Jason: So hello and welcome to episode 3 in our third season of Rock to the Cloud, and what is now my second time hosting this show. Let me start by once again offering a massive thanks to you all for staying with us on this series as we see it every week. We really do love spending this time with you to discuss all topics around Windows Server 2022 and, actually, as you're seeing, more around our Microsoft hybrid solutions, or hybrid cloud solutions, as we're seeking to evolve this. So in each episode of From Rock to the Cloud we're bringing some of the world's foremost figures in Windows Server, and indeed hybrid, to help you get whatever you need, or that you just want to know about it. So, per the usual, if you have any questions about the episode, make sure you pop them into the comments below. We'd love to hear from you, so please put your comments in the section just down there.

So in today's episode, well, it's called "Manage from the cloud with Azure Arc". If you remember from last week's show, if you tuned in, we had Pierre Roman. This week, for the next 30 minutes, we're going to be catching up with none other than Thomas Maurer. We'll also have some elements later that you guys can get involved with, so again, do stick around for the fun part of the show. But this is obviously going to be the really interesting part of the show, where we will be bringing in Thomas. So Thomas, welcome very much, and thank you very much. Can you tell me, what is your role at Microsoft?

Thomas: Hi Jason. Yeah, my name is Thomas Maurer. I'm a Senior Program Manager and Chief Evangelist for Azure Hybrid. I recently joined that team in engineering, and I work on end-to-end solutions when it comes to Azure Hybrid, speaking mainly of Azure Stack, Azure Stack HCI, as well as Azure Arc solutions.

Jason: Excellent, and I do believe you've been on the show before, if I'm not mistaken.

Thomas: Oh yeah, I had the great honor, I think, to already be part of it in the last two seasons, talking about several things around Windows Server and especially Azure Hybrid. Yeah, absolutely, and it's great to be back.

Jason: I'm glad to hear that, but obviously with the new host now, and clearly nowhere near as good as our predecessor, Thomas, and I'm sure he'll be watching once again just to validate that. So look, on the previous show, as I mentioned, we had Pierre Roman, and we did discuss Azure Arc and why companies should care about Microsoft when it comes to hybrid and multi-cloud. Could you just please recap for us your thoughts and provide your insight, if that's okay?

Thomas: Oh, absolutely. Yeah, hybrid is obviously a very important part when it comes to hybrid.
I think we have numbers that like 90% of customers actually have a hybrid strategy and rely on a hybrid cloud solution. So think about factories, retail stores, edge locations, or just companies who want to run certain stuff in data-sovereign solutions in their own data center, or they have latency or network constraints as well. And so for us in Microsoft, hybrid is obviously very important. And I always quote Jason Zander, which is, or was, the lead of all the engineering teams in Azure, and he was basically saying: hybrid is going to be an end state for many of our customers and not just an in-between state. And why I'm actually quoting this is really because that shows how important hybrid is for us, right? And hybrid at Microsoft is not just a single product; it's really a set of solutions, products and services which enable our customers, depending on what their needs are, from our Azure Stack portfolio with different solutions such as Azure Stack Edge and especially Azure Stack HCI, when it comes to bringing those cloud-inspired components into the customer's data center and edge locations, but then if you think about IoT and other solutions as well. But I think most importantly in the last couple of years, especially Azure Arc, right, which really helps in many different cases with our customers. And we usually split Azure Arc into two different categories, if you will. The first category being having that single control plane, what we call Azure Arc enabled infrastructure, which means we allow you to connect servers and Kubernetes clusters to that control plane and manage them. And then the second piece, which we will probably talk about a little bit later today as well, depending on if we have time, I guess...

Jason: We will, we will make time.

Thomas: Right, bringing Azure services into the customer's data center. So if a customer cannot use an Azure service in Azure because of latency concerns, they have dependencies on the network connectivity, data sovereignty challenges and so on, they can run the Azure service in their data center. So that is pretty cool.

Jason: Indeed. But look, it'd be great if we can speak about sort of the unified control plane in more detail and how Azure Arc allows you to manage resources outside of Azure. That would be fantastic, if you want to elaborate on that perhaps, and maybe you could... I believe you may have something to show us on this episode.

Thomas: Absolutely, absolutely. Yeah, that's why I'm here. No, um, so obviously when we look at the unified control plane, when we see customers doing hybrid and especially also multi-cloud scenarios, one thing they tell us is: hey, we need tools to manage, secure and govern things in all these different locations, right? And we don't want to have a management tool for Azure and a management tool for on-prem and a management tool for each of the other cloud providers. That can make things very, very difficult and obviously complex. So what we did is we took the control plane we use in Azure, Azure Resource Manager, and we basically extended it to not just allow the management of Azure resources, but also basically take resources which are outside of the Azure data centers, again such as servers, Kubernetes clusters and so on, and connect these to the Azure control plane, actually making them become Azure resources. And they basically then behave like Azure resources. So they are part of a resource group, they're part of a subscription, we can use tagging, we can use role-based access control, and obviously all the management tools we can usually use for Azure resources we can now use for Arc enabled servers and Kubernetes clusters, for example. So that is the concept of Azure Arc.
Azure Arc is really the bridge between these resources outside of Azure and Azure itself, the control plane.

Jason: And I think, as we touched on last week, this really simplifies the overall process, right, operationally, and indeed from a cost perspective as well, when you're thinking about, you know, if you've got different disparate tools out there, different infrastructure silos and so on and so forth. Having it all in one place is just really a phenomenal thing for customers to be able to, you know, leverage.

Thomas: Oh absolutely, and you're absolutely right. I mean, I was speaking mostly about the operational and security governance stuff, right? But it's the same thing also for developers, right? If you start to deploy stuff in Azure, or on Kubernetes clusters on AKS in Azure, you want to use these practices, and then when you deploy outside of Azure, if you then need to use different practices, there's a lot of effort going in, right? And that obviously adds a lot of complexity and cost to the whole operations scenario of a customer. But I think instead of just sitting here and talking about it, why don't we just have a look?

Jason: Awesome. Is this one you made earlier?

Thomas: Yep. So here I'm in the Azure portal, right, and the go-to place basically when I want to deal with Azure Arc: I go to Azure Arc, and that then shows what we call the Azure Arc center. So here you get all the stuff which is Arc related, right? It also allows you to connect different stuff from your on-premises locations or other cloud providers and then also start to manage these. And if you look at the middle here, you can already see a couple of things I mentioned, right? So you have, for example, here "add your infrastructure" to the control plane, or "deploy Azure services" to your locations wherever you want to run them. And then also interesting here on the left side, you can see we have some management stuff, and I will talk about custom locations and the data controller and so on a little bit later. But interesting for us at the moment is this infrastructure part, right, the Arc enabled infrastructure, and you can see here we can just add a little bit of stuff here, speaking of servers, which can be Linux or Windows servers, physical or virtual, running at another cloud provider or in your own data center, and the same thing for different kinds of Kubernetes clusters, SQL Servers, and newly also Azure Stack HCI as well as VMware vCenter systems, so we get this VM lifecycle management and so on. But let's dive in, because I think the server part is really interesting for many of us here. As you can see here, if I click on this, I get all my servers I already have connected, and you can see here some of them show Connected, some of them show Offline, some of them show Expired, and you can see here they show resource groups, subscriptions, so they look like an Azure resource. And then I have tagging here; for example, there's a data center tag, and you can see here I have some of them in my, like, home data center underneath my desk, if you will, but then also some at other cloud providers, right? And all these systems basically running here can be connected to the Azure control plane.

Jason: That's a lot of servers to have at home, by the way, Tom.

Thomas: Yeah, well, I have a huge infrastructure here. No, I'm just kidding, it's very small. But alright, so let's have a look at one of these servers. So I have my WAC server here, and if I click on this, again, the first thing you notice is it looks like an Azure resource, right? If I did not tell you that this is something which is outside of Azure, you would probably think, well, this actually looks like Azure, and that is exactly what Azure Arc is supposed to do, right?
So if you look at the middle of the screen here, you can see it is, again, I'm repeating myself, but it's part of a resource group and a subscription, it has an ID and so on, and it's actually connected to one of our data center locations, in this case West Europe. And then on the left side you get some additional information about this system, so you can see here which operating system that server is running, and you can also see that it's actually joined to a local domain controller. However, that is not necessarily needed, right? They don't need to be domain joined; they can be workgroup or in different domains. It's really independent from having domains, the classic Windows Server domains. And then you can see here I can use tags, so I use some of them to actually do the location of the server, right, but then also, for example, a cost center tag as well. If I look on the left side, you can see here some cool things which come with every Azure resource basically, and this is the activity log, so I can see who did what to that server. So if someone goes out and does some modification, and I'll show you what you can do actually in just a bit, that will show up in the activity log. And that is basically based on the role-based access control we can see here, so I can now use Azure AD to create groups for admins which then can access and manage that server. So what we have today is customers going to have a look at their on-premises systems, and basically they take away all the administrative rights, maybe except for some break-glass accounts, but all the administrative tasks are done over Azure Arc. So we have much more control when it comes to compliance and so on, to actually see who did what on what system, and you don't have to manage local user accounts in that sense.

In terms of time, I also want to just quickly show a couple of things here. So for example, the security piece: I can then enable Microsoft Defender for Cloud, and this will then give me recommendations for that server on how to secure it. And on the bottom you can see that luckily it shows nothing here, but I would also get security alerts and so on directly from Microsoft Defender, as I can have it for Azure VMs as well as servers running now outside of Azure, right? I have a couple of other cool things: update management, inventory and change tracking. But I want to show you one thing, which is Azure Policy guest configuration. So what I can do, or what a compliance administrator can do, is assign, for example, Azure policies to different resource groups or subscriptions, or directly to a server if you want to. And then you can do things like, for example, auditing my servers for insecure password settings. So for example, I have one assigned here, and it goes out and it audits my server to see: hey, we have some recommendations here on what secure password settings are, and you can see I'm not complying with everything. So me now as a server administrator, I can now go out and actually have a look at these and fix these issues, right?
The same thing for a compliance administrator, or if you're in charge of security: you can go to the Policy view in the Azure portal and see a centralized view of all your systems, of all your servers, now running in Azure but also on premises or at other cloud providers, which is super powerful if you're in charge of compliance. And for Windows Server admins, think about this as group policies on steroids, right, where you can actually define these policies for your servers, but then also get that centralized view of reporting and so on. So that is pretty cool.

Yeah, um, now I know, Jason, before the show we talked a little bit about this, and you were also very interested in what we can do with Kubernetes clusters, right? And so I showed you this about servers and how that works, but what we can also have here is Kubernetes clusters. So you can see I already connected a couple of these, and by the way, what we do basically on both sides of the aisle, if it's servers or clusters, to connect these servers we're deploying an agent on these, and then that server has outgoing traffic to the Azure control plane and manages everything. So you don't need to open any ports or something like that. It's all encrypted. You can even have it, or use it, over a VPN or an ExpressRoute connection if you wanted to; that's what we call Private Link, for example. And so that is how we actually get these things in here, and you can see here I also added a couple of Kubernetes clusters. So if I look at the Kubernetes cluster, you can see here the same thing as I told you before: it looks like an Azure resource, right? Even though that Kubernetes cluster runs outside of Azure. What you can see here, I can get, for example, the security recommendations. You can see here that I did not have, for example, all the extensions installed on that cluster, so that is definitely something I should do to get some more information. You can see I can do a couple of things which are based on this specific cluster, but then I also get, for example, the possibility to do monitoring, such as on the server, which I didn't show you because I want to show it here for the Kubernetes cluster. You can see here that I can then actually onboard, for example, a Kubernetes cluster to Azure Monitor, and then I can see specific information here. And so if I go back, I also have a cluster, let me quickly go back here, which is actually onboarded to this. I just need to find the right cluster here and then go to monitoring. And if I onboarded that server, you will see that I can now see what's going on on that cluster, right? This is now a very specific view for Kubernetes clusters, so you can see here my nodes, CPU, memory utilization. You can see that there's not much going on. I also get some additional reports. I can look at my nodes in that Kubernetes cluster to see: hey, is everything okay with my node pools here? So they're just fine, right? I can have a look at my controllers or also my containers here in general, so you can actually go out and have a deep look at what is actually running here. So there's some pretty cool stuff we can do here, and again we have the same for servers, just in a server view, what makes sense there.

Jason: So to be clear then, what if I don't have a Kubernetes cluster? Is that kind of just a server scenario, or how does that differentiate?

Thomas: So that's actually an excellent question, right?
So we have customers who already have different kinds of Kubernetes clusters because they want to do some app modernization, they want to use these PaaS services, they want to build cloud-native apps using containers. But then, as you pointed out, there are customers who probably don't have the experience with Kubernetes, or they don't have Kubernetes clusters in their environment, or they're thinking they want to have something which needs less management to do, they want to have it more as a service. So what we are offering today is AKS, our Azure Kubernetes Service, running on Azure Stack HCI or even on Windows Server, right? So you get this awesome Azure Kubernetes Service which you can run in Azure, so you get all the management capabilities and stuff like that, but instead of running that in Azure, you can also run that on-prem and then connect it through Azure Arc to the control plane. So for example, these Kubernetes clusters here, they could potentially be AKS clusters running on-prem on Azure Stack HCI or Windows Server. And so you get this managed service of a Kubernetes cluster within your data center or edge location, and it allows you to do some cool stuff when it comes to the app deployment or monitoring as well. So we offer that full-stack solution, if you will, if you need that.

Jason: Can I also manage my infrastructure, like Azure Stack HCI and VMware, so I can get the full lifecycle management of VMs?

Thomas: Yes, so absolutely, great point. As you can see here on the left side, I'm not going to dive into this, but you can see here we can also go and manage our Azure Stack HCI clusters or our VMware infrastructure as well, right, meaning that we can connect these using the Azure Arc resource bridge. It's kind of like an appliance you deploy into your environment, and that then connects to either your vCenter or your Azure Stack HCI cluster, and then you can do VM lifecycle management. You can get monitoring, so you can deploy your VMs, you can remove them, you can resize them, and all of that directly from the Azure portal, or the CLI you use, or the API, because everything is managed through Azure Resource Manager now. You would probably say, why do I want to do that, right? Because I already have a vCenter, or Azure Stack HCI has Windows Admin Center, so I can easily manage that on-prem. But think about a scenario where you, for example, have multiples of these clusters or different environments, like a retail store, for example. We have customers with hundreds if not thousands of different retail store locations, and they now need to manage all these. Now in the past that was obviously a pain, because they needed to have VPN connections to all these infrastructures, and then they did not have a single view. They needed to go out and manage these. Now with Azure Arc, because everything shows up in the Azure portal, we can actually go out and manage these from the portal, and we don't need... if I'm now an admin, I can do that from Starbucks, or if I'm working from home, I don't need to be in the office, right, with all this hybrid work effort going on. I can securely manage all of my infrastructure directly from Azure, and I think that is super powerful. The other powerful piece now is, even if you don't have these location requirements, even if you don't have hundreds of locations and clusters and so on, one of the big advantages if
you are in this hybrid scenario where you have stuff in Azure and stuff on-prem: you probably use infrastructure as code with Bicep, Terraform, ARM templates; you have your DevOps pipelines and so on, and you've run them against your cloud, your Azure environment. Now on-prem...

Jason: I'll just pause there for a second, Thomas, sorry. Just to be clear for the non-technical: ARM templates and Bicep, is there any correlation there? Yes, so arms and biceps. No, no, that was kind of a joke. I'm sorry, mate, maybe my bad humor, but there we go.

Thomas: No, no, I get it. The reason is because I get a lot of questions around these, right, when we talk about ARM and Bicep. So yeah, really, I recommend everyone who gets started with infrastructure: go with Bicep, because it makes it way easier to write these things. ARM templates are written in JSON, and again, JSON is not really a human-friendly format. I think Bicep does a better job; it's something which is more human-readable, right? And so Bicep is a great, great thing to do. But now you can use these and run these against the Azure control plane, right? You can take these Bicep templates, for example, run these against Azure, but then that will deploy stuff in your local data center. Like, how awesome is that?

