and then they should be out on your perimeter network, what we should do is actually route our traffic through a proxy server. So we would enter a proxy server URL. Because this is a much more simplified process, we're actually not going to do anything related to proxies. The next thing we're going to do. Hey, Oren, do you want to answer Eric's question about networking requirements then? So if that server isn't behind a proxy server, or maybe it's sitting on your corporate firewall and it can access the internet, but you've got a VPN in place, do you know what the on-premises servers need in terms of network connectivity for the Azure Arc agent to work? I'm pretty sure it's port 443, but I think we actually covered that in the next unit of the module. So in terms of Eric's question, I mean, let's face it, pretty much everything else runs over port 443 at this point. So, you know, it'd be a surprise if it wasn't, but you never know. So we'll actually come back to that. And that information is certainly all present in the module, or in the documentation linked from the module, even to the point of specifying the URL of the endpoint that Azure Arc actually has to communicate with to perform the onboarding process. Now on this page, and I've left it here because I know that you absolutely love tags. Why would we use tags? Look, tags are one of my favorite things because they enable you to add metadata to your systems. So that's a fancy way of saying here is your chance to add information about a system that either doesn't natively exist or would take you a bit of crawling through logs or folders or whatever to try and find the information about that system. So, great examples of your tag structure.
Now, if you've already got an Azure environment, you might have a tagging structure set up in terms of the names and the values for these particular tags. Good examples with on-prem servers include who's responsible for them. Now, that might be a person or it might be a department. If the server goes down, who's going to be responsible for fixing it? Which business unit do they service? So if it's a VM that's got a particular line of business application for, say, our HR department, I might want to have a business unit tag and put HR in there as the value. So I know that this VM is servicing this business unit. If I've got any problems with that, if I need to plan an outage for it, I know who is going to be impacted. Also, maybe environment. So is this a production server? Is it a test server? Is it a development server? What kind of server is it? And then, because this is not a server in Azure, I might even want a location tag. So where is this server? Is it in this particular AWS instance? Is it in this particular physical location, data center, in this city? So all of the kind of information that's really helpful when you're looking at things at a glance, but also then you can use tags when you're doing stuff programmatically. So you might want to push an Azure policy only to all of your development servers, or only to your on-prem servers that are in this particular physical location. So that's where tags really come into play as well. Okay, so we're pretty much happy with that. So what we do is we've got the script here and all we need to do is select it. We then switch over, and here we've got a Windows Server 2019 instance. We just paste the script right in and then we hit Enter. It goes off. It pulls down the agent. The next thing we do is we run the agent installer itself, and we've got that installation log that, if there are any problems, we can go into to determine where things actually went wrong.
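The script the demo pastes into the Windows Server 2019 session, written out here as an added example rather than the portal-generated script itself, so that the three steps (download the agent, install it, connect) and the tag structure Sonja just described are visible in one place. Subscription ID, tenant ID, region, resource group and the tag values are placeholders for your own values; the proxy line is optional and uses the agent's own `azcmagent config` command, which is an assumption about your agent version rather than something the session shows.

```powershell
# Added example: Azure Arc onboarding from an elevated PowerShell session on the server.
# Placeholders: replace the subscription, tenant, region and tag values with your own.
$SubscriptionId = '<subscription-id>'
$TenantId       = '<tenant-id>'
$ResourceGroup  = 'Contoso'
$Location       = 'eastus'
# Tags as discussed: responsible owner, business unit served, environment, physical location
$Tags           = 'Owner=PlatformTeam,BusinessUnit=HR,Environment=Production,Location=LondonDC'

# Step 1: download the agent installer script (the answer to the knowledge check: download first)
$installer = Join-Path $env:TEMP 'install_windows_azcmagent.ps1'
Invoke-WebRequest -Uri 'https://aka.ms/azcmagent-windows' -TimeoutSec 30 -OutFile $installer

# Step 2: install the Azure Connected Machine Agent; the installer writes an MSI log you can
# read if this step fails, and a non-zero exit code stops us before the connect step
& $installer
if ($LASTEXITCODE -ne 0) { throw "Agent installation failed with exit code $LASTEXITCODE" }

$azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'

# Optional: servers that are not allowed direct internet access go out through a proxy.
# Assumption: the agent's 'proxy.url' config property (agent builds that support 'config set').
# & $azcmagent config set proxy.url 'http://proxy.contoso.com:8080'

# Step 3: connect. With no service principal supplied, azcmagent prints the
# https://microsoft.com/devicelogin URL and a code; the account you sign in with needs
# the Azure Connected Machine Onboarding role on the target resource group.
& $azcmagent connect `
    --resource-group   $ResourceGroup `
    --tenant-id        $TenantId `
    --location         $Location `
    --subscription-id  $SubscriptionId `
    --cloud            'AzureCloud' `
    --tags             $Tags
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }
```

Outbound TCP 443 from the server (directly or via the proxy) is the only network path this needs; nothing inbound is opened, which is why the agent works from behind a corporate firewall.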
And then now that we've got the machine agent installed, we can run the last bit of that script, that's actually going to connect this agent to our tenant and Azure Arc. And what it's going to tell us to do is it's going to go, right, you need to go to microsoft.com/devicelogin and enter the following code. Now, if you remember, we talked about the permissions that you needed. So what you would do then is you go to your browser, and it doesn't need to be on the machine that you connected to; it can be on your phone. It could be on your friend's phone. It could be on your mom's phone. It could be on any computer that you want. All you've got to do is go in and then go to that URL and type in the code. And when you do that, it's going to say, well, give me an account. And that account needs to have those permissions. So what we do here is I want to show you the login process. That's the URL. So that's the code. And I need to make sure I actually do type that code in properly. I jump over to a browser. I push in the code. And if I'm logged into that browser session with an appropriately credentialed account, it will now come back and say congratulations, you have successfully onboarded this machine to Azure Arc. I click the magic refresh button and I can see the machine. Once the machine is there, I can click on the machine. And what we can see here is all of the things that we can do with Azure Arc. Now, going forward, you will see more and more and more and more and more things. In fact, we're going to talk about all of the things that exist in this part of the console when we jump back here into the module. So here is the demo. And here we actually have a question. So let's try and answer that question first. I'll bring it up in PowerPoint. So Sonja, what's the first step the script performs in the Azure Arc onboarding process? All right. So I have to use my memory to remember what that script actually is.
But when you have all of these knowledge check questions, they're formatted in a certain way. And if you have done Microsoft exams before or done any practice tests, this is a good tip, and you'll see this coming through in sort of our question format. It's asking what is the first step the script performs. So that is your clue. We're talking about the script we ran and we're talking about the first thing that it does. And if I have a look at the different options here, they all kind of look the same because it's telling me the script is doing something. But I've got A, it's onboarding them. B, it's downloading the agent. And C, it's installing the agent. If you think you know what the answer is, pop it in the chat. We'll see how many of you are getting it right. But when I think about the process of doing this, it's going to have to get that software down onto the machine first before it can go in and install it. And we haven't even talked about onboarding it into the Azure portal yet. So I'm going to go with B, that it needs to download the agent first. It looks like Sonja is correct. Sonja has now won a prize, and Sonja has one point and Oren has zero points. Okay, let's talk about using the Azure Arc agent to manage Windows Server instances. There's a bunch of things that you can actually do once you've actually got Azure Arc installed. From the screen, you'll be able to see the overview, which will tell you basic information about the VM. The activity log will allow you to view a list of activities that have been performed against the VM. So once it's been onboarded, what activities have occurred against the VM and who did it? So if someone's gone and broken something, you'll find out who went and broke it in the activity log. The access control area allows you to review and manage who actually has permissions to go and do stuff to this connected item. Tags, as Sonja went through, allows you to see all of the metadata associated with this particular resource.
Extensions allows you to add and remove extensions to the VM, and we'll go into those a little bit more in a sec. Policies allows you to configure and remove policies, and we'll talk about what policies are. But again, at a certain level, they're like, is this machine configured in the way we want it? So that's one version of policy. But if someone also wants to try and do something, there can be a check done against policy to see whether or not that's allowed. You've got the update management option. So once you connect the machine into Azure Arc, you've got the ability to actually manage software updates for that virtual machine. Now that's functionality that you can connect separately into Azure in hybrid, but connect into Azure with hybrid. But when you turn on Azure Arc, there's a whole lot of things that will automatically light up rather than you actually having to manually go in and do it yourself. Similarly, Change Tracking and Inventory. Change Tracking and Inventory is something that you can turn on. And that will tell you whether or not someone has actually gone and modified something or added something, or the software configuration has changed. Insights allow you to view information about CPU, disks, and the state of the virtual machine. And logs allow you to run queries against logs, so you're basically pulling up your event data into Azure, and then you can use all of the workbooks in there that are available within Azure to actually scan those logs for items that might be of interest to you. So Sonja, tell me a bit about managing extensions. Absolutely. So if you've done any Windows Server administration, you might know that when you install Windows Server, there are a few things that will turn on by default. But there are a bunch of services that you can go on and turn on in addition.
And you would do that through Add/Remove Programs, or you've got your different server roles and the features that you can go and turn on to get the server to perform other tasks that you wanted to do that aren't turned on by default. Virtual machine extensions are kind of like that. So what they do is they enable other capabilities for this virtual machine. And in particular, we've got a couple there that are supported through Azure Arc. So we've got custom script extensions. So that means that through our Azure management tool, we can download a script onto that on-prem VM and we can run it. So that's our custom script extension. We've got desired state configuration. So PowerShell Desired State Configuration management here again, to make sure that your servers are maintaining the configuration that you want them to keep. We've got the Log Analytics agent extension and we've got the Microsoft Dependency agent. So there are two other agents, including this Log Analytics agent, to make sure that these servers can talk into our Log Analytics workspaces. So yeah, that in essence is what an extension is. OK, so we do have a question from Damian, which is, does the region need to match where the Log Analytics tenant is? That's a good question. I don't think it does, but what it will need to do, though, is you'll need to make sure that it's at least in the same subscription, because Log Analytics can't work across subscriptions. It can work across regions, but it can't work across different subscriptions. And generally speaking, it's a good idea to keep most of your stuff in the same data center or the same region. So yes, you can, but no, you shouldn't. Yes, you can. Doesn't mean you should. OK, so let's talk about Azure Policy. So policy allows you to enforce compliance when provisioning your resources. That is, you're trying to do something and policy can stop you. So if you've got people who are getting a bit creative, you can use policy to limit their creativity.
You can audit the compliance of an existing Azure resource. You can also, in some instances, remediate non-compliance. Now, the degree of remediation depends on, you know, how far the ducks have got out of a row, right? If the ducks only move a certain amount of the way out of the row, well, it's easier to make it more compliant. If the ducks have, you know, gone over the hill and far away and mother duck says quack, quack, quack, quack, it doesn't mean compliance is going to make the duck come back. And that's probably one of the few times anybody's sung on one of these. Anyway, and then auditing the compliance of the operating system, application configuration, and environment. Again, coming back in and looking at whether or not you're actually compliant with the configuration that you should actually have. And increasingly, compliance is important because organizations need to make sure that they're actually meeting their compliance requirements. So this is giving some examples, saying that Contoso could restrict the Azure regions into which resources can be deployed. Now, that's obviously if you're thinking about it very much from deploying VMs in a hybrid environment. But it also might be that you're actually using policy to restrict which regions. So to stop, you know, Dean being creative in which analytics workspace he's got, or where Azure Arc is, you might say, Dean, mate, you can do Australia Southeast. And that's it. No more. You're not going to New Zealand. You're not going to Singapore. You're not going to Western Europe. You're stuck here. Okay. So once you install the agent, it requires outbound to... Hey! ...Azure Arc over TCP protocol 443. It really is the absolute everything protocol at this... the everything port at this point. So I did get it right. I did actually remember that it was 443. And it wasn't something like port 1701, which is your enterprise administration port, which is a Star Trek joke for people out there listening to it together.
Anyway, so it uses the... you can order your configuration in terms of assigning policies. You assign an Azure Arc policy in exactly the same manner that you assign a policy to another resource. You go into the portal, you select the server, select Assign policy, and then you choose the policy and then whether or not you want to have it in audit mode or enforcement mode. Of course, anybody who's done this more than once knows that you start with audit mode and you see all the things that have gone wrong, and then you try and manually remediate them. And then once you've got it all working, that's when you turn on enforce mode, because that way you're not going to break something. What you don't do is you don't suddenly, for example, go and enforce a policy that configures which services can run, and then have it turn off all of these services, and then find out after you've deployed the policy that those services were actually business critical, because, you know, that's not so great. And this will give you a list of... once you've run the policy, it'll tell you whether or not something's compliant or something's not compliant. So you look at it and you go, okay, I understand. And here is some more reading on whether or not policy... how policy works and how you create a policy assignment. And one of the key things here is that this is general advice for Azure, but because you're using the magic of Azure Arc, you can do the stuff that applies to Azure to all of your on-prem resources that you onboard. Okay. The policies that you're using there are those Azure guest configuration policies. So they're the same policies that you're going to use for your VMs, whether your VM is in Azure or your VM isn't in Azure. There's no special policy set for Azure Arc connected servers. It's just Azure Policy guest configuration that you use for any of your VMs. So the last bit of... the last topic that we want to hit is role-based access control.
And all role-based access control really comes down to is who can do what against this resource that you're connecting to Azure... Because if you're moving your entire management plane into Azure, you want to be... Well, it doesn't mean that anybody who can log on to Azure can suddenly go and manage everything. You actually want to be really restrictive, because you don't want, you know, Pierre from accounting deciding that he's bored, so he's just going to go and shut down some virtual machines. You want to make sure that Pierre has the appropriate permissions so that he doesn't shut down Rick's workloads. So in terms of assigning control, you've got the access mode, and you can do it in the workspace or in the context of a specific resource. You can require workspace permissions or you can use workspace permissions. In terms of managing access, all you do is you go to Azure Arc, you select manage servers, and from the list of managed servers, select access control and then you assign a role assignment. So you can view role assignments to check who's got permissions to whatever, and then view the deny assignments. So in this case, Rick might be, well, you know, I don't want Pierre doing anything to my Azure Arc connected resources. So I'm going to specifically deny Pierre access to anything that exists here. You know, and if someone could use a deny assignment on their refrigerator, there wouldn't be missing takes. Just saying. Okay. And again, this role-based access control stuff, if you've done anything with virtual machines or any other kind of resource in Azure, it's the same. That same identity and access management plane that you find on any of your other resources. So there's no special sauce to this because it's an on-prem VM or because it's Azure Arc. It's just all of the RBAC stuff that you're familiar with.
What that also means is that it's also going to be inheriting any of the RBAC stuff from the resource group or the subscription level that you've got configured in your subscription too. So it's worth noting that. But that pane also gives you a check access thing, where you can put in the name of a person and it will actually go and validate and say, hey, this is what access this person has to this particular resource, because it will go and filter through what groups they're in and what other permissions they're inheriting. So access control, this RBAC stuff, is the same and familiar for anything that you do inside Azure. And one of the other things that we want to get across here is that by bringing everything into Azure, wherever your resources are, what we're trying to provide is a level of conceptual consistency to how you perform tasks across all of your resources. Those of us that have been in the game a long time know that each workload has often, certainly at the start, required its own set of tools, and every tool is implemented by people who have a different idea of how to go and do something with that tool. Eventually what we would like is that you understand, because you understand how the tool works, what you can do, because it's very apparent to you. You're not sort of sitting there like we did in the 1990s, where we're looking at a brand new console, or it's like learning a new game, and you're sort of sitting there going, I have to run the tutorial on this game because I have no idea how to play this game. The idea being that in the long run, everything managed through Azure and Azure Arc is going to use exactly the same interface and the same consistent way of thinking about things, or consistent way of getting to things, that allows you to pretty much figure out how to make it go along without actually having to spin up the tutorial first. Okay, so let's end up the module with our knowledge checks. So, Sonja.
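The least-privilege split between the two Azure Arc roles named in this session (onboarding versus resource administration), done from the Az PowerShell module instead of the portal, as an added example that is not part of the module. The user principal names and the resource group are placeholders; the role names are the built-in Azure roles the session refers to. It finishes with the same two review steps the portal offers under Access control: listing role assignments at the resource group (which includes anything inherited from the subscription) and reading the deny assignments.

```powershell
# Added example: least-privilege RBAC for Azure Arc connected machines with Az PowerShell.
# Requires: Install-Module Az.Resources; Connect-AzAccount (as someone allowed to assign roles).
# Placeholders: the UPNs and the resource group name.
$ResourceGroup  = 'Contoso'
$OnboardingUser = 'barbara@contoso.com'   # only needs to onboard servers
$ArcAdminUser   = 'rick@contoso.com'      # needs to view, modify, re-onboard or delete machines

$rg = Get-AzResourceGroup -Name $ResourceGroup

# Onboarding-only, scoped to the resource group the machines will land in. This is the
# "domain join" equivalent: enough to run 'azcmagent connect', nothing more.
New-AzRoleAssignment -SignInName $OnboardingUser `
    -RoleDefinitionName 'Azure Connected Machine Onboarding' `
    -Scope $rg.ResourceId

# Day-two management of the connected machine resources themselves.
New-AzRoleAssignment -SignInName $ArcAdminUser `
    -RoleDefinitionName 'Azure Connected Machine Resource Administrator' `
    -Scope $rg.ResourceId

# Review 1: who holds the Arc roles at this scope, including assignments inherited
# from the subscription (the inheritance point made above).
Get-AzRoleAssignment -Scope $rg.ResourceId |
    Where-Object { $_.RoleDefinitionName -like 'Azure Connected Machine*' } |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Review 2: deny assignments in effect at this scope (read-only; they are created by
# Azure, not by you, but they explain why a user with a role still cannot act).
Get-AzDenyAssignment -Scope $rg.ResourceId |
    Select-Object DenyAssignmentName, Scope, Principals |
    Format-Table -AutoSize
```

Assign at the narrowest scope that still covers the servers being onboarded; a role granted at subscription level flows down to every resource group, which is exactly the inheritance that makes "Pierre from accounting" a risk rather than a joke.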
Chana in IT support at Contoso has been tasked with running a script on an Azure Arc managed virtual machine hosted in an on-prem data center in the London office. Which of the following represents the best solution for this requirement? I hate these questions because I have to try and untangle the English of what's actually going on here. So, let me pull a couple of clues out of the question. Okay, so this person has been tasked with running a script, and they've been tasked with running it on an Azure Arc managed VM. So, that kind of gives me a clue that this server has already been onboarded. This is not an onboarding question for Azure Arc. We're not talking about the script that we used to download that connected machine agent and get this machine onboarded. It doesn't tell us what kind of a script it is, but because it says that it is already an Azure Arc managed VM, then they want to run another script for whatever reason. So, if we have a look at the answers that we've got, as I mentioned, because it says that it's already an Azure Arc managed VM, I'm assuming that I'm not going to need to onboard it. But if I have a look at all of those questions, sorry, all the answers, they all say that they should first onboard the machine to Azure Arc and then do something else. So, that doesn't kind of help me in terms of weeding out which of those answers is correct, because they all say do the onboarding first anyway. So, then we have a look and see what the "and then" is. And then for A it's use policy, the next one is use the custom script extension, and then C is use update management. Now, I get the sense that our viewers listened very closely when I went through that section about extensions, and I didn't talk about the custom script extension very much, but everybody is prompting me to use B. Now, update management, Oren talked about that in terms of managing the Windows Server operating system updates.
And then Azure Policy, we talked about a few things that Azure Policy could do, but we definitely didn't mention anything about running scripts as far as Azure Policy goes. So, everybody's saying B. Oren, I think you need to go with B and see if they were right. Okay, Sonja now has two points and Oren has zero points. I'll give that one to the audience. I think the audience gets that point. So, well done everybody. It's absolutely, it is that custom script extension. It lets you go and download and run custom scripts from the Azure portal without even touching your phone. So, I'm going to ask you this one, Oren. It's your turn to earn a point. Permissions, we spoke about this in terms of the minimum amount of permissions, this least privileged access. The account that you use to do that login, and then you pasted your code: what are the minimum permissions that an account needs to onboard an on-premises Windows Server computer to Azure Arc? Well, using your methodology of eliminating whatever seems to be the thing that can actually probably be eliminated, let's look at answer C. Global administrator role. Well, that's like using a chainsaw to cut a cheesecake. So, that's probably not exactly what we should be doing. The next one. Now, one of the things I did say when I was going through this is I said it's good that with Azure, for the most part, stuff is actually reasonably rationally named. So, it's not like we've got a Power Users group, like we do in Windows NT, that we weren't entirely sure what to go with. So, we've got two options here. Connected Machine Resource Administrator or Connected Machine Onboarding role. Well, what are we doing? We're onboarding. So, unless we were doing something completely unusual, or we were misnaming the role, I say that we go with B, and it sounds like, if I went and asked, the survey said... sounds like the survey says B as well. So, the answer is B. Yay. And with that, I get a prize. Not. Anyway, Sonja, what can people do from this point onwards? Yeah.
So, if you enjoyed the session, if you'd like to go and do that module and clock up your own XP, experience points, in Microsoft Learn, and get the little badge for completing this module, go to aka.ms/learnlive-20211118 or use the QR code that you can see on screen and go and log into Learn. If you don't have an account already, it's easy enough to register one. It's all free. Go and do that module now that we've walked you through it and get the completion for that one. And if you've absolutely enjoyed the witty banter between Sonja and myself right now, guess what we're doing next week? We're going to do Implement Hybrid Identity with Windows Server as a Learn Live module. So, Sonja, I look forward to sitting down with you next week and going through hybrid identity. I can talk for hours about identity, so I'm really looking forward to that session as well. Okay. Well, thank you very much for your attention and have a wonderful rest of the day. Thanks, everyone.