Hi, my name is Thomas Smauer. I'm a Cloud advocate at Microsoft, and I'm sitting here with Jane from the Azure Management Team to talk about hybrid server management.
Yeah. Hi. I'm a program manager in Azure.
Hi. So I speak a lot with customers who are using the Cloud for their compute resources. But most of them, or a lot of them, also have servers running in their private data centers, in their branch offices, or they even have other parts in the organization in which they use another Cloud provider or other service providers. One of the main challenges with all these servers they have is basically keeping control of all these servers wherever they are running, to make sure that they are secure, that they're patched, that they have the compliance. I heard that the Azure team, and especially you, are working on something which helps with that.
Yeah. Absolutely. I love to talk about it. It's actually echoing what you just mentioned; it is indeed a huge challenge. So I talk to a lot of customers as well, especially they need to manage these very hybrid environments, servers all over the place, with application teams trying to just go out, get all the resources they need to. It doesn't matter which Cloud, they just go in and deploy things there. The IT, on the other hand, is trying to understand, oh my gosh, where are all the things? Where are all the data? What happens if something got breached? Especially now you see the news all over the place. So this is really something Azure has always been thinking about, and especially services today that are already managing on-prem servers, but now with this service, we're really taking it to the next step to integrate those servers more natively into Azure.
Okay. That sounds fantastic. So when you talk about integrating these servers into Azure, what do you mean by that?
Yeah. I'd love to show you a picture of it.
Perfect. Thank you.
Here is how services are managing these environments.
So these services actually all manage on-prem servers today. By the way, I'm calling it on-prem server, but it really doesn't matter where they are. They can be on-prem in data centers, private data centers, or in another hosted Cloud. But as you can see, all these servers managing the Azure virtual machines through something called Azure Resource Manager, short for ARM, and where on the on-prem servers, they really need to figure out a way to get their code deployed onto those on-prem servers individually. So as you can see, there is some disparity between the two panels. This is really what I mean by natively integrated into ARM. Now they get projected as an ARM resource into Azure. The benefit will be huge. As you can see, a lot of investment went into ARM, like identity, like RBAC, like policies. Most importantly, a lot of customers really care about compliance, and also just regular management, like tag them, show which of my servers are in production. Those kinds of simple things are all capable through ARM. So now, once I have projected servers into ARM, I get all these benefits. In addition, all the services now can be deployed onto Azure as well as on-prem in the same fashion. So as you can see here, I labeled out a very important component called guest agent. The purpose of this agent is to manage the life cycle of these extensions, and we're following the same model so that now all these extensions can be applied to on-prem servers as well.
So that's great. So our servers show up as Azure resources. They show up in the portal and also in the Azure Resource Manager, and I can basically treat them as machines like I used to do with Azure Virtual Machines, right?
Yes. From a management perspective, that is our central goal. We wanted all these solutions to manage these servers the same way for Azure as well as for on-prem, and also they get the same ARM benefit.
Okay. That's awesome. So I want to now use that.
So can you show me how we onboard these servers to Azure?
Absolutely. Let me show you a demo. This is a page that we built to show all the on-prem servers that have been onboarded to Azure. Essentially, to onboard, the customer needs to run a script on the server, and to help to build that script, we actually built a flow in Azure to generate that script. So this is the option that they can click to generate the script, but at the same time, we also recognize it's a challenge for customers to onboard at scale if they have to connect to every single server individually to run these scripts. So we're also trying to understand what are some common on-prem server management applications, so we can integrate to help customers to onboard those machines at scale. For example, here, if the server is already managed by the Azure Update Service, we actually build the script or the runbooks to actually deploy, to onboard those machines onto Azure without actually customers touching all those machines. But in the future, we're also working with, for example, System Center Configuration Manager, and they are also integrating the onboarding experience, and in addition to Windows Admin Center, so we just kind of keep on expanding on how customers can onboard to Azure in a least-effort way.
But in this case, let me show you how to generate the script. So as you can see, these are Azure resources, so they follow the same hierarchy as in subscriptions and resource groups. So now you can pick which subscription and resource group they want to go to. Here, the region indicates which Azure region is running the service managing these on-prem resources. So you can see, from like a compliance or regulatory perspective, you know where the metadata is stored in Azure. Physical location is new, specifically for the on-prem servers. This allows customers to tag the servers or specifically indicate which data center they are in. So if there's something, this is really about ease of management.
Okay. That's pretty cool. So customers could not just add a name of the data centers. So they could even, like, for example, also add a room of the location or even the rack name or the rack number for their server?