Jason: Absolutely. So, talking of deploying then, are you able to show me how you can deploy a web app on premises, for example?

Thomas: Absolutely. I hoped the question would come. So let's dive into how that actually looks, right? So I want to quickly show you what you actually need for deploying a web app. That is what we call the Azure Arc enabled services, and if I scroll down here on the left side, you can now see we offer a couple of different Arc enabled services, such as data services, which means Azure SQL Managed Instance or PostgreSQL, or then our application services, which means web apps, Functions, Event Grid, API Management and so on, right? So what do I actually need to run these on-prem, right? There must be something I need to do, and absolutely. So what you need to do is you need to obviously connect a Kubernetes cluster. Again, this doesn't need to be AKS on Azure Stack HCI. It can be, and it's a very good solution for that, but even if you run OpenShift or some other Kubernetes distributions, you can also connect these, as I showed you before. Now what you then can do is, here on the top, what we call custom locations. So you can create a custom location, and you can see I created two already. One is called "other cloud providers 01" and the other one is called "Tom's data center 01", and I basically mapped these two, as you can see here, to some Kubernetes clusters, one again running on-prem, the other one running at another cloud provider. So that is what I prepared, right? So I have now two custom locations, and you will say, well, what does that mean? How can I now leverage these custom locations? And it's fairly simple. If I go and want to deploy a new web app now, as you asked me to, I just create a new web app. That's the same wizard basically as I would have if I would want to deploy a web app in Azure, right? So I also need to select here a subscription and the resource group, and I could provide a name for that web app, and do some additional configuration. But then the most important part here now is that when we go to the regions, usually what we see here is just the Azure regions, right, all the Azure regions which are available to you. You have them listed here, but if I scroll to the top, you can now see that also my custom locations show up. Right, so that is the pretty cool thing now, that I can just select: hey, instead of deploying this to an Azure region, deploy this to my data center. And then you can see here...
There are some changes happening also in the URL of that web app, which we assigned by default to it, so we can actually select that and change that, and you can now deploy that web app directly on your Kubernetes cluster running on premises, at another cloud provider, or at your edge location, which I think is super powerful to do. And again, going back to the ARM templates and to Bicep templates and Terraform: now the only thing you need to do is actually change the region to be one of these custom locations instead of an Azure region, and you can actually use the same ARM templates to deploy these services.

Jason: Fantastic. So if I could just recap on this, Thomas: for Kubernetes clustering, obviously that can be on Azure Stack HCI or on your web server, sorry, your Windows Server. From a web app deploying perspective, they can be deployed both in the public cloud, as ordinary people are doing now, but also that could be extended out to on premises. And with Azure Arc we can manage our overall infrastructure footprint, both on premises obviously and clearly in the cloud, and that gives us the ability to provide security alerts, insights, being able to leverage other Azure services, ensuring compliance and leveraging your policies. Would that be a fair assumption of what we just discussed?

Thomas: Absolutely. You made it very easy to basically summarize what I just showed. One thing I would though mention is one of the benefits now of this whole scenario of running these Azure services on-prem, right, or allowing this stuff to happen. Obviously it's a cool thing to do, but now think about customers, or cloud architects, software developers, who need to modernize their applications. They basically need to make some decisions, especially if they're in a hybrid and multi-cloud environment. They would usually, if they go to Azure and they say, well, we only use Azure, then they would probably go and use PaaS services, serverless, containers, everything very modern on Azure. Now if the application needs to run also on premises and also on other cloud providers, in the past there were no Azure services, right, which you could run on premises or at other cloud providers. There was no such solution to do this. So now with this, we allow cloud architects and software architects to build very modern applications based on Azure PaaS and run them anywhere without any restriction on locations. You can basically run it and architect it the way you want the app to be architected, without the need to consider: is it running locally or hybrid? Because in the past you would probably fall back to VMs, right? You would say, well, VMs run everywhere, so that is the common ground we have. Now, with enabling Azure PaaS services with Azure Arc, we can now really start leveraging that and really build modern solutions.

Jason: Fantastic, Thomas. That was absolutely fantastic. Appreciate it very much. But now we're going to move on to the part of the show called the Server Acronym Review, like we always do. And, you know, I think last time around we had two. I think we may have more this week, um, just another long, confusing acronym that doesn't make any sense. But, you know, uh, the producers, as I mentioned, I think it may be three today, and we're going to put ourselves on the spot to see if we can guess what they are. We'd love you guys to pop your thoughts in the comment section below, please, and tell us what you think about these acronyms, whether we're just being ridiculous or we could improve them somewhat. Who knows, the comments will prevail. But please, producers,
let us know what we have. So on to acronym number one: AVD. I'm going to have a guess at this one: Azure Virtual Desktop.

Thomas: I agree with you, Jason, on that one, and the reason why this was simple for me is because we just announced AVD on Azure Stack HCI, right? So, wonderful, the possibility to run Azure virtual desktops not just in Azure, but also run them on premises using Azure Stack HCI.

Jason: Can you believe I got the first one right, and you get it as well? So it's one-one. There's no benefit to me here, but let's go on to number two, please, producers. DART. Now, do I see the point in this one? There is another little joke in there, a terrible one at that, by the way.

Thomas: I'm struggling actually, DART. To be honest, I know what it is, but I just don't want to put myself down again, right? I would need to check what the acronym means, but I think the D stands for "diagnostic" and the T for "toolkit". I'm not 100% sure, but I think "automatic resolution"...

Jason: No, huh.

Thomas: Oh, it's "toolset", not "toolkit". Okay, but at least not the first one completely right, and I would... I don't know, Jason, but I deserve half a point for this.

Jason: No, I think I'm going to give you half a point for that, Thomas. Yes, and I'm surprised we have... and actually, normally those, uh, those are taken out with their necromancy. Anyway, let's move on to our third and final acronym of the show.

Thomas: Good lord.

Jason: So shall I try another joke? Let's make no bones about this: the RADIUS. Again, do you know, this is going to go down really poorly, isn't it, in terms of my joke-telling abilities. But crikey, I've no idea, I'll be honest with you. RADIUS.

Thomas: I didn't even know that it's an acronym. I thought it's a full name.

Jason: A full name for a bone, yeah, exactly. Or maybe it's something to do with the ARM template.

Thomas: There you go.

Jason: Yeah, no, yeah, let's see. No, not in a million years.

Thomas: Remote Authentication Dial-In User Service. To be honest, it makes perfect sense. It's like, I remember back in my days when I left one company, it was my last working day and I switched over to another company, and on my last working day what they wanted from me is like, hey, you're going to set up a RADIUS server. That was like my last work. I was like, why, why are you making me do this on my last day?

Jason: But did you complete it in the last day? Was it a simple job for you?

Thomas: I don't think it was that hard. I mean, at the end, the harder part is if you need to then integrate something to that, right? You want to, for example... I think the scenario back then was they wanted to integrate their wireless access points, or some firewalls, I can't remember, with Active Directory authentication, right? So they basically needed the RADIUS to be kind of like the endpoint for these wireless access points to connect to, and my job was basically just to provide the RADIUS server, and that's it. So I think... I mean, because I left, I don't know, but I think I was successful.

Jason: I'm sure you were. So listen, Thomas, thank you so much today. I just want to add, by the way, the cap is looking magnificent. I'm a man who sports a very similar kind of attire when it's a little bit chillier, for obvious reasons. But yeah, you're looking very cool today, my friend. Thanks again, it's been absolutely insightful. Really appreciate your input. And thanks to you guys for tuning in to this third episode of season three of Rock to the Cloud. Please keep an eye out right here on ITOps Talk, LinkedIn and YouTube for the next episode, and remember to drop your thoughts in the comments below. It's been a pleasure. Thank you very much indeed. Look forward to the next one. Goodbye, take care.