Good morning. Good afternoon. Good evening. Maybe you're up for a midnight snack, but welcome to episode five of the Live Learn Azure Hybrid Cloud Study Hall. It always gets me and we're going to plan and deploy Arc-enabled servers. My name is Amy Collier. I'm a Senior Cloud Solutions advocate at Microsoft, and I'm so excited to have John join here with me, a super big time MVP. Thank you very much, Amy. It's great to be here. If these are the introductions, I'm a 15-year Microsoft MVP and heavily a fan of Microsoft Management Technologies. Yeah. Your enthusiasm for the Arc platform itself is contagious. I'll have to say that. Thank you. We're warning people, I'm going to get excited. That's good. We have live demos. You can follow along with us. You can scan that QR code or go to https://aka.ms/learnlive-20220428A. Join us. You can join the chat on YouTube and Twitch today, I believe, to ask us any questions. We also have a great moderator. Say hi to Michael Godfrey. He's another Senior Customer Engineer from Microsoft. Thank you, Michael, for helping us out. Let's see why my slides are not progressing. Come on. Again, we're going over the plan and deploy Azure Arc-enabled servers at scale. It's part of a series. You can go back to the introduction to get started. We're excited to have you with us. You can complete the exercises as we go along, as John shows them, or you can come back and watch on-demand. Again, there's the URL and you can scan the URL code to join in. Then we're also going to have a poll of the questions, so you can interactively answer the questions with us, make sure we taught you well. If not, you can throw tomatoes at us, but hopefully you learn something from this session.
What we're going to go over, we're going to understand Arc's built-in supplemental security functions because now you're enabling servers that are maybe on-premises or in someone else's Cloud, and now you're bringing Azure functionality to that. What does that mean? We're also going to evaluate different deployment avenues. John will show us deploying to one server versus deploying to many. That'll be really cool. Then best practices for Arc-enabled servers, like governance, policy, RBAC, anything you want to add, John? Yeah, we're going to do an end-to-end demonstration of the at-scale deployment. While we're going to touch on doing one at a time when we'll acknowledge that, that was the topic of the session the other day, and we're going to dive right into the at-scale. We're going to have a deep dive in that. We're also going to have fun at the end. We're going to be crafting an Azure Monitor Alert to let us know when our Azure Arc servers go down, or have a problem communicating with Azure. Great. Sounds fun. Can't wait. Our introduction, as it implies, Arc bridges the gap between your on-premises and Cloud environments, bringing you that single pane of glass, and allowing you to use the Azure platform like Sentinel or Azure Blob Storage, bring those services closer to your on-premises or other Cloud environments. The thing that gets me excited, and I added the comment on this slide about the premise of Azure Arc being compelling, and it's the why of Azure Arc. For me, it's the economic appeal. It is the unstoppable appeal of Cloudy fundamentals like on-demand, user-directed self-service, granular chargeback, pool resources. Those characteristics of Cloud computing that have enabled the Cloud to thrive and grow and become a dominant force in computing on our planet. Azure Arc is saying, let's examine the management technologies that are part of that, and let people take advantage of them.
The next almost could have been predicted, as Cloudy technologies move ever outward and ever upward in the IT stack. Those methodologies that are themselves Cloudy, or rooted in those Cloudy principles that are efficient and economic and scalable and secure. It's not just a gimmick. Azure Arc is an outgrowth of the unstoppable forces behind Cloud computing. I tell my customers to acknowledge this and to start as rapidly as possible to migrate to Arc-based methodologies which are emulating Microsoft's proven hyper-Cloud, hyper-scale management techniques, emulating them and using them on-premise in your smaller environments. But even if you have 1,000 servers, you don't have any servers as Microsoft have a 10 million. I don't know, but Azure works at the multi-tens of millions of scale. If you have 10 servers or 100 servers or 1,000 servers, if you manage them the same way that Microsoft is managing its tens of millions, you're not going to have to invent any wheels. You have to take very little risk, so that's why I'm really excited about the program. Yeah. As we've seen, no one's picking one Cloud or staying on-premises. I have some servers that have to stay on-premise because of my data has to stay here or we're just not ready, so Arc really enables you to at least bring those Cloudy services like you said, I like that, to your on-premises networks, and also utilize that security functionality that, yeah, Microsoft has put years and years, you have teams looking at defender and you have Sentinel and to bring that all together for your either other Clouds or on-premise servers. It's like, that's amazing, so it's great. I love it. Yeah. This is the next two slides I added, because actually I just wrote a book on this topic. Azure Arc, is there's a book available co-written by Microsoft Steve Buchanan? I think you have a copy of it. I don't even have one to hold up, but this drawing is from the book and illustrates what you're getting with Azure Arc. 
Azure Arc is essentially free. It's officially totally free, but there's often microcharges, sometimes even just a few pennies a month, associated with collecting the data, but it's essentially free. With that essential free, you're getting all the below the iceberg stuff in this picture. All of that is taken care of for you. Who doesn't want to worry about 60 percent fewer of your core requirements and offload them to Microsoft for essentially pennies. It's an exciting time to be involved in management because for the first time in a couple of decades in some people's careers, there's a chance to refactor monitoring and management in a transformative way. Right. No, that's great. Yeah, it's actually exciting. It's weird to say that, but it's exciting. Steve, I apologize. Wow. But yeah, now you have governance and policies in place and you don't have to worry about it. I always hated that part on the customer side. Let Azure help you with that and with policy and updates. That's great. I think the next slide is the second of two illustrations that are mine. This slide shows what we're going to be showing in the demos and talking about graphically. The Azure Arc agents at the bottom and center, that represents a computer or an AKS cluster running anywhere. You mentioned on-premise Amy, but I'm also seeing a lot of cross-cloud, a large customer that may really enjoy Azure and have a large estate there, but they happen to have some apps that run in Amazon. They have 60 servers in Azure, but they have an eight server app that's running in Amazon. In addition to whatever else they may have, and Azure Arc lets them see all those machines, all those virtual machines, all those workloads in all the places, and Azure in their on-prem. If we get a chance to talk more about Azure Arc for VMware, for private Cloud, so that it's just an ever-expanding story of bringing into the Microsoft Management umbrella all of your workloads wherever they are. 
Yeah, I like to call that magical single pane of glass where you can just look in and you see all your servers. It's a cliche, but it's the truth, right? It's finally happening. It really is, it really is that. You know what we do instead of saying single pane of glass, we say source of truth. That's another spin on it. So we have our servers wherever they are, and the first thing that you see in this diagram is policy. You see two initiatives acting on the Azure Arc resources to do stuff, and we're going to do a deep dive into policy. It's going to be one of the first things I show you in the demo. We're going to have policies that act on our Azure Arc servers and the policies tell the Azure Arc servers to do things. And the principal functionality in Azure Arc is, and this is a takeaway for everybody in this session, is if you have to think, we'll describe in the elevator pitch technically, what is Azure Arc? It's Azure policy using the extensions method to install software and configure machines. So what is an extensions method, again, you're going to understand that intimately here in a second, but it is a feature of both the Azure Arc agent and a feature of the machines that are in Azure. So for over a decade, all of your virtual machines in Azure have had a thing called extensions. You may never looked. If you have Azure VMs and you haven't poked around, maybe you never looked, but there's a feature called extensions that have always been there for Azure VMs and it's an out of band communication method that the Azure control plane, the Azure resource manager control plane uses to communicate with the machine to install and configure management utilities. And the genius behind Azure Arc is that there's a little piece of software. Again, we're going to see it in the demo and the little piece of software that you put on your on-premises server emulates the extensions management capability that your Azure VMs have. So the policy says, hey, you're an Azure VM. 
Hey, you're an Azure Arc server. I don't care. You're a Windows computer. I have this policy that says, Windows computers need to have this and this and this. And it works equally on your Windows servers wherever they are in any cloud at any scale. Right, and Linux, right? Absolutely, we're going to see the four populations, Windows and Linux in Azure, not in Azure. Those are our four populations of servers and we serve them all equally and extremely well. So returning to our diagram, we have our Azure Arc servers. We have policies that install solutions and agents and that in the upper half of the diagram, we see a Log Analytics agent. We see a Log Analytics agent reporting to a Log Analytics workspace that has Azure Automation solutions installed like update management and change tracking, right? And we can connect to Azure Defender for Cloud and Microsoft Sentinel and all the security stack as well. And I believe that so this diagram shows that we're attaching at the security side and at the monitoring side to our Azure Arc servers wherever they are and then doing stuff. And that's Azure Arc, right? Right, we're bringing the Azure goodness to you, wherever you may be. So thank you, those two slides were my personal contribution to establish relevance. This is a big strategic thing and to start bridging the gap between concepts and actual things, actual software artifacts which are demonstrated by this slide and we're going to see in the demo. Right, and it's really important for people to realize, again, you might not have a cloud migration policy but you can still utilize Azure's power to manage your on-premises servers or so it could be that first step into cloud for you if you're still rolling on-premises, yeah. So when you brought up, again, the Microsoft, you can have a business requirement to use, for example, Amazon.
You can have a business requirement to use it in some way but that doesn't mean you can't benefit from this world-class best security solution that we're talking about today, right? You don't have to choose between Amazon's and Microsoft's or Microsoft's and somebody else's. You use the one that you like which is if you're a Microsoft customer and you like the solution, it doesn't matter where your workloads are and so you're actually then more free to site those workloads on other things like cost or function and fit. And as far as staying in your single pane of glass, you achieve that. Yeah, it's exciting. So we'll go on, I actually added this slide here. So, but we've reiterated, really exciting. But yeah, you're getting that single control plane with Azure Arc, whether it's just infrastructure or services and then it's bringing you closer to those Azure services like you already said, Microsoft Defender for Cloud. Or I guess if you're actually using it on a server though, would it be Microsoft Defender, the other agent for a server? I don't know. Well, actually, okay, Defender for Cloud is the parent and then there's workload protections. There's 10 or 12 workload protections and the one that's relevant to Azure Arc servers is the workload protection for servers. So it's sometimes abbreviated as Defender for Server. Okay. But I think its official long name is Defender for Cloud Workload Protection for Servers. We like the long name. That makes sense. That's good, because it comes up all the time, the security options, you know, and is my data secure. And as we'll learn, the Azure Arc agent only sends metadata up to Azure. You're not sending data, data across the public internet. So you are secure. And then, oh, what happened? Here we go.
Again, just another reiteration of you have your Azure Arc enabled infrastructure and then you can go out and use enabled data services and machine learning and the app services, function apps, whether it's on premises, VMware, Google Cloud, AWS. And then bringing in, again, I've always been brought up with having to have consistency and governance and security. So change control, role-based access controls, you know, group policy, you know, resource groups. So it's bringing, again, all that power into one consistent platform. Well, we kind of touched this. But here we go through the module. What is Azure Arc enabled servers and its capabilities? And we mentioned you can use Microsoft Defender for Cloud to improve your security, Microsoft Sentinel for threat intelligence, anything you want to add to that, John? Well, I just, I want to say that we are gonna, an objective that Amy and I have during this 90 minutes is to go through the learn module, right? So this, we're gonna pay attention to the eight modules in there. And we're gonna make sure that we touch on the content on all of them. For some of them, we'll have more chat, we'll have demos or peeks at the features. And others will, we may not have content on, but we'll make sure that we talk about them. So you'll know to go research it further. You know, the objective of this whole series, you know, is about learning. And I like learning, so, you know? And I just want to say that, you know, although we've been chatting, we've been free associating. Now, Amy, I don't know about you, I'm gonna have my eyes down on, you know, what we're supposed to communicate and make sure we get it out. In terms of what an Azure Arc agent is in terms of its capabilities, we've talked about that. And you just, we've talked about it like in three different, from three different angles. And then we're gonna keep talking about it. So the thing that the learn module goes into next is an overview of the connected machine agent.
And this might be the first demo area. Do you have the, can you go to the overview of connected machine agent? Yes. There we go. So there's the, these three bulleted items on this slide correspond to three services and processes that exist on your Azure Arc servers. It's the same number of processes and this essentially the same named processes, whether it is a Windows server or whether it is a Linux server. Linux servers have three daemons. You know, Windows servers, Windows computers have three services. And the three services and the three daemons, they do this essentially the same functions as they're described in this slide. And the, if, you know, the first thing we'll do is I'm ready to show a demo of a, here's, you know, now we're taking that from the slide to reality, we're looking at, we're looking at it as an Azure Arc server. Okay. And so what are those, what are those, what are the services look like? What do the, what does the software look like? So the first thing I think that I'll show you is here in the Add/Remove Programs. So this right here, Azure connected machine agent, that is the Azure Arc agent. A few minutes ago when I was talking about Azure VMs having this out of band communication utility that principally functions through the extensions mechanism. And the Azure connected machine agent, which is the little piece of software that gets installed on your non-Azure servers and turns them into Azure Arc servers. It is this connected machine agent that is doing that same type of communication, that same type of out of band communication with the Azure control plane and then using extensions to get the work done. So when we get into the second big demo coming up, which is the end to end at scale deployment with a script and service principal, the end product of that onboarding activity, it's a script that when you run that script, what happens is the Azure connected machine agent gets installed machine.
So this piece of software that you see in Add/Remove Programs, this is the one and only agent you may ever have to install on your Windows and Linux servers because once your servers have the Azure connected machine agent, all of their other current and future Microsoft agent-based and utility-based functions are gonna come through the Azure Arc agent through the connected machine agent. You will not do manual software installs of all of the other things. An example would be right here, the Microsoft monitoring agent is one of the pieces of software that's installed by the extension method. And in fact, right here, the Qualys Cloud security agent is another one. And the dependency agent is another one. So in fact, today during the demo, you're gonna see fingers crossed everything works. You're gonna see that we install the connected machine agent. And because we have policies in the subscription, in the resource group where we're gonna create the Azure Arc server, the dependency agent and the Microsoft monitoring agent are gonna get automatically installed very rapidly, hands off and show up here in Add/Remove Programs. Even though we didn't actually go and install them on the machine, the Azure control plane did the work for us. So the one thing is to communicate how the software presents itself and what, it's again, you're gonna look for the Azure connected machine agent and then the rest, the other software titles, it's gonna look, it's gonna take care of. And if you installed a piece of software with the virtual machine agent through policy, the proper way to unwind that is to uninstall the extension. If you uninstall the extension and installed the Microsoft monitoring agent inside the Azure Arc server, it uninstalls the Microsoft monitoring agent. You don't wanna interfere with the automatic mode. So that's the one thing I wanted to show you inside this machine. Here's the services view.
Now you'll recall the slide that we were at before we dropped into this demo. It had three bullets on three services that I said on your Linux machines, there's corresponding daemons. Okay, here's the first one of the three. Oh, that metadata, yeah, so it gives identity into Azure, right? So, yeah, this is literally almost exactly what's running in your Azure machines, right? In your actual Azure machines. And then the other two pieces of software are down here under guest. The Arc service and the extension service. The extension service is very important. That's the main functionality, that's main instrumentality of Azure Arc is the extension service. So there you have it. You have the Arc service and the extension service doing work on the local machine and then the Azure metadata service. That's creating that object in Azure that's representing your Azure Arc machine. So there I wanted to show those two pieces of an act. So what is an Azure Arc server? You just looked at one. It has three services and it has some software. One of the pieces of software you installed. The other pieces of software were automatically installed by the Azure Arc agent. And so along the same theme of what is an Azure Arc server, I've pivoted to a view of the Azure portal. And we're looking at the Azure Arc servers blade. So this is a list of servers, Azure Arc servers. And I've got one enabled, post one. And that happened to be the machine you were just looking at. This is the actual machine that we were looking at. And you can see in the extensions area of this Azure Arc server, there's five extensions. They all have a success status. And so like, how did that dependency agent get on that machine? How did that Qualys agent get on that machine? How did the Microsoft monitoring agent get on that machine? How was that machine connected to Defender for Cloud and getting that built-in Defender for Endpoint protection? All of this stuff was done.
All these extensions were done automatically and by policy, right? I keep talking about policy. When we look at an individual Azure Arc server and we look at the policies blade, we can see the policies applied to this machine. This is the policy, this is the enable Azure monitor initiative that installs the dependency agent and the Microsoft monitoring agent. If we go into the details of this initiative, I was gonna, well, the initiative has 10 policies inside and the 10 policies together cover the Windows, the Linux, the on-prem and the in Azure. So this one initiative that contains 10 policies is a key initiative and we've got this same initiative assigned to the resource group where we're gonna install our Azure Arc server in a few moments. And so you're gonna see this initiative in action on our new Arc machine, pushing those agents, pushing those agents. Back to our, cut just a couple of other high-level points when we talk about what is an Azure Arc server. What is an Azure Arc server? Fundamentally, I'm gonna do something crazy. I'm gonna click on JSON view. I'm gonna, this is your Azure Arc server's metadata in Azure, when we, again, helping you understand what is an Azure Arc server. Well, it's in addition to being a server not in Azure, either a physical server or a virtual machine in your VMware plant or a virtual machine in Amazon. In addition to being that, it is also a resource in Azure. And what does the resource in Azure look like? You're looking at it. It's JSON, which is the language that Azure Resource Manager uses. And basically everything in your Azure subscription, if you didn't know this, is defined by a piece of JSON code. And this is the JSON code for an Azure Arc server. You can see, for example, this is the piece of JSON code letting us know that this extension is installed. Like, again, when we click on the extensions tab and we look at Microsoft monitoring agent, succeeded, installed. How did this blade know that?
Well, it went to Azure Resource Manager and it read that instance of code that I just showed you. And that is the Azure Arc server in Azure. It's a piece of code that represents a server abstracted from the actual server wherever in the world it may be. So that's another answer to the question of what is an Azure Arc server? So, you know, some other things that we, well, it's a securely managed server. Defender for cloud, Defender for servers turned on. Look, I have complete integration of Defender for cloud recommendations, findings, incidents, if there are any here on the blade with the server, exactly as you would have for an Azure virtual machine. That's really cool. So that's what an Azure Arc server looks like. So it's the agent to deploy all other agents. I like to say one agent to rule them all. It's been said before. It's an actor. Darn, I thought it would be the first. So why don't you, we've got a slide. If we go back, Amy, we've got a diagram and then we've got a very nice chart. You want the diagram of the connected machine agent? Well, I mean, it's no, I'm just looking at module two. After the three bullets, there was a diagram. And then a chart. The testing? The unit two of eight, overview of connected machine agent. Yeah, I have that up, yeah. Okay. I'm still seeing my screen. Oh, okay. Hook us up, do I? Thank you. There we go. And maybe the next portion of the document, there we go. Yeah, the overview. It's nice to see which ports it's talking on, 443. Yeah, this is, again, a drill down into those three services. Remember, we had the Azure, we had the services started with the word Azure up at the top of our services list, which was the metadata instance that's actually talking to Azure as an Azure object. And then we had the two guest services. We had the guest configuration service and the guest extension manager. And you can see that the instance metadata service is talking to one part of Azure, which is your Azure resource manager. 
That's where your Azure resource record is created. And then the other pieces are talking to the guest resource provider that's saying, oh, you have an extension to install. You have a job to do. Go and install it. And that all of the, on the right hand side of the diagram, we highlight that Azure Active Directory is providing the security underpinnings of this. And when we get to the next demo and we create our service principal and we assign an Azure RBAC-based role to that service principal, that will be clear. That's what we will be doing. Oh, there we go. I was trying to do the highlight for you. Okay. Let's see some other intelligence from this diagram. When we look at the Azure admin in the upper right hand corner, that it's highlighting different tools, different ways to get into the system and use it. Yes, you can use the Azure portal. You can use the GUI. There's also Azure CLI and Azure PowerShell, which you can run both of them from CommandShell. We'll be using CommandShell later. And then Azure SDK would represent using a REST API to communicate with Azure. So for larger enterprises that are, once you start using this and you realize, wow, I have so much valuable data, so much inventory data in that Azure Arc has collected at low to no cost for me. So how can I use that data? And if you have medium to more advanced skills, it is extremely well-documented how to communicate at the API level with Azure. And you can connect your troubleshooting tools, your ticketing tools, your systems management tools via the REST API. So you have human-friendly, code-friendly ways to access this data and interact with it and use, remember the bottom of the iceberg. You have a lot of ways to use the bottom of the iceberg. That's great. A lot of options for people who are either, yeah, more versed in API programming or people who just want the basics. I'm a click GUI type of person. You can use it too and go through the portal.
Oh, it's a huge difference to competing products because you have the entire universe of Microsoft solutions available, Azure-based microservice solutions using logic apps, function apps, runbooks. It's literally infinite, the extensibility. And it is not a black box. It's not monolithic. You're not at the mercy of any particular app team to get the data you need to achieve the level of visibility and security and control and monitoring that you need. You have very mature tools in Azure to use. Why don't we go into the next section? Let's go into the capabilities area. Yeah, let's go. Okay, so yeah, the capabilities, which we've mentioned a lot. So yeah, the document has like a table. It starts with Azure resource and then Defender for Cloud. Is that in the slides? This one? There we go. I think that, there we go. So this table would represent, remember back to my Visio with the icons and I said the upper half, that represents solutions. So these are solutions. These are instrumentalities and functionalities that are available in Azure that extend down and you fully leverage in the Azure Arc scenario. So the first one, Azure resource, it makes your Windows and Linux servers Azure resources, even if they're not in Azure. And like, why would you care? What is the value there? Single pane of glass. I can now use Azure Resource Graph and Azure Log Analytics queries to return a list of all of my servers or all of my apps in whatever cloud of whatever OS. I can tag my servers regardless of OS or location. I can control security access. I can assess costs, right? All of these are things that come free with snapping into the Azure resource manager model. And it's maybe this is a geeky, this is the geeky part, it's the abstracted part. But it's like when it's bringing, putting all of your ducks in a row so that you can see them all in one row. You know, why would... Your job to manage it, this makes it easier.
That's why it's exciting for me because it'd be like, you know, my boss saying, hey, make sure you have everything monitored, we're not going over cost, everything's secure. Well, you got stuff over here and stuff over here. Oh God, I got to log in over here for, you know, my center. And then now I got to log into Google. Now I got to log into Azure, you know. So you can say to your bosses or auditors, what is your single source of truth? Azure, my Azure resource manager, the templates, the code in my Azure subscription represent all of my IT estate. And that would be accurate. Yeah. Okay, so we've got Defender for Cloud, fantastic, fantastic integration, Defender for Cloud for servers comes, you know, it delivers Defender for Endpoint, it delivers the Qualys vulnerability agent, it delivers adaptive application and network hardening, you know, stuff that, you know, if you enable the, for example, the adaptive application hardening, you know, once you've gone through a learning period and enabled the feature and turned it on, it will act, you know, 24/7, automatically it will block a new app from running, right? And it's almost hands off. You just have to purchase the license for Defender for Cloud and say, I wanna use this feature and turn it on and boom, you've now enabled a huge protection, right? So Defender for Cloud has many, many features and you bring it and extend it to your servers anywhere. This I think is one of the biggest selling points of the whole Microsoft solution right now because, you know, if you're a big IT admin and you have servers in Google and you have servers in Amazon, you have servers in Hyper-V, you have servers in VMware, you have physical servers and you're like, these are huge vectors for malware and bad actors, like what can I do to keep my job? What can I do to keep my company, right? What deploy, Defender for Cloud across all of your resources everywhere, it's extremely credible, it's extremely effective. Yes.
And just adding to your tool set, you already have a tool set, you know, for maintaining your on-premises environment, but now, you know, you're just adding to it with the Azure Arc capabilities, you know, like we're showing with policy and monitor and so you're just kind of adding to your, all your weaponry against the back. Yeah, you don't take anything away from what you have. Exactly, it's not replacing your job, it's enhancing it, if anything, you know. The next two items, the Sentinel and Azure Monitor, you know, that's your security centric and your monitoring and configuration centric solutions for Microsoft, again, fantastic perfect support for both platforms, you know, as at my company, we're a huge growth in part in our company in the last couple of years has been managed Sentinel instances and when we go out to customers and they have machines in Amazon and in Azure and on premise, I mean, it's very rare the customer that has only one place where their servers are, they're almost always a hybrid model and so to be able to roll out, you know, going to the next bullet item, Azure Policy, to be able to deploy a single policy to an enterprise with many thousands of machines in many dozens of clouds, one policy, consistency. It's, I mean, I wouldn't want to do it any other way. Right. Now that I know about this way, Azure Automation is absolutely a huge, I'm a huge fan of integrating Azure Automation with your Log Analytics instance, enabling automatic deployment of the Azure Automation tools. There's one that is free, which is the update management and this is basically every Microsoft customer, big or small, should have this turned on. You know, it is literally free. Well, if you're not using any other services, I'll let you know, we did research on it and it comes out to between 20 and 40 cents a server per month, between 20 and 40 cents per server per month. Wow. To update the server? Oh, wow.
To run, if you deploy Arc and Monitor and the only thing, I mean, you're very careful to deploy nothing else but the automation solution, the just the raw cost to move the digits around is 40 cents a month a server, you know? That's great. You know, everyone, that can then become your updating solution for your company or it can become an out of band check, you know? It can become an out of band check that your primary patch system is working. And like, why would anyone not deploy that? They just don't know about it. That's my attitude as I'm trying to evangelize. That's why you're here. Thank you. That's the good word. So that's, I really like that list of, because like, what do you do with Azure Arc? What do you get from Azure Arc? How do you save money? How do you even save your job or your company with Azure Arc? That's what makes it exciting. And not that it's a free control plane proven at hyperscale, right? No, wait, I, wow, it can like, you know, it can help me out so materially. I like to show that. Yeah, I think, I mean, we're about halfway through our time. So if we want to start getting into the good stuff, like demo. Yeah, let's do the good stuff. Let's do the good stuff. So we're going to test the Azure Arc-enabled server capabilities using an Azure VM by tricking it into not knowing it's an Azure VM. So this is a good way to practice at home if you don't have it, you know, make it out of a band. You don't want to pay for an EC2 instance. You don't have anything on-premises you want to work with. You can use an Azure VM and uninstall agents, right? And then make it an Arc-enabled VM. Yes. We're going to... In a second. The two major things that we're going to demo and thanks for reminding me that we're halfway isn't amazing how the time is going. It does. It goes like fast. Yeah, no problem. The two things you're going to see are the true meat of this module, you know, how to deploy Azure Arc at scale.
And you're going to learn that we can easily get this done in the remaining half. And there's, I'm going to show you, when we look at the learn module, like the most complicated parts or maybe the hardest parts to imagine are the two I'm going to show you. And they are how to take an Azure machine and turn it into a simulated Arc machine. Which I, until I, to be honest Amy, until I prepared for this learn module, I had never done this. I knew about it, but I thought... Yeah, I know it's not supported. You don't want to know. Yeah, I know too much of a purist. I poo-pooed it, right? But it's actually, you guys are going to see it live in a second. It's super easy. It's super fast. It's super convenient. And when you're first learning about Azure Arc, you know, even if you have a private cloud, you know, in your office that you connect to via VPN or whatever, even that's a little bit of overhead. You got to provision it. You got to have your VPN running and everything. You know, and, but you'll put your, do your first learnings the way we're about to show you with, if this makes sense to you, on an Azure VM converted to this purpose. And then it's just super lightweight. You can access it from anywhere. You know, you can start over it when you're done. You just delete it all in two clicks. Right. You have a Windows VM running, right? Yeah, that's where we're starting. We're starting from this machine right here. So this is a virtual machine that has just been spun up in Azure. I've taken care to do absolutely nothing to it. So it's just like you would get, you know, have, if you spun up a new Windows server in your subscription. And if we look at the extensions, I'm hoping it's gonna be blank. It's supposed to be blank. I need, I want, because in this case, we're not, we're not using the Azure VM as a, okay, that's fine. It has one extension installed. Maybe you know what that's for. I forgot the password to this VM, like five minutes before showtime. 
And again, power of Azure, power of the cloud in less than two minutes I was able to recover. And it was using the extension to reset the password. So this extension is gonna be harmless for our demo, but I wanted to show that I don't have a Microsoft monitoring agent. I don't have a defender for cloud agent. I don't have any extensions on this Azure machine because I'm gonna, I'm using this, this Azure machine to just create a Azure Arc Machine and then the extensions for the Azure Arc Machine are what I'm interested in. So I've got a pinhole open for the IP that I'm at in the network security group of this machine. Yeah, be careful. Rod Trent's watching and he's just for security. Rod, are you out there? Hi, Rod. Yeah, Rod said Sentinel's all the good stuff. Thank you. I'm presenting with Rod in Minnesota next week. God bless you. So this little thing here, prompting you to try out Windows Admin Center. That's kind of your tip that this is a brand new machine, right? And so being a machine in Azure, this machine has some things on it that we need to turn off. And there is a link to this website in the learn module and as well as the entire content of this page is in the learn module as well because the key part that we need is this code right here. So we're gonna run these two PowerShell commands in our machine in Azure. So what is it essentially doing? Stopping the Azure VM service? There we go. The first thing it's doing, you should recognize this service, right? We saw it in the services list. Boom. We just disabled it. Boom. So we've disabled it and now we're gonna stop it. You can see that I'm just pivoting, I'm cutting and pasting from the document. That's what convinced me that this is actually pretty easy. Yeah, if we write it for you, just copy paste. And here's the commands in the Linux environment. There's the Linux statement that I referenced. There's its name. 
So depending on Windows or Linux, you choose the PowerShell or the bash code and then there's one more line, which is to block network access to the... Identity agents, because you're gonna install that identity agent through Arc, so it won't get confused. There we go. So you can see this 169.254 address. That's an address that's only accessible from Azure. And this is like a tip. Azure machines and processes use whether they can get to that address or not to let them know whether they're in Azure or not. It's a tattletale. And so we block network access to that and now the machine thinks it's not in Azure because it can't get to that IP. So stopping and disabling the guest agent and then blocking network access from the IMDS agent, those, that's all we need to do. That's all we need to do. But yeah, now it's probably... Now we're ready to install the Arc agent, okay? So that's it. This machine is now, it thinks it's not in Azure anymore. So now let's deploy at scale. And the first thing I'm gonna do is I'm gonna open a cloud shell. I mentioned that, and what we're gonna do in the cloud shell is we're gonna create a service principal. And that's so it won't ask us to log in a bunch of times. Yeah, so I guess, you know, if, let's go to our Azure Arc blade. You can tell it's live at least. There we go. And we are gonna onboard a server. So we go to Servers, Add. And again, I said we were only gonna talk about this for one quick second. And, you know, we did a learn module the other day on this topic. So you can see this happening live and in great detail, the single server method, okay? But we are, and the single server method, what it does is it leverages your credentials as a human doing this. And it has like a three step procedure where you log in to Azure as yourself, as your user account. And then if you have the rights to your subscription to add the Azure Arc server, it happens, right? Within your user name explicitly. 
So that's the difference is that the script that gets created in this one prompts you to log in. We're gonna do the script that doesn't prompt you to log in because you've seeded it with a service principal that has the authority to do it. So, you know, when we, now here's the second article and this again is linked from the learn. And you can see when we, one of the first steps to connecting Azure Arc servers at scale is to create the service principal. We're gonna do that together now. And we're gonna use the Azure PowerShell method. So I've got PowerShell staged to do what's right here. We're gonna do it in the command shell. And again, that's so we don't have to log in and be interactive. We can onboard a bunch of machines at the same time. Absolutely. The script that we're gonna run one time could be run a thousand times. Right, okay. I mean, you couldn't do it one at a time. Okay, so we're running the new Azure AD service principal command. We're giving it a display name and we're specifying this security role. This is a very granular, very low privileged account that can only do one thing. It can create new Azure Arc server records in the resource group that you've given it permission to do so. It can't do anything else. It can't delete them. It can't see where the ones are there already. All it can do is create new ones. So that's, we've now created it and we've stored and we've stored that in a variable called sp. Now if we just type sp, that's gonna return the variable. So there we can see we've successfully created the service principal. Great. Now we need to do, we need to lift the secret out of this, which we can do in this session. Nope, password. Well, let me go look at my... That's why we need the learn module. All right. Is it copying the whole command or it looks like... Well, gosh, I've only done this about a thousand times. You know, we can do it again. Let's do it again from scratch. Okay. Honestly. I'm doing it... Keep time, Ignas. 
If you wanna get all the fun stuff covered, we gotta make sure we're on time. Okay. Yeah, I know. Okay, just, yeah. Okay, so now I've, what? Okay, hold on. This is important to see. This is real life. You might run into this. Okay, what was happening there was running into the wrong command. The wrong way. You're not in your cloud shell. I wasn't in my cloud shell. Yep. There you go. Boy. When you're presenting, it's like you're a little disjointed sometimes, you know? So did our output look like the output? It didn't. I wonder if... We're following the commands exactly from... Azure PowerShell. Yep. Okay. Well, folks, you know, the gremlins have struck. Frankly, our output is not matching the documentation at Microsoft, which is a surprise. Again, I do this all the time, and I'm not, you know, when I do create the role and I return the string, I don't see all this stuff. I only see one line. So gosh darn. Well. So to make the best use of our time, you know, imagine, you know, let's follow through with the online example. Right. And when you do run these commands, you will get the service principal secret. So there will be a GUID, a password that looks like a GUID, will be returned on the screen. So my apologies, I don't know what to say. It could be, yeah, Ron, it brought up another good point. It could be something between the version of Azure PowerShell module installed and the Cloud Shell versus what you might have on your PC. So. I'm not using my PC. This is in Cloud Shell. All right. This is what you might install on your PC. And it worked, it worked two days ago when we... Of course, it worked when, you know, no one's watching. It does work, we promise. Let's go click through the generate script and I'll show you where you would paste the information. Okay. Yes, we promise it worked. It worked. The demo gods are just... I don't feel bad, honestly, because I'm not getting the return that it even says in the Microsoft doc is what you get. 
And I've done this literally hundreds of times. So either something has changed or something is temporarily foobar, right? Right. So we will continue. So when we choose to add multiple servers with Azure Arc, you have a few decisions to make. You need to choose the region that you're going to install them to. You need to decide whether you're going to be using a private endpoint or a public endpoint and almost always you'll be starting with a public endpoint. And it's very important that you choose a resource group. And I pre-created a resource group for our Azure Arc server. And it's generally recommended that you create a new resource group for several reasons is that you want to, you know, the service principal that if we had been fully successful at creating it, we would have applied its security granularly to the resource group that we're going to put our Azure Arc servers in. So that service principal that has the ability to create new Azure Arc servers, we want to further restrict that account to only being able to create Azure Arc servers in a specific resource group, not in your entire subscription. So it's recommended that you scope that to a resource group. And so that's number one reason. And then number two reason is policy. You know, you can see my resource groups. I have a resource group named Azure Learn. That's where I put the Azure VM, the Azure VM that's our simulated Azure Arc server. I don't want it, didn't want it to have policies, you know, but then the Arc group, I do want the Azure Arc server to get software to get policies. So I have policies assigned to that resource group. So I've selected a resource group to be granular in scope security-wise and to be granular in scope policy-wise. And I would need to pick, you know, I need to pick that resource group at the time. Right, and it's good for life cycle management too. You have all your, you know, same eggs in one basket kind of thing. Oh, now, hey, the day has been saved. 
Look, Rod, because I've run this before, it's aware that I've got a service principal there. Okay, cool, so it's gonna work. I don't think it's gonna know the secret. I don't think it's gonna know the secret, but it's gonna generate the script properly. As something I'll note, you know, you're prompted when you create your Azure Arc service to optionally put data center and city stuff in, and some customers find this extremely useful. The data center tag in particular is projected into the Azure Arc console views. And so if you religiously populate the data center tag when you create and move your Azure Arc service around, it'll be very useful, right? Yeah, where is it coming from? Right, just call center, I always like that too. Yes, absolutely. Tech girl, Kristen mentioned, it'd be good for us to troubleshoot why we're on this, but unfortunately we're limited on time. I'd love to troubleshoot, but we have to get through the module. We have about 30 minutes left, so. So I copied the at scale script to my clipboard, and I'll paste it in here. So this is the output, the customized output of the at scale script. So this is the important part, guys. Figure out the service principal. If you, you know, the article that I used as a reference, again, if we connect, this article also has the instructions on how to do it with the portal, right? Right. If we had an extra 10 minutes, we could just create one from scratch using the portal, but we don't have the extra 10 minutes. Yeah, about a half hour. Even if these PowerShell instructions for some reason temporarily are not working, like they are temporarily not working for us right now, your fallback is right there. It's eight steps in the GUI. And the out, so the out product is this script, and the only thing that's missing is the secret, which is only visible at the time that the service principal is created. 
And this, this right here, this line right here is very important for your Windows Server 2016 and earlier operating systems. This line is required for the script to work. It specifies what encryption protocol to be used for the initial SSL session. The information contained in this script, the service principal that you created will have the GUID associated with it and the secret associated with it. And those two parameters appear down in here in the actual line. So this line of code is the meat of the code that will connect your machine, your on-premises or other cloud machine to Azure Arc. And it's got things in it like your tenant ID, it's got critically, the resource group that you selected, right? So that's it, you're done creating the script. And at this point, if I had this value, if I was able to successfully run that PowerShell command earlier, I would have this value and I would save this script and I would pop over here to my Azure machine and I would run that script. I would copy the onboarding script.ps1 file, customized with that secret and I would run it. And I was planning on doing that live today, but you guys can do it on your own subscriptions. And the script will run rapidly because it doesn't require any human input. And usually in under one minute, after running that script, the server will appear in the Azure console as an Azure Arc agent. All right. Should we get on to the planning considerations for a secure configuration? Yes, please. I've lost control of my mouse. I really have, I really have guys. Happy Friday. Why don't you take us back to the, and let's cover what we... Yeah, we're gonna have to kind of fast pace if we're gonna get to the knowledge check. We might have to... All right. So planning considerations for a secure configuration, which you did go over. We have this fake company worldwide importers that are worried about security. So you configure your role-based access controls. 
Like you said, that role that Azure Arc onboarding that was only, it can only onboard servers. That's all it can do. So it's good to know. You can develop an Azure policy governance plan, make sure whatever your strategy is for your company, that everything aligns, and then there's advanced networking options with the proxy server or the private link, which we'll go over for your Arc-enabled servers. Yeah, the private link option, that's if your company has a policy that they're implementing Azure private endpoint and private link across the board to minimize or eliminate all exposure to public endpoints. There is a capability to create a private endpoint for Azure Arc as well. So although the general mode of operation is that every single Azure Arc machine reaches out directly over the internet to the backend of the service, there's also a capability to deploy an Azure Arc private link which would have an endpoint and an Azure virtual network that you're, because if you have designed it this way, your Azure Arc machines will have network level access over private networking and virtual networking to get to that private endpoint. And they can register themselves in the Azure cloud without ever having any network traffic leave the protected and private networks. That's great. So you don't have to worry about any data loss or corruption. Managed identity, we already went through that. So secure identities, policy governance. Again, we have those built-in compliance measures and security controls just to. Bringing all that benefit of the capabilities of the Defender for Cloud to your servers, HIPAA, SOX, HITRUST, CMMC level three, all of those regulatory compliance frameworks can be applied to your Azure Arc servers perfectly. 
I love that because we used to always have to be HIPAA compliant and you always think you have the most secure data center in the world and you know, but we do it at such a high scale that there's so much great security behind you whether you have two servers or two, you know, thousands. So yeah, I would go with Azure. And then- There's our list. Yeah, there's a list showing, you know, global governance there. And then that private link, that's- That's what I- Actually, I jumped ahead. I jumped ahead and that's what I was talking about. Oh, okay, yeah. So the customer that wants to completely not ever use the public internet. There is a solution in this product for those customers. So you just use the Azure backbone, which is high speed and it's encrypted and then you're just talking through that. Yeah, imagine that you have ExpressRoute connecting your corporate enterprise to your Azure virtual networks and you would create a Azure Arc private endpoint in your VNet and then your on-premise servers waking up in their VMware Clouds or the physical servers over your corporate backbone. They will find that route through ExpressRoute up into Azure and they'll register themselves. Great. So yeah, here's a great diagram going over that, the secure networking over the private link. Yeah, exactly. The learn module has a diagram demonstrating that. But we're gonna kind of- The next section we've really covered, the deployments is deploying to a single server and deploying to multiple servers. The key things for the single server is that you have an individual person that has the security RBAC role to add Azure Arc servers, which generally, if you have contributor or owner, if you're an admin of your organization, your account's probably gonna have the on-board Azure Arc server right by virtue of being a contributor owner. But maybe not. 
In a large organization, actually the people to do the testing need to be delegated the right to on-board Azure Arc server to the Azure Arc resource group that they're gonna do. And then the deploy to multiple servers method, it's identical, the script is identical, except that the part that the one at a time script pops up and prompts you to log in, the at scale script feeds it that service principal GUID and password. Yeah, you're not logging in to each server with the local admin root password, whatever it may be. You have the service principal logging everything in for you. Exactly. Yeah, the different methods, does it give the list? Because one, there was one on one. Right, like how you deploy, you can use PowerShell, DSC. Did it have group policy listed? Does not, but you can use group policy. Yeah, that's in the learning module. It's not on the slide. And I wanted to share with people that that's the recommended way that we recommend for large customers. If you have Windows Active Directory and you have a lot of Windows servers, there is a method to deploy the Azure Arc agent with group policy using an immediate execution scheduled task. If you're familiar with Windows servers, have a task scheduler. And there's a way to basically do a one-off, one-time executable. And you can do in your search engine, deploy Azure Arc agent at scale using group policy. There's an excellent article at Microsoft Docs on how to do it. And it works. We highly recommend it. And we've had customers deploy 800 Azure Arc servers in a few hours using the group policy method. It's very effective. Nice. And you can just run now. Exactly. And as the article mentions, you may have other tools like SCCM, MEM, Microsoft Endpoint Manager, or automation tools like Chef or Puppet. So three official at scale ways is group policy using the Microsoft SCCM, MEM tools, and using general purpose scripting tools. Oh, right. And then deploying to multiple servers. Well, here you go, group policy. 
There we, okay. These slides are just not keeping up with us. Right, you're ahead of the slides. That slide is extremely valid. And I'd highly recommend if you people check out the group policy method. Yeah. Well, it was great to point out that you can also use automation tools, Chef, Puppet, Terraform, you know, deploy the script, whatever you like. You know, we're not forcing you to use one. And we just have one more module, the best practices. Oh, okay, good. Because we're on time then. I told you a little bit. I told you. So we went over, you know, the service principal, update management, you can connect through. Oh yeah, this is actually a new one. Yeah. If you have already deployed log analytics agent in your environment, let's say you are an early adopter of Microsoft Sentinel or Azure Monitor. And you've already broadly deployed the log analytics agent. And now you want to essentially upgrade, you want to go to the new model, which is Azure Arc Driven, right? So there is, you know, we covered this several times in the first slide. Remember, Azure Automation is a solution that installs into log analytics. And so if you have deployed the log analytics agent and if you've got an Azure Automation instance integrated, because for example, you're using the update management or the change detection features, there is a way using that to leverage that automation agent to push out the Arc, to sort of change the wheels while your car's running. So it's an added advantage to customers that have got the Azure Automation agent enabled on their services is to deploy Arc that way. That's actually a cool way. Yeah. So we're on to the last module. Yeah, so the best practices, it's talking about, you know, when I talk about organize your Azure Arc enabled servers, the first thing that comes to my mind, and I already talked about it, is the resource group. Yeah, resource group, tagging, yeah. 
Another thing that I should mention since this is the Azure Arc at scale, is there is a limit of 5,000 Azure Arc servers per resource group. So that's a third consideration when considering like what resource group or how many resource groups should I select and prepare for my Azure Arc servers. And another thing is if you have more than 5,000 servers, you'll need multiple management groups. So imagine a worldwide company with 3,000 machines in North America, 2,000 machines in Europe and 4,000 machines in Asia. It just makes sense that they would have three resource groups dedicated to Azure Arc servers at each of those three Azure regions. That would be a logical, we have them geographically distributed because the machines are geographically distributed. And you want to have your resource record for the Azure Arc server located generally in the same general geographic area as the physical server. So that's a reason for the very large enterprise, it's a good idea to geolocate your Azure Arc resource groups with where the machines are. So for geography and for size, is another reason on how to organize your servers. It's a good point. Yeah, so that's a good way to plan that. Which region, where are we gonna go? The learn module has a thing on making sure that you have an alert rule. Okay. Ensure Azure Arc server connectivity is that, I know if you just advanced the slides. Oh, yeah. No, I guess there's the learn module under organized Azure Arc servers. It has an item on using creating an Azure monitor alert to let you know if the heartbeat on an Azure Arc server has failed. Right. And that's, I highly recommend doing that as well. Maybe as if you're first getting started with Azure Arc and you get your first machine deployed and it's reporting into log analytics, then to get your feet wet and to actually get use out of the product, create an alert that lets you know that the machine is no longer heart beating and there's instructions on how to do that. 