Yeah, absolutely. So this is really for the customer to easily identify where that resource is; if something happens to that server, if they need to physically access it, they know exactly where they need to be. Here, we also allow customers to choose the operating systems. I didn't really specifically spell it out, but as always, in Azure, we are trying to embrace Windows as well as Linux. Same for here, that we build two packages for agents to onboard either Windows Server or Linux Server. I understand a lot of customers for on-prem, especially, they don't want to expose their servers to the Internet directly, and they put them behind a proxy server. So here in this case, our agent does need to connect to the Azure service. So if these servers are not connected to Azure directly, they can configure the proxy server here, and then the agent will be able to communicate through the proxy server. This is just Azure resource capability, so they can tag the servers to indicate maybe who owns them, or whether they are a part of a team.
Yeah. So this also means this is like with other Azure resources, right? So for example, in my environment, I tag resources based on production, development environment, demo environments, and so on, so they can use the same tagging for their basically on-prem service.
Yeah, exactly. You got that. In the end here, we generate the script. So now you can take a copy of the script and run it on the target server. Let me show you exactly the script content. So there are really three steps. One is you download the package, but if you have actually already downloaded it and put it on a file share, you can just change that to copy it from the file share. The second command is to install that package.
The last one is the important one here, which will actually be doing the onboarding. This tool will actually create the ARM resource and then link back to the agent. So that at the end of the onboarding process, you will actually see these resources presenting that physical server in the Azure portal.
Oh, that's awesome. So we make it super easy basically for customers to onboard these servers by basically creating for them the script they need. Obviously, I think they can also run these scripts against multiple servers if they onboard, like, not just one or two servers, but maybe hundreds of servers.
Oh, yeah, absolutely.
Okay. That's great. So now I have my server in the portal and I can see that and manage it using the Azure Resource Manager. Which services can I actually use now?
Yeah. Let me show you that. So if you click on one of the resources, as you can see here, we really want to follow the Azure Virtual Machine model. So you can see the list of capabilities, and eventually, as we move forward, we are going to expand on these management capabilities. Today, we are enabling two specific services. One is we can integrate it with Log Analytics, so that you can actually get the logs added to the resource ID and you can query those logs in one central place. So let me show you. If I click on logs, I will be able to get all the logs relevant to the server. Without this, if a customer is trying to access a log for a server, they essentially need to go to the server, figure out which workspace ID it connects to, and then come to the portal, find that workspace, and then you can filter based on the computer name. Now with this integration, you can simply just click here and then get all the logs belonging to the same server.
Oh, that's fantastic. So this also helps me, like, I see a lot of customers having the different organization parts, and some of them are just really application focused.
So I cannot just give access to this specific team to a specific set of servers, and they can just access the logs for these servers.
Yeah, that's actually a great benefit that you mentioned there. In March, the monitoring team released this new capability called resource-centric RBAC access for the logs, and they made it available for Azure VMs. Now with the hybrid service, now you can also get it for on-prem servers.
That's awesome. So you also mentioned policies.
Yeah. So Azure Policy is the place where customers can define their compliance and can also view their compliance status. There's this particular category of policies called guest configuration policies. You can think of guest configuration policies almost like group policies, but for servers not domain joined. So there's a long list of the guest configuration policies. We made 18 built-in policies today, so you can actually deploy them right out of the box. But also, if you have a requirement that is not built in, you can actually create those custom policies and deploy them into a unique environment. With the guest configuration policies, it actually works through ARM for the Azure VMs. Now with the hybrid, they can also be monitoring and governing the on-prem servers. So as you can see, I deployed some of the guest configuration policies, and in one view, I can see all these non-compliant statuses. If I drill down, I notice the password policy; I have a bunch of non-compliant services. So let me come here, drill down, then I can see all the servers that are not compliant. Let's see, you can see which resource group they belong to, so you can get an idea what they are doing. But also here, importantly, is that they cover: these are Azure virtual machines and these are on-prem servers. So in one view, you get a full picture of all the servers that are not compliant.
Wow, that's fantastic.
So I see all my servers, it doesn't matter where they're running, if they're running in Azure, if they're running on-prem in my data centers, in my branch offices, I can see them in one single view and I can manage them from Azure.
Yeah, that's our purpose, having Azure be the one central place, and we want to provide the consistent experience.
So that's fantastic. So if I'm a customer today, how do I get my hands on this?
Yeah, so we are really getting the public preview now. So if you follow the link on the screen, you will be able to see our documentation and the process on how to enroll with the service.
Okay, that's fantastic. And what about the cost for this?
Oh yeah, that's a great point. I get a lot of questions on how much would I pay for it, and the good news, or great news, is it's free. That means that you don't actually pay to onboard your machines onto Azure, and you will only pay for the solutions that you're going to deploy onto those servers.
Oh, that's fantastic news. So thank you very much, Jane. Thank you for being here and showing us these hybrid management capabilities.
Yeah, thank you.