Microsoft extends Azure management to the private cloud with Azure Arc
Microsoft Inside Track blog, published 2024-03-06 (last modified 2024-03-06)
https://www.microsoft.com/insidetrack/blog/microsoft-extends-azure-management-to-the-private-cloud-with-azure-arc/

When Microsoft began adopting cloud server technology internally in 2014, it operated some 60,000 on-premises servers and 2,000 line-of-business applications. These assets, normally managed by the team or individual that purchased or built them, were vital to company operations.

Now Microsoft Digital is running the majority of the company’s servers, internal apps, and business processes on Microsoft Azure in the cloud.

That move significantly reduced the volume of servers needed on site and made it easier to track the costs associated with running each service. It also helped IT administrators and developers apply standard risk-management policies and other best practices for network and data security.

But in some scenarios, Microsoft teams still use physical servers to fulfill specific needs.

Why is on-premises hardware still needed?

“Sometimes it’s the kind of app a team is using,” says Dana Baxter, a principal service engineer in Microsoft Digital’s Manageability division. “They might not have the infrastructure to move it to the cloud. There might be dependencies on systems that are not yet migrated.”

If a service is not going to be used for the long term, it is often not worth the effort of decommissioning, redesigning, and redeploying it. A handful of Microsoft groups also maintain on-premises servers because they require extremely high-speed direct internet connections.

At Microsoft, the Manageability Platