Good morning, everyone. Welcome to another edition of LearnLive. I think it's called the Hybrid Sessions or something like that. I forget. My name is Pierre Roman. I'm a Senior Cloud Advocate at Microsoft, and with me I have Nate. Nate, how are you doing? Hey, Pierre. Great. Excited to be here and excited to be on Learn TV. I think it's our Azure Hybrid Study Hall that we're talking about today. We're going to be going through all of Microsoft Azure's hybrid technologies and solutions like Azure Arc, Azure Stack HCI, and all the segments, and really excited to kick things off. Yes. My role at Microsoft is I'm a Product Marketing Manager for Azure Arc, one of our hybrid technologies. Yes. Today, we are backed by a wonderful team. First of all, we have Laurent, who's been our producer, so you can't see him, but hello, Laurent. Our moderator is John Joyner, Senior Director of Technology, Microsoft MVP at Accountability. Thanks, John. If you have any questions, this is the place to ask them. We're going to be talking about Azure Arc, an introduction to Azure Arc in the chat, whether you're on Learn TV, or YouTube, or Twitch, whichever you want. Make sure to put your questions in the chat, and we will try to get to them as they come, or at the end, if we don't have time. But if you want to follow along, so aka.ms-slash-learn-live-2022-04-21a, we have the greatest URLs. But if you go to this URL, you will be able to follow along the Learn module that we're covering today. The Learn module we're covering today, again, is Introduction to Azure Arc Enabled Server. What does that mean? What does it eat in winters, and we're going to try to cover it all. All right, so let's get going. Yeah, let's get started. As Pierre said, we're going to really try to be answering a few questions today. What are the characteristics of Azure Arc Enabled Servers? What are the core capabilities of Azure Arc Enabled Servers?
And also, what are some of the management and governance and security things that you can talk about with Azure Arc Enabled Servers? And so, why don't we get kicked off and started here, and I can start us off. So, let's talk about what Azure Arc is and what that really means. So, Azure Arc really promises to bridge the gap between the on-premises and cloud environments. And so, maybe long ago, not too long ago, but you kind of had to make this decision of, are we going to be on-premises or are we going to be in the cloud like Azure? And those two systems maybe don't really talk to each other that much. You might be running your cloud items through the Azure Resource Manager and using great tools like Azure Monitor and security and governance policies. And then for on-premises, maybe you're using System Center or Windows Admin Center or a myriad of other third-party things that you've kind of hodgepodged together to get your policies and your SQL servers and your Windows servers and your Linux servers updated. But Azure Arc now bridges the gap between those two by bringing the cloud technology and that control plane of Azure into your on-premises environment. And specifically for Arc for Server, it does it for your on-premises Windows and Linux servers. And it also does it if those servers are running in other clouds, like perhaps AWS or GCP. So a great kind of hypothetical customer scenario, say you're, we always use the customer Contoso. So let's say you're a medium-sized financial services company and you've got lots of specific data like customer data, transaction data, financial information, and you have offices all around the world, maybe you're headquartered in the UK and you're operating completely on-premises. And so that compute environment has physical and virtual servers and it's consisting of a mix of Windows servers and Linux distributions. And so with that diversity, you're kind of also siloed operationally.
Maybe you've got a data center team here, a data center team in your other countries where you operate and each of them are kind of running in parallel but there's no central governance or IT policies. And so now that Contoso team and maybe the developers, maybe that bank has a mobile app and your developers are building applications in the cloud and then kind of throwing them over the window into the IT team and saying, oh, hey, make sure this is like highly available and it stays up and running. So now you've got this central IT team who's been tasked with maintaining all of their on-premises servers, ensuring high availability, ensuring compliance and security. And then you've got all of these developers and this innovation arm of the bank, building applications and cloud native, other systems that you need to manage. And so Azure Arc can come in and say, hey, we can take your things running in Azure, your things running on-prem, bring them all together into one consistent control plane. And Pierre, did I leave anything out there? What do you think is maybe the way that you typically describe Azure Arc? Well, Azure Arc is sometimes misunderstood. Start with, first of all, in 2019, I think it was Jason Zander that stood up at Ignite and said that hybrid is our customer's end state. So we've kind of gone away from the marketing message of everything, move everything to the cloud. Like we realized that hybrid is the end state that the majority of our customers are gonna end up with. So we needed to figure out a way to kind of link those two, as you mentioned. The way I explain Azure Arc, and I always kind of come back to the fact that Azure Arc is more of a facilitator product. It allows your on-premises or any other machines, whether they're on other clouds or physical or virtual on VMware or virtual on Hyper-V, no matter where they are. It gives them an identity and surfaces them up in the portal.
That's the main thing it does, is it actually identifies and links those machines to the portal so that you can then deploy other services that you may have in Azure, such as Log Analytics and Azure Monitor, Azure Backup, Azure Automation, Update Management, all that good stuff. You can now easily take those services and deploy them and apply them to those machines that have now been identified and linked through Azure Arc. Of course, it does a lot more than just that link. It like enables Kubernetes on servers. It enables a whole bunch of different things, but that's the way I start when somebody who has never been exposed to Azure Arc asks why, how does it work. Yeah, absolutely. So let's talk about why customers would use Azure Arc. And just as you said, a few years ago during Ignite, we recognized that customer environments and application requirements are evolving. And that doesn't mean that you have to just live in the cloud for regulatory reasons or for data residency or latency reasons, you're gonna wanna keep stuff on premises and you might wanna run stuff at the edge. And so if you look at our customer's environments today, they have hundreds, thousands of applications. They've got virtual machines, databases, containers, Kubernetes, serverless, they've got tons of different languages that they're developing in and they have a really diverse infrastructure. Just as you said, maybe they're managing a data center, maybe they have a hoster, they're maintaining VMware, maybe they're also using Hyper-V. And to add to this complexity, there's different development tools that your developers are using. And so the key questions we really hear are, how can I govern and secure my resources wherever they are? How can I bring the innovation from the cloud into my existing infrastructure? Infrastructure is expensive.
Perhaps you're not ready to phase out of your on-premises investments, but you wanna bring the goodness of the cloud into that infrastructure. And how do you modernize your local data centers with cloud infrastructure and extend compute and AI to the edge? And so for our solution, for that, I think we've long understood that, Microsoft started in the on-premises world, then we have Azure, this great goodness, and now we're bringing a lot of those together. And that's what Azure Arc is. And so- I'm really thrilled mostly about the security and the governance part of Azure Arc, meaning when you have policies, like I know on-prem group policies and all of that, there are ways to manage the compliance of all those machines, but now you can take a compliance policy or initiative or whatever you wanna call it from Azure and then apply it to all your servers. So for example, password complexity, making sure that you have the always up to date based on your compliance or your governance, and all that is surfaced up and enabled through Azure. So I'm really, really a big fan of that part. Yeah, absolutely. And that's what we're gonna be focusing on today. This LearnLive Study Hall is gonna be really about Azure Arc-enabled servers. And so we're gonna be talking about the security, the governance, the management you get for your on-premises and multi-cloud servers. And certainly in the other LearnLive, we're gonna talk about things like Azure Stack HCI or Azure Arc-enabled Kubernetes and DevTools and modern apps. So make sure you tune into those. But really, if you think about with Azure Arc, just as we said, it's this bridge between Azure and your other environments, your on-prem, multi-cloud and edge environments where we can bring our app data and AI services to you so you can truly build and innovate anywhere. And that aligns with Microsoft's mission. We wanna empower you to empower your organization wherever you are. 
And so that's why we're really confident that Azure Arc is gonna be for you. And I think the most important thing is that it's a single set of skills and processes. So perhaps back in the day where you have these handmade dashboards and you're trying to align a policy built for on-prem that you're trying to put into the cloud or you're trying to ensure that your security settings work in all these different applications where each one's a little different, you can now have one control plane. And that is Azure. And that's no longer limited to Azure public cloud. It can be brought to wherever you're running your services. Yeah, I'm really, when you really think about it for an IT pro's perspective or an operations perspective, it was a time where you had stuff in one cloud and some in Azure and some on-prem and some at a hoster. So you ended up with having to manage like four different sets of tools in order to have like management of your machine. So the one tool may be doing things a little different. So you didn't have a unified way of doing this. And this is what is being addressed. And when we look at, if we can switch to my slides Laurent, and if we look at the characteristics of an Azure Arc-enabled server is really like we just mentioned in the intro is to bring all those capabilities to your machines wherever they may be. So it's the reach play where you can from your management portal whether you're using PowerShell, Azure CLI, REST APIs or others, you'll be able to reach all of those machines regardless where they are. So whether it's Windows, Linux, VM, bare metals and you can do this at scale, obviously. A consistent way of configuring your extension. When we first started with the on-prem and hybrid, yeah, you could collect the logs from an on-prem machine to Azure. But it wasn't easy.
You needed to figure out the right agent and how do you install it and how do you configure it so that it sends the right information to the right log analytics workspace so that it can be ingested and then analyzed and then you can get value from that information. With Azure Arc, one of the characteristics is it takes care of that for you. So when you say enable patch management, for example Azure Arc will then figure out the proper agent to put it on. It'll drop it to its own agent that's sitting on that machine and install it properly and configure it properly to allow for that centralized management without having to decide on every machine, oh, do I need this agent or do I need this agent? Especially if you're in a mixed environment with multiple versions of Linux, multiple versions of Windows, that configuration is taken care of for you. We mentioned the governance part. So built-in Azure policies or custom policies, you decide. There are a number of built-in ones but if you wanna build your own, you can and then apply them to your entire data center. And when I say data center, I mean like your entire environment, whether it's the on-cloud part or whether it's the on-prem part, it applies to all equally. And of course, because of our focus on security, Azure Arc enables through log analytics and through collecting data from your machines applying security. So Azure Active Directory managed identity, server security baseline, role-based access control. So you can have a, and this is the fact in a lot of places where you have the team that manages as for a certain set of devices. And then you have other people that need to have access to view what the logs are, what the status is, but you don't want them to actually be able to change anything because change management, you wanna restrict it to a core group that basically can document it and do it properly.
So with role-based access control, you can actually give only the access that's needed to the people that are needed. So you have, you can have like your management to be readers so they can see all of the information, but they can't change anything, which in my case, it's always a good thing. You just give the managers enough information, but don't actually let them do anything. Yeah, absolutely. And I see we have a question in the chat here that I wanna make sure we answer: Although we can manage servers from other cloud providers, can we also integrate Azure DevOps pipelines and those servers using Arc? Yes. So using Arc, I'm not quite sure about pipelines themselves, but you can integrate Azure DevOps practices but you can also use like Azure automation because there is an agent for that where you could actually send commands to that server and then that server will basically pull your content from a GitHub repo or any other installation process. I'm not a DevOps person. We'd have to maybe ask JDestro or April Edwards to like drill into this, but I believe it enables at least a portion of the DevOps practices to your enabled servers. Yeah, I was gonna say right on, if you have a Git repo that you are constantly pushing code to from Visual Studio or something like that and that's a hybrid repo or something like that, it will certainly be able to push those updates to those servers or those Kubernetes clusters where they're running. Yep. Yeah, and so do we wanna, let's see, move on Pierre to talk about, you know, where Arc-enabled servers runs and then we can start getting into our learn module here. Absolutely. So the Arc-enabled server, we mentioned it before, regardless what the machines are and currently what we support of Windows servers, multiple versions, SUSE Linux, Red Hat, Ubuntu and of course, AWS Linux.
And all of those OSs will be able to take care or take advantage of the services such as policy, defender, sentinel, monitor, log analytics and so on. So there's a number of services that we can deploy once you've identified and enabled Arc-enabled your servers. And I think it's so great just seeing all these services that you can bring to your on-premises environment. You know, I was talking with a customer who has a data center in their office. They use a third party hoster data center and they have a bunch of Windows Server 2012 R2s, 2016s and 2019s that they actually have running in Azure just as Windows Server VMs. And their director of IT and their networking team was saying, yeah, you know, we used to have to come in on a Saturday night at midnight and between like midnight and four a.m. We would just update all of our servers. And now with Azure Arc, they were able to just completely automate that process. So the same policies that they're writing in Azure for those servers can now be brought exactly into their on-premises environment and it can be done with just a few lines of code truly and setting the right policy and update systems. And that was able to just save them one an immense amount of time and made their IT team way more efficient. And it also kind of takes out that error of, oh, did we really get every server? Do we need to double check it? I mean, if every server is Arc-enabled, it basically saves you that need to start coming in from midnight to four a.m. on a Saturday and manually going through it. So I just thought that was a great example that one of our customers recently told me about. Yeah, it's not like we've never had to wear the pager and answer it at three a.m. on Friday nights or something. Right. 
I'm actually very happy to see that Azure Auto Manage is also part of that because Auto Manage, you basically like you're ensuring that your backup, that your log analytics, like all of that pre-configuration, when you turn on Auto Manage, it actually makes sure that everything is set to your backups, to your protection of those VMs, everything in one step without having to say, did I deploy this? Did I enable update management? Did I enable backups of it? It's all done. So I'm very happy to see that that one is now part of the Azure Arc-enabled services. Right. I think it's a great example of how the same innovation that we're driving in public Azure, like Auto Manage for your VMs that sit in Azure, can now be brought into your edge multi-cloud hybrid environments because now you can Auto Manage your Arc-enabled servers and it just continues to make your job more efficient. It saves you a lot of time and things like that. Yeah. Yeah, perfect. Now, if we look at what an Arc-enabled server actually looks like or what it does or how it happens, it relies on the Arc-connected machine agent. So I mentioned that in the beginning, though, it's almost like the Lord of the Rings like it's the one agent to rule them all where once the Azure Arc-connected machine agent is installed locally, it does establish that logical connection. So it creates a VM ID in Azure makes the link and then starts answering and listening to those prompts from Azure in order to deploy new services or to collect data or to actually act on a command that you've given through Azure Arc. One thing we can do is how about we do a very quick demo of how we enable Arc-enable some servers? Great. All right. So let's start with the Azure Arc server onboarding, a lot of you will. Just as a note, those videos are recorded not because we wanted; it's no smoke and mirrors, it's that during the demos at some point, there's a portion of time that has to go on for everything to be done.
And we wanted to take that video and cut out those parts where we're just sitting there watching the spinning donuts in the middle of our screen to have to make better use of our time. So if we go with the Azure Arc onboarding, fairly easy one, right now I've got like a demo environment and all I have to do is create a new resource and I'll just say servers and select Azure Arc. Now I can create my Azure Arc environment and at this point, if I pause this, you can see that you can add a single server, that you can add multiple servers, and when you add multiple servers, it generates a script and then the only difference between the first two and the single or multiple is that when you're doing multiple, it's not gonna ask you for the password because you do need to be in administrative access to those machines, so it's not gonna ask you to authenticate and it's not gonna ask you to log in Azure to initiate that connection manually. When you're doing multiple servers, you create a service principal in Azure and then you pass on that service principal's ID and secret inside your script. So that service principal only has access to create that link. It doesn't have access to anything else, so it is still secure, but that's the only difference but you could also add in other ways. You have to make sure that you have HTTPS access to that environment, you select which OS you want if you're gonna use a public endpoint or a proxy server and then you add some predefined tags and those tags are important because it allows you to later on organize your machine, so whether they're in resource groups or whether or not you're going to apply rolling updates to specific location and then it just generates a script that you download and install on your machine and once you've got it on your machine, it's just a matter of accessing that machine, running this using an elevated privilege PowerShell. Okay, I was just waiting for this to turn.
So I'm on a server in my Hyper-V box under the desk here and I open my PowerShell with admin and I just go to the download directory or folder and then execute the script. Everything else is built into that. It will install all of the dependencies, make sure that everything is set properly and go and download the appropriate agent, meaning earlier when we talked about this, like depending on the version you have and the OS you have, you need a specific agent, it gets all of that. Then at this one, because we did a single server, it wants me to authenticate to Azure. So I will use that link that's there and the authentication code. Go to Edge, browse to that location. Once I've got that location, insert the code and then authenticate to that Azure instance or tenant. So I'm using my Hotmail account because this is a demo environment. I've approved it on my phone because MFA, multi-factor authentication, if you haven't set it up, please set it up. Once it's done, you can close that and it'll go and it waits and the script polls Azure until it sees that it's successfully onboarded that server and then from there you can actually see all of your servers in Azure once they've been onboarded. Onboarding is the first part of it. Once it's onboarded, it does take a little bit of time for it to start reporting its data, reporting its status, reporting up its logs that you have. But right now we have one server that's installed. We also have the same experience with the Linux. So if we can do the Azure Arc onboarding with the Linux, Laurent, and this one is pretty much exactly the same in terms of the beginning of it. So you create things the exact same way. So you look at servers, you select Arc, everything's the same. The only difference is when you pick the OS that you're looking at, you end up having to pick Linux, of course. And then it installs, I'm just gonna fast forward this a little bit as we've seen this.
Then on my machine, I just SSH into my Linux server that's in my environment as administrator. So this was a brand new machine. I log into it and then I will execute the script. Now that script, in Linux, as opposed to Windows, when you install a separate package, you may have a whole bunch of dependencies. So by running that onboarding script, bash script and authenticating properly, then it goes out and it'll download and install all of the dependencies that are needed. It'll update all the packages that are needed on that server. It'll go through all of that, process the triggers, process the libraries and set it up as its own service. So that runs automatically. And at the end, you end up with the exact same experience in the Azure portal where those machines are now available for you to deploy other services to. I don't think we need to see the rest because it's exactly the same and we'll get back to it in a little bit. So let's go back to the slides. So that's what an Arc-enabled server is. It's really just servers that you have, regardless where they are, that have installed the proper agent, connected to the proper subscription tenant with the proper authentication and then it surfaces them up in Azure in your portal. And you can tell that the server is a little different because that server will have a slightly different icon and also it will show you in there that it's a non-Azure machine in the description of that VM. And you can see your Arc-enabled servers side by side with your VMs and other servers and your SQL servers all in the Azure portal. And when you add those tags, you can see which ones are running in Ottawa, which ones are running in New York, which ones are running in Los Angeles. And so by tagging your servers and by tagging, perhaps maybe you're running certain VMs in West US in Azure, then you can group them geographically or however you wanna do it.
So it makes it really powerful when you can see just all of your resources, regardless of where they are geographically and regardless if they're running in Azure, on-prem in another cloud, they're all right there in the portal. Yeah, and there's a question on YouTube that asks Ratan asks if those demo servers are not hosted on Azure. Actually for this particular demo, those servers are running on Hyper-V in a test box that I actually have under my desk. So I really wanted to simulate what you would have in your own environments where you have servers that are completely disconnected from Azure. So they're sitting in my home, connected to the internet through a residential DSL connection. And so it doesn't really require that much in order to enable a server for Arc. And one other fun way that if you all at home are wanting to get started with Azure Arc and maybe you don't have a server box under your desk, we have this thing called Azure ArcBox. And ArcBox is a virtual machine in Azure but it replicates a VM or a server on-premises. And so it comes with I think like a SQL server, a Windows server, a Ubuntu image and it replicates exactly what it's like to manage your various servers with Azure Arc in that Arc-enabled server environment. But it's just all basically nested virtualization through a VM in Azure. And it's a great way to get started if you want to check it out. Yeah, so ArcBox has basically taken advantage of nested virtualization to create a VM in Azure and on that VM turn on Hyper-V and then run other workloads on top of it, correct? Yeah, that's exactly it. Okay. Yeah, Mr. Maurer has just joined us in the chat and he's like, yeah, here's that Arc is pretty cool. It is, it is really cool. So if we go on to what the connected machine agent is, you can see from this slide and there's lots of information on this slide but the only thing I wanted you to realize or to grasp is the fact that all of that communication is over HTTPS 443. 
So in a lot of cases when you're in your own environments and you have the security group that locks up those firewalls at the edge of your enterprise, typically to open ports is an understanding of how it's gonna be used, who's going to use it, what's at the other end and so on. And it typically can get fairly arduous to convince your security group that you need to open a specific port to the internet. By using HTTPS 443, that is by default in the majority of environments already open. And there's nothing that gets pushed in. It's always the agent that calls home and requests the data. So the connection is never initiated from Azure. It's always initiated from the agent, which is why when we're deploying and when we're onboarding it, we actually have to run it from the agent and it goes out to Azure, connects, gets the information. So you can't add a machine from Azure to onboard it unless you've already pre-created that connection. Right. And I think breaking down the connected machine agent for Azure Arc, there's really three core components to it. And if you look at the slide kind of on the left side, you'll see those three buckets of the hybrid instance metadata service that just manages the identity and aligns it with Azure. Then you have the guest configuration agent that provides in-guest policy and guest config functionality, such as like assessing whether the machine complies with your required policies. And last is the extension agent. So that manages the install, uninstall, and upgrade of VM extensions. So things like log analytics and the MMA extension can all be accessed through that. So together those kind of three components constitute the connected machine agent. You can see how they connect to Azure resource manager or log analytics and your active directory and authentication. Yep.
Now, if we're looking at connectivity options, when we did the demo, we went really, really quickly through that, but you really have three items or three ways to connect your server to Azure. One is through a public endpoint via direct connection. So that's basically from your machine, it goes straight out to the internet, it connects to an Azure endpoint and Bob's your uncle, you're connected. Now in environments where traffic is a bit more managed or controlled, you can do it via a proxy server. So you identify a proxy server on your environment, in your on-premises, and you connect through that proxy server to Azure, therefore making sure that your security team is still happy because they can still manage and monitor the connections to and from the internet. And currently in preview, we have private endpoints over ExpressRoute, meaning once that becomes GA and you can start using it now if you're testing it, when that becomes GA provides you a very, very robust and secure way of connecting your servers from wherever they may be to your Azure environment using that encrypted tunnel, that secure tunnel, because an ExpressRoute is really just kind of like an MPLS segment terminated both at your end in your data center and at our end in our data centers. So it completely bypasses the public internet making it a lot more secure. And the private endpoint also adds to that. So the supported environment operating system, I just skipped that slide that just said, okay, then we're gonna do the demo, but we've already done that. Right now, servers that are supported are 2008 R2, 2012, 16, 19, 2022, including server core. However, if you're still running 2008 servers and 2022 servers, you really need to start looking at potentially updating those servers. So 2008 is getting out. Yeah, we're coming up with end of support. And so for 2008, I think we're in year two of our extended security updates.
And if you migrate those servers to Azure, you can actually get free ESUs on Azure. And for a Windows Server 2012, we are nearing end of support and then the extended security updates I believe started in 2023. Or you can migrate to Windows Server 2022 or upgrade, you know, lots of great functionality. We can get into that, I'm sure later, but. Shameless plug. Exactly. Yeah. And like Nate said, upgrade or moving those servers to Azure gives you those extended security updates. I believe there's also a program that will leverage Arc to facilitate the same thing. I'm not quite sure if that's completely rolled out yet, but keep an eye out for that. Yeah. Okay. Perfect. So other than Windows servers, of course, Ubuntu, CentOS, SUSE Linux, Red Hat Enterprise, Amazon Linux, and Oracle Linux 7 are all supported. And that list will be growing as more OS, especially on the Linux side are vetted and put into the list. And I wanna call attention to a question, I think from Ian on YouTube. Can you touch on how Azure Arc is licensed? Is it free? Ian, great question. So the pricing per Azure is Azure Arc to download and install the agent on your servers is completely free. And so if you want to be able to go through that demo that Pierre did earlier, where you abstract your on-premises agent or your multi-cloud agent or VM and put it into the Azure portal so you can see it, that's completely free. Where we start charging for are certain attached services. And so things like Azure policy. If you wanna set policies, it's $6 per server per month. If you wanna use Microsoft Defender for Cloud, there's a cost with that. I think kind of depending on the number of gigs you ingest there. And same for using Azure Monitor and log analytics, there are costs there, all depending on maybe the per gig ingestion. So for simply getting started with Arc, if you wanna align all of your servers, use things like tags and being able to see them all in your resource groups, that's completely free.
And then when you start using kind of those really powerful native Azure services, that's when there's a cost there. Yeah, and the cost would be no different than if you were ingesting that data from an Azure VM. Exactly, right. So there's no, it's not like there's a catch here. But you do, if you're cost conscious, you have to, if you're looking at Azure Monitor and you wanna start onboarding all of the logs from all of those machines, because if you've got thousands of machines and you turn on all the logs and all the application logs, system logs, setup logs in your like Windows Event Viewer logs, then that will grow. And that can have an impact on how much you pay. So you wanna make sure that you, when you onboard those logs and that information to be ingested by Log Analytics that you are careful as to what you're selecting and don't just select everything because it's easy. Yeah, yeah, absolutely. Great question though on pricing. Yes, absolutely. I typically try to stay away from licensing or pricing options, because I'm on the tech end of things, not the licensing end of things. All right, so now if we go to the infrastructure of Arc-enabled servers, we can make sure that we can deploy and connect that information that those machines to all of those different services. And so the Azure portal is one, it's the real easy, you can just see your machines in your resource groups, you can assign them, tag them, Nate's already gone through this. I really like the DSC, so desired configuration management, where you say on those groups of servers, for example, IIS must run at all times. So even if somebody turns it off, desired state configuration is gonna turn it back on. Of course, PowerShell, Windows admin server gets to play in there as well. You can use the Azure service principal to onboard those machines and basically give those machines an identity so that they actually have access to do what they need to do. 
But of course you can deploy that using Terraform, Ansible, group policies or SCCM if you're still in your environment running those systems. So to deploy I just did with the standard script downloaded and manually ran it, but there is a number of different ways that you can make your life easier by deploying it. Right, if you're one great use case, I think is the Windows Admin Center side. If you're using Windows Admin Center for your server administration and you go to that kind of Azure hybrid services bar in there, it's super easy to connect that server that you've maybe already RDP'd into or something to Azure Arc and in WAC it's just really a click of the button or you can do it in all the other ways Pierre said. So we're trying to make it as easy as possible to connect and Arc enable your servers. Yes, if you're using Windows Admin Center there are some prerequisites. So your machines have to be connected to your Azure subscription with a service principal that's with the proper permissions. But once that's done, you can basically onboard directly from the hybrid center, correct? All right, so we've done the first section of our learn module. Should we jump into our knowledge check? Let's do it. Okay, and I believe Laurent's got a link for a poll that you can actually answer the questions as well. If he finds it, he'll put it at the bottom but let's go to our first question. What is the component that is required in order to establish a logical connection between Azure Arc enabled resources and Azure? What do you think, Nate? I know it's a tough one. So we talked, we do know it is an agent so your on-prem servers can communicate with Azure but I think the question is which one? I think you kind of said it's a, you gave a great Lord of the Rings analogy there. So we'll have to see. I'm curious to know if our audience gets the answer right. So make sure you vote at aka.ms slash polls. 
Yeah, I think it'd be more confusing if there was a D option that says all of the above. Yeah, yes, I do see one that's an extension of the primary agent in this list but we'll have to see if people were paying attention. Yeah, the dependency agent is kind of like part of the connected machine agent so making sure. All right, so it was C, hopefully you guys all got it on and the poll is in the chat if you missed that link. Second question, which of the following operating systems are not supported by Azure Arc? What do you think, Nate? Yeah, well, this is another good one. We talked about the different types of servers and I would say probably the most common types of servers you're gonna see in a data center are the ones we support. So maybe there's one on this list that you don't always see in an enterprise data center or something. Yes, well currently we support servers, not workstations. Right. Actually, I've never tried to deploy the agent on the Windows desktop, but currently we support servers which kind of leaves one of those as the outlier here. Right. Let's see which one it is. And that was correct. Yeah. All right. I don't know if Laurent can show the results. Maybe not. Maybe not. Yeah, we can move along. So that was our first section of the learning path and now I think we're gonna get into, oh, here we go. There we go. I went to get the land. So 100% of our voters have gotten it right. So I guess we did our job well. There we go. All right. So now what are the core management and governance capabilities of Azure Arc? Right, absolutely. Let's talk through these and Pierre, maybe you wanna go just quickly to the next slide, but some of the things we talked about for Azure Arc are that it not only shows your server in the portal, but it brings these great management capabilities. 
And so you can organize all of your resources with management groups by subscription, resource groups or tags, and you get a single inventory of all your assets across your multi-cloud and your on-premises estate. And then you can also run reports on these. And so if you're in an IT group and you know that you've got offices and data centers or server boxes all across the world, you can now have one place where you can see all of these. And you get direct access from the Azure portal to most of the management features from these Arc-enabled servers, like role-based access control for viewing logs and server inventory, VM extensions to deploy software agents and run scripts on your server, Azure Policy. And I think one of the most important things truly is an Azure Active Directory system-assigned managed identity for apps running on the server to use when authenticating to other Azure services. That Active Directory piece is typically the backbone of all of this infrastructure. And so that being configured in is really important. And... Absolutely. Yeah. Yeah, so those are kind of the main management capabilities. And also we're gonna talk later about the security and governance, but I think for right now, we're just focusing on management. And I think if we head to the next slide, you'll see a great kind of graphic that shows, hey, here are all of the various services that you can get. And we have them across all of your infrastructure, whether it's running in Azure, in other clouds, or on-prem. Then moving forward, let's see. So since the capabilities of Arc reflect the same capabilities of Azure Resource Manager, they're practically one and the same, we can get a consolidated view of our resources through the tools that you're already using. So if you wanna see them in the Azure portal, in the CLI, in PowerShell, or a representational state transfer for your APIs, you can see all of your Azure Arc-enabled servers in the same tools that you're already using. 
Yeah. I find there's one in the middle there, the support for searching and indexing using Azure Resource Graph. If you're doing any kind of alerting and you wanna make sure that's the, through either logic app or log, Azure Monitor logs alerting, all of those queries will also address those Arc-enabled servers. So it's one more way to make yourself and your team aware of events that are happening. So that's a really big one for me as an operator. I think the biggest advantage I see there is when you are doing your own internal compliance and auditing checks, and depending on your industry, or just your own company policies, pretty regularly, you're gonna have to make sure, hey, let's index and query our own server estate and make sure that everything is up to date. We've got all of the latest policies and things like that installed on those. And if you're doing that, particularly maybe you work in financial services or healthcare, and you've got laws requiring you to do those types of compliance, this makes that so much easier because you all have one place to do that. Yeah, Keith, I don't know if that ever happened to you, Nate, but for somebody who's been in operations and I'm gonna age myself here for almost 30 years, you deploy a number of servers and you're running workloads over top and you've got it in multiple locations for load balancing or whatnot. Right. But there's always that one location or that one set of servers. That's not quite the same as the others. Right. And then you end up with an error or with some issues and you start wondering what the hell is going on, that compliance and that policies that you're just mentioning, the way to inventory and search and index, all of that kind of like pops those out to... Aging myself with the Hotmail account. Yes, Amy, I have aged myself with a Hotmail account but I've had it for so long, I'm not willing to let it go. Well, here's another good example too. 
Maybe folks earlier in their career can identify with. Let's say you query your server estate to make sure you're compliant and this one server pops up that was made in like 2008. You have no idea what it was. The person who deployed that server no longer works for your company. You ask your manager, hey boss, what is this? Can I turn it off? Should we shut it down? They go, no, no, no, don't touch that. We don't know what it is, but we don't wanna shut it down. We say, okay, well, at least I can write some policies and make sure it fits in our compliance even though we have no clue what it is and we're too afraid to turn it off. That scenario comes up every time we're looking at migrations. Right. And I've developed a very easy process to identify the owners. Yeah. Yeah, you unplug it from the network. Don't shut it down. Right. Just unplug it from the network and wait for somebody to scream. And then you say, ha, ha, that's yours now. There we go, there we go. That's always a fun game. Yeah. All right, let's move on to our demo. Yes, yeah. I think you're gonna pull up how we can use tags, inventory, access and extensions for Arc-enabled servers. Now that we've already in our first demo, we put the server into the portal. Well, let's see if we can use those great management capabilities. Yeah, so Laurent, the management demo, there we go. So when we're looking at our environment, so now I've got my demo environment, I've got a resource group here called demo one. And in it, I've got a whole bunch of different machines. This is basically my hodgepodge demo environment that I run on the internet. It's got a whole bunch of different virtual machines. But now if I really want to just section it and making sure that I can see just the Arc server and the other VMs, I can see that I have three there for VMs and then two Arc servers. Or basically just servers that are Arc-enabled. If I click on one of them, I see all of the capabilities that I can do with it. 
But the tags is what I wanna show in this one. By clicking on the Ottawa, because that's where my office is, I see all of them. If I see country Canada and I had a whole bunch of, it's one more way that you can group and manage your environment. And also the access. Right now I'm the owner and because I own this subscription, so that's good. But as I mentioned earlier, I wanna make sure that my boss, Rick, who may or may not be online right now, has access to view everything, but I don't want him to actually be able to touch anything because he's notorious for breaking things. So I add him as a reader to my environment. Of course, if you're setting up everything like that in production, always put a description so that you know what it is for and the next time you look at it. And then you add the role assignments. And now if you were looking at role assignments, we'll see that it has actually been applied. So Rick would have access to view everything, but he's also the owner of the subscription too, because he pays for it. But just for the sake of demo, he is now a reader in our environments. You can see all of the documents, all of the logs and everything for that machine, but just can't change anything to it, can't change any configuration whatsoever. We also have extensions, because now we've installed the management extension or the original instruction for Arc, but through it, I can now install other extensions. So for example, the Log Analytics extension where I will just set, okay, so install that agent, connect it to this workspace ID and I will give it a key. And even if you guys cut and copy that extension, it no longer exists after I recorded this. So security is taken care of. It deploys, it takes a while. So I've sped up this video so that we can get to the end because sometimes it actually sends that, it waits for the agent to pull up, grabs that task, which has deployed this agent with these configuration, downloads it, executes it and then reports back. 
And in this case, it's just done that so I can go to the agent and I can see now I have Log Analytics connections to that servers where I could configure what logs I'm gonna get and where I'm gonna get all of that information and so on, but that will take a while for that information to actually go up. If I go back to my extension, I can now see that the MS monitor agent has been installed. And of course, Log Analytics, once you've got it, you've got access to Kusto queries against all that information. And there's a bunch of predefined queries that you can log on. So Laurent, can we go back to... So that was it. It was a very quick demo, rapid-paced where easily organize your machines into resource groups. And resource groups are nothing but a logical collection of resources that share the same life cycle. So for example, if you've got an application that has a front-end middleware and back-end and you're connected to and it has other management parts that are connected with it, you could put them all into one resource group so that you know that that resource group is all connected together. Right, and I wanna get to one of the questions that was in the chat here that came up. So the question was, laws in different countries, especially for financial apps, insist on local cloud providers. So installing the Arc agent on the on-prem servers for managing it will not cause any privacy issues. And I don't wanna commit to knowing the unique law of every single country. However, I will say that financial services is one of the biggest reasons to use Azure Arc if you're dealing with local residency or regulations because the data that you're keeping on-prem for your customers, your financial information doesn't get sent up to Azure, it lives on-premises. But you're able to get the Azure management and governance and security capabilities brought down to that on-premises server via the Azure Arc connected agent. 
One kind of great customer example I can think of that's on our website. You should go watch the video or maybe Laurent can post it in the chat is the Royal Bank of Canada. I think they're one of the largest banks in Canada and they use Azure Arc for their entire on-premises estate to maintain compliance and ensure that they get the best of Azure and things like Azure Monitor and they can group all of their VMs and servers wherever they are, but they keep all of that data on-premises in their own data centers because they wanna protect that. Yeah, and the Bank of Canada is like the Federal Reserve in the US. So it's the central bank and it's tied, it's arms length to the actual government, but it is considered government and government of Canada has a compliance regulation that says that government data must reside within the Canadian border. Right. So it applies to that. Yeah, absolutely. So these are some of the Azure VM extensions that I think we just talked through, but things like Azure Key Vault synchronizes certificates from an Azure Key Vault instance to the Azure Arc-enabled server. That's a great one. You can get Microsoft Defender for servers for assessments and vulnerability scanning. And I think we wanna keep moving through to make sure we have time to get to our last few demos. So I'll kind of churn through these slides, but one of the big ones for the management and governance is Azure Policy. So Azure Policy, if you've got stuff running in Azure, you've probably used Azure Policy and it's a service that manages and evaluates the compliance of their servers running in Azure. That same policy is now brought to your on-premises or multi-cloud world. And so it uses, the way policy works is it uses declarative rules based on properties of target resource types, including your Windows and Linux operating systems. And so administrators can apply policy assignment to resource groups, subscriptions, or management groups. 
So that's why when you group your Azure VMs or your Arc-enabled VMs into resource groups, you can just apply a policy to that entire group or to an entire subscription if you wanna do it that way. And so policy makes your auditing and your compliance just so much easier. Yeah, and it's very flexible because management groups, you can like pick and choose different parts of different subscription, for example, to be in a management group as long as it's in the same hierarchy. Right, I think some common maybe policies we see or you can identify Arc-enabled servers running Windows that are not joined to a specific Active Directory Domain Services domain, that will really quickly help you reveal which ones need to be connected properly to AD or you can identify servers without the Log Analytics agent installed. So you can make sure that you can properly query all of those servers. So lots of possibilities. I mean, any policy that's running in Azure can be run on an Arc-enabled server as well. Yeah, I really like the one that's, which everybody should have applied to all of their machines is the one that basically forces you or identifies servers that don't have tags. Right. So you can go back and put the appropriate tags on them and the tags can be like who's responsible for it. So you don't end up with that 2008 server that nobody knows who's supposed to be taking care of. So policies can be very pragmatic and can be very like compliance based regulation. You can use them to fit your needs. And here's a great visualization kind of of how a lot of these work, right? So your governance and your compliance are critical to your business with kind of that cloud operating model. And so with Azure Policy, you can set guardrails, you can do enforcement and you can ensure that everything's working together. So all of that stuff, which was typically available in Azure, now through Arc can be brought to your various environments. 
Yeah, and I like the fact that the policy can either just show you what's wrong or can actually have remediation attached to it as well. Right, absolutely. Cool. All right, I think this, we covered this, but why don't we show, if we wanna talk about how you can assign Azure policies to Arc-enabled servers. I mean, I think the great thing is you can do it all from the portal and very easily. Once you create a policy assignment, you'll be able to review the outcome of that policy evaluation on those target Arc-enabled servers. So when you create a policy and assign it to a certain resource group or a management group or even maybe your entire subscription, it gets applied to those Arc-enabled servers. Yes, and we do have a demo for that. Oh, great, let's pull that up. Okay, so Laurent, the Arc policy server, yes. Let's wait for it to start. So if I'm looking at that same demo environment, I can look at my server 2019 and I can go to policies. I can go through it through the machine or through the top for policies. And then I can assign a policy and then that's the scope we were talking about earlier where you can say to a specific resource group to a specific tenant or subscription. In this case, I'm only applying it to my demo environment. Then I can actually exclude certain sessions from that. And then I pick a policy and this one, I wanna have the guest configuration policy for Windows. And I apply it, I will in production put a description that is something that will tell me why we applied to this policy and review and create and then create the assignments. Now the assignment basically identifies which machines are going to be part or that policy is gonna be applied to. It will take a little bit of time to actually start reporting. So if I look at that and I'd say the guest configuration extension is installed, currently I am not in compliance whereas not started because the machines, as we mentioned, the Arc agent are polling to get that info. 
So I'm gonna add the same policy or the policy, the appropriate policy for my Linux box using the same scope and exclusion and the policy definition I'm gonna use is the guest configuration for the Linux machines. So a guest configuration enabled for on Linux VMs. I'm gonna select. Now, once those policies are assigned and the agent on each of those Arc-enabled server, poll the system and say, hey, do you have a policy for me? That policy will then be downloaded and applied to those machines. So right now it still says compliance state has not started because it will take a little bit of time for that agent to actually get the information, process it and then report its sessions back. But earlier, we talked about patching and you can enable other services. I just wanted to take in that demo because I was already there to show you that I enabled it a while back, but now if I go back to my update management, I can see that I am in compliance but I am missing four updates on that Linux server and they're not critical or not security. They're probably just like fixes and stuff. So I can at that point either leave it as is or I can actually schedule a deployment for that machine. That was it. A policy applying policies to those machine is really, really simple. Configuring those policies is based on what you need and what your company legally requires. So be sure to talk to your lawyers and to your management as to what you need to actually deploy. Absolutely, Pierre, do you wanna talk about DSC? Yes, so DSC, we talked about this a little bit at the beginning, so desired state configuration which is a PowerShell kind of service where you implement a declarative state. So you tell those servers under this particular policy, the DSC policy must have IIS installed, must have this installed or can't have this installed. And then it runs and evaluates it constantly and then if it finds that the service IIS for example is not there, then it'll install it or turn it on. 
If it's there, but it's not supposed to be there, we'll turn it off or remove it. So it's a combination of PowerShell scripts and operating systems features that are surfaced up through Azure Arc-enabled servers. So what you do for your VMs in Azure for DSC, you can extend to your servers on-prem or wherever they may be. And then lastly, we've got Azure Automanage. We talked on this earlier as well, but Automanage, which is still in public preview, is the ability to automatically bring all of these great Azure services to your virtual machines and automatically enable them so they will just run. They'll manage drift and correct drift and it's detected. And you'll also in public preview is the ability to use Azure Automanage for your Arc-enabled servers. And so if this is something that you're using in Azure and you wanna bring it to your Arc-enabled servers, know that you can do that. And there's some great capabilities like insights monitoring, update management, guest configuration, Log Analytics that you can bring to your Arc-enabled servers all through Automanage. And that's something we're really excited about. And I think that also brings us to our knowledge test. So as we finish up this portion of the learn module, let's get to our first question, which is, which VM extension can the administrator add to Azure Arc-enabled servers to start monitoring it with Azure services? Pierre, what do you think here? That one, like the Qualys extension allows for monitoring mostly on the Azure Defender, so on the security side of things. But I think in this one, it's probably more on the Log Analytics part because Log Analytics is a dependency to Sentinel and Defender because you actually need to get the logs before you analyze them and see if there's vulnerabilities, correct? That is correct. Yes. As Amy would say, X gets the square. All right. 
And our next question, what can the administrator do in order to audit change, in order to audit changes the state of operating system of Azure Arc-enabled servers? Do you think you would check advisor, search through the activity logs in the portal or apply the Azure Guest Config face policy? Well, in a way you could do all three. In a way you could do all three, but I think in this point, because we're really thinking about the state of the operating system of those machine that we would be looking at the Guest Configuration policies. That's correct. All right, we've got one second left and let's get to it. And so what are the security and monitoring capabilities of Arc-enabled servers? And I just wanna talk about why hybrid and multicloud security is so top of mind. I mean, I think it's no secret that innovation in all of our apps and databases and things that we're developing makes it really hard to have a secure landscape. And we're facing, I think everyone has read the news of just the unprecedented attacks that are going across different companies and the amount of ransomware out there. So security tools are somewhat disparate as well and aren't well integrated into the DevOps lifecycle resulting in patchwork security. And so all of this adds up to just this overwhelming noise making it really difficult to actually pinpoint the complex threats from a massive influx of security signals. And so that's why having a simple secure tool and provider for your hybrid and multicloud I think is really important. And there's kind of three scenarios that we hear a lot from customers. We need security for our hybrid identity for our cloud posture management and protection and our analytics. And this is where Azure Arc can come in. And so you can bring the best tools from Microsoft like Microsoft Defender for Cloud or Microsoft Sentinel into your hybrid data center, edge, multicloud environments and a really, really comprehensive set of security. 
And so, yeah, do you wanna go ahead? No, I was just, I was gonna say on-prem there are a number of different tools that you can use. But one of the greatest things about this particular set of tools and especially in Sentinel is the way the AI that's built into the product that could analyze all of the information that you're getting from those multicloud and data center and edge devices to actually pinpoint where the attack may be coming from or that's progression through your system. And if you don't have that visibility, if you don't have that capability of those machines on-prem or wherever they may be that reports up that information, there's a blind spot in your environment that this Azure Arc can actually fill. Right, absolutely. And again, it's bringing the power of the cloud into your on-premises estate. And in this way, you can have one service for all of your Azure applications and for your Azure Arc applications that are running on-prem. So what are the security and monitoring capabilities of Arc-enabled servers? Well, I think we're talking through this right now and we'll get into going deep on Defender and Sentinel and things like that. So Microsoft Defender, what are the benefits of Defender for Cloud in a hybrid scenario? Let's look at this kind of great Defender slide that we have of what Defender can really do. And so Defender for Cloud is a tool for posture management and threat protection. And so it strengthens the security posture of your cloud resources with the Defender plans and it protects workloads that are running in Azure, in your data center, in other cloud platforms. And so what it does is it hardens your resources, tracks their security posture, protects against cyber attacks and really sums things up in some of those really helpful tools that are in Defender, like Secure Score to let you know, hey, there are some potential weaknesses that you're gonna wanna address in these areas. 
And you can use that to continually improve your score. Pierre, how have you seen Defender and Secure Score used to help customers understand their security environment better? Well, Secure Score sometimes is misunderstood. Yeah, it's not something that executives will meet at the, on the golf course later and say, my Secure Score is like 575. Oh, yours is 800. Oh, you got me beat. No, because it's a score that is dynamic based on how many resources you've deployed and the attack plane that they's surfaces may have. So the more resources you deployed, the more your score can be. And say if it's 500 on a possible 800, that means that there's 300 points, not necessarily 300 items, that are areas where you have an opportunity to increase that security, to cover all of those potential entry points. So by Microsoft Defender for Cloud, because it continually assesses and secures your environment, the Secure Score will come up and you can see that what your changes are, you've done actually apply and increases your score, which means it's not, you're just more secure than you were the last time you did. And there's a question on Learn TV that kind of lines up with that where it says Azure Arc seems to be focused on management and governance, but what about deploying application to multiple servers? Yes, you can deploy multiple application to multiple servers. It's not a deployment like SCCM would be where you could deploy applications to it, but it can facilitate deploying applications and or configurations, which configurations deployed to all those servers actually help with your security, making sure that you're all configured the same way and so on. So it helps you identify and defend your environments. Yeah, and so kind of making this a bit more real is you use Azure Arc to bring the abilities of Defender into your on-premises or multi-cloud estate for threat and vulnerability and management or that vulnerability scanner powered by Qualys. 
And there's so many great features that you can look into. So if you are in any environment where you're thinking, hey, we really need to streamline our security, we've got all these different kind of tools that we are trying to patch together that we think cover us, you should definitely check out Defender for servers because it's a huge benefit. And that also leads us into kind of the pairing that we see very commonly is Microsoft Defender for Cloud paired with Microsoft Sentinel. So Pierre, do you wanna tell us about Sentinel and how it works and how customers are using it? Well, Sentinel is a SIEM. Basically, it's a security, it basically uses AI to analyze the security of your environment based on the data that it's collected across all of your machines. So if you're collecting data at scale, meaning from all of your VMs, from all of your services, from all of your environments, the more you feed it, the more it can more precisely give you environment into there's an attack has been detected and then you can investigate and say, well, it's been noticed here, but if we can drag it back to where it actually initiated, which was like a phishing incident or so on. So it allows you to detect through that collected data, investigate the event itself to see why it happened so that you can make changes to one your policy to user education or all of the above and then respond rapidly to those events as they're occurring. So that's the strength of Sentinel is because it covers those four major points giving you a great insight into your security posture. And this sounds like a Sentinel Learn Live, but all of this is only possible because Arc-enabled servers are sending that information back up to the Log Analytics, which is then analyzed and looked at by Microsoft Sentinel. Yeah, absolutely. It's that bird's-eye view across your entire hybrid, multi-cloud Azure estate. And then I think the last big thing of our security and governance is Azure Monitor. 
You know, Azure Monitor, one of the most widely used tools is it's a centralized dashboard for monitoring all of your servers. You can see, you know, the networks they're attached to, you can identify its name, OS version, build, you can do alerting, log collection, and log analytics. And so it's just this insanely comprehensive solution and responding to telemetry for your cloud and on-premises environments. And I think that for, there's really three key capabilities that we use Monitor for. And so it's metrics, monitoring and metrics visualization. It's querying and analyzing the logs, like diagnostic and telemetry, and it provides deep insight into the monitored states of those systems. And last one is alerting and remediation. So alerts notify you of anomalous conditions and you can configure them to automatically initiate a corrective action to remediate the issue that resulted in the alert. And so if you've got, you know, a server that somehow drifts on-prem, maybe it's one of those old servers we talked about that you have no idea what it does and you're too afraid to unplug. Monitor, you can set up configuration states. And so if something does drift, it can automatically be reverted. Yeah, one of the great things, and I'm going to be going a little bit off script here and Laurent, you could switch to my shared desktop. I've kind of opened a screen, because you mentioned like what some of the things that we do with monitoring. Monitoring allows us, as you mentioned, to find all of the information. But I love the fact that if I'm looking at my Linux machine, for example, and I go to Insights, Insights will look at all of the data that that Log Analytics agent has brought up. And now I can see my Linux 01 machine, but I can see also every port and every other machine that it's talking to. So I can say that on port 80, it's talking to, can you connectivity check for Ubuntu? Okay, so I know that this is secure because it's just really checking for updates.
I can see that over port 53, which server it's going. So I know that, okay, so this is my local DNS server. So all right, I know I'm not being, I don't have a DNS hijacking attack going on. Over port one, two, three, and so on. And I get all of the log events of that machine, all of the alerts, if I've got any alerts configured the connection, and I can all see what the changes have been in that machine over the past little while. So if something has changed, look a major service has been turned off manually, that would be a change. And I can investigate that change from that environment then all of that is possible because Azure Arc enabled server is sending the data that we have in terms of the metrics and performance of that machine and logs as you mentioned up to a Log Analytics workspace that is now part of Azure Monitor and Azure Monitor is surfacing up all of that great, great information. Yeah, absolutely. Well, I think Laurent, we can go back to my slides because that brings us to the end and into our final knowledge check. And so let's check in on what we learned and how we're doing. So what's the simplest method to identify the operating system of an Azure Arc enabled server? So we can integrate the server with Monitor and run a Log Analytics query. We can use Windows Admin Center to connect to each server or we can use the Arc enabled servers blade in the Azure portal. What do we think here, Laurent or Pierre? Well, I think you can use all three of those. So that's the nice thing about Microsoft questions is that there's always a bit of an ambiguity here, but in this case, the easiest way is to use the Azure Arc enabled server blade. So you see all your servers and the OS they're running. Yeah, absolutely. And that's exactly what you showed in all of your demos, how you can use the portal to see your Arc servers wherever they're running as soon as you get them up there. Yep.
And what's the primary Azure Monitor related benefit of Azure Arc enabled servers compared with your non Arc enabled servers? I think you can capture diagnostic logs, generate alerts or you can deploy and configure the Log Analytics agent via the VM extensions. Well, I think C makes B and A possible. Exactly. Right, you can't get the logs unless you have the Log Analytics agent via the VM extensions deployed. It's like a chicken and the egg thing. Yeah, absolutely. Well, this brings us pretty much to the end. We talked today about the characteristics of Arc enabled servers, the core capabilities and our core management and governance scenarios. And so we really hope that you've enjoyed seeing all the benefits of Arc enabled servers and there's tons more on Arc enabled Kubernetes and governing your Kubernetes clusters that run on-prem, Arc enabled data services, Azure Stack HCI. And so for more information and things that we talked about we really hope that you take the Learn module on Arc enabled servers and we have tons of resources that you can go and check out and look at. So be sure to take a look at the Learn module and reach out to us with any questions that you may have. Yeah, and keep an eye on the Learn Live page for the rest of the Azure Hybrid Cloud Study Hall series. Yeah, absolutely. Well, thank you all so much for joining. We know Build is coming up. We've got these other Learn Live study halls coming up. So so many great things for folks to sign up for, learn more and continue to scale up. All right. All right. So I'm Pierre Roman, Cloud Advocate at Microsoft and... Nate Waters, Product Marketing Manager for Azure Arc and Microsoft. Thank you all so much. Yeah, and Twitters are just here if you wanna get with us. Absolutely. Thanks for joining us, people. And have a great day. See you around.