Isn't the heartbeat like every five minutes or so? It's every one minute. Oh, every one minute, okay. Your Azure log analytics. Oh, okay, okay. That makes sense. Great. And then the last section I think before the knowledge check is called begin using Azure services and it's got an item there on tags, which is very, again, is a very common and good use of the solution is that you can apply tags to your Azure Arc servers to say, application, exchange, cost management, HR marketing. Yeah, go to town on the labels and again, that's another early effective use of the Azure Arc agent at scale is take advantage of the ability to tag your Azure Arc servers to then manage them together. And then if you're familiar with Azure tags, once you've applied a tag to a resource, you can click on the tag and pivot to a list of all the resources with that tag. And so in just like two clicks, you can have a tailored view of all of the application servers or all the servers in Asia or all of the servers managed by a contractor, you know, apply tags for all of those scenarios and you can rapidly create views that shift between your Azure Arc servers in that manner. Yeah, tagging is really important. And yeah, it kind of helps you create that like CMDB that no one ever gets to build but at least you can start with tagging. So we really did cover everything in the module, Amy. Yeah, and it's great. I mean, even with the hiccups, you know, I hope everyone got something out of this and I learned a lot just going through this again, you know, so I do wanna get to the knowledge check so people can collaborate with us and see. So we already said apply tags to help organize. You can use logs or log analytics workspace to collect data to help you do your update management. Azure policy for governance. Let's see, if there's anything else. 
No, I think the key takeaways for this lesson was to know how to create that service principal, you know, and then how to take that at scale script and put that service principal information in there. That's really the biggie. And then once you've done that, now use it. Right. Deploy Defender for Cloud. Deploy Automation. Use, you know, apply tags, you know, and if you understand that those are takeaways for you, you know, we've done our job. All right. And I believe you can put in your answers as well at aka.mspoll, I don't, yeah, here we go. So if you wanna join along and play along and get some XP points, you can vote your decision at HTTPS aka.mspolls or scan the QR code. So what do you think, John? Which of the following services can you not use with Azure Arc-enabled servers? Governance through Azure Policy and Guest Config. We know it can do that. Yeah. Security through Microsoft Defender for Cloud and Sentinel. Oh, we know it can do that. Right. Observability through Azure Monitor and Log Analytics. Guys, we talked about all three of these things. But D, deploy configuration using GitOps. Isn't that more of a Kubernetes? Yeah, frowny face. We didn't even talk about that today. Right. Nice. Okay. We'll let people get their votes in. Let's see. I'm gonna click. Oh, let's see if anyone's joining us here. I've got two votes. Yep, D. So I have a feeling that they are correct. Let's see. Click back on my slide. Good job. Go team. I think we get points for that. All right. Next question. Again, please participate. Which of the following actions does the Azure Connected Machine Onboarding identity? And John went over this really well. What does it have permission to perform? Can it delete servers that are registered? Can it create new Azure Arc-enabled servers in Azure? Manage VM extensions for Azure Arc-enabled servers or read servers outside of Azure Arc-enabled servers within the resource group. That makes no sense whatsoever. 
The Azure Connected Machine onboarding permission can do one thing, one thing. One thing only. What do we think team? Are we thinking B? It looks like we're thinking B. Good job. I wish we had like fireworks or music. Yay. Create new Azure Arc-enabled servers. These are so easy. Hopefully number three will challenge us. All right. Which of the following cannot be used to automate deployment of the Connected Machine agent to multiple machines? A, Azure Policy. B, Group Policy. C, System Center Configuration Manager. Or D, Service Principal. Think closely. Sometimes they like to get tricky. Azure Policy, Group Policy. So it cannot be used. We know that Config Manager and Group Policy are two of them because we saw that page. So it's either Azure Policy or Service Principal. Right. Because I would think it, you can't use Azure Policy till it's onboarded, right? I mean. I think that's it. I think that's it. It's a chicken before the egg question. Right. And the outlier is Azure Policy because until, well, actually, let's suspense. I don't want to give the answer. Let's see. Azure Policy. Good job, everyone. Yeah, until the machine is in Azure, until it has an Azure Arc object, Policy can't see it. Right. It can't talk to it. That's how we ruled that one out. Right. Fantastic. Yeah, good job. So we understand Arc's built-in security functions. You got Microsoft Defender, Sentinel, RBAC, and Policy. We showed, well, attempted showing different ways of deploying. But you can definitely go through the learn module to try it out yourself. It will work, I promise, mostly. And then applying best practices, like we said, for governance or the tagging. Most companies have best practices or a governance model that they want you to follow. So we enable you to do that with Azure Arc as well. 
We would like to introduce a module after this, but if you want to learn more, again, you can go to this URL or scan that QR code and go along on yourself and play our video along with you to have someone to talk to. The next one, oh, okay, this is still us. So again, thanks for joining. You can complete everything we did through the learn module. You get XP. If you do the whole module, you can eventually get badges and stuff, show off to your coworkers. Amy, I got a $5 Starbucks gift certificate. You actually got something? Yes. So you just got cool badges. No, I never paid attention to it for a long time, but then finally I clicked on the thing and it's like I had so many little points that I was able to get a reward. That's great. I want a $5 card. It took a long time. It took a long time to get enough points for that. I would say in closing, Azure Arc at scale is something that everyone using the Microsoft stack, particularly right now, the Microsoft stack is hot for security. It's for connecting to Microsoft Sentinel, for connecting for Defender for Cloud. That is a huge market and very successful and popular and valuable. And so everyone that's currently using that model is going to have to start using and participating in Azure Arc because in 2024, we haven't talked about this, but in 2024, the method of connecting to Log Analytics using only the Log Analytics agent is going to be superseded by the Arc method. So everyone has about two years to start using Arc in order to connect their servers to Sentinel and Defender for Cloud and Azure Monitor. So it's something everyone needs to get smart on and I'd encourage you to start sooner rather than later. I think once you convert to using Arc and you're freed from having to manage the individual agents, you're going to go, this is already saving me time and labor or so. And you're future-proofing yourself for beyond 2024. Well, that's always nice too. And then, yes, we're not the only part of this series. 
There's more coming up for you. So integrate Azure Arc and Azure Stack HCI, May 5th, 10:30 to 12, Central Europe time. So you can continue learning on this Azure Hybrid Cloud Study Hall. It's been a lot of fun with joining you, John, during this journey. I'm glad, thanks for everyone who came in and gave us questions and helped us troubleshoot even. So thanks so much for joining and don't miss the next in the series. Thank you, Amy. Thank you all for coming. It was great. Say bye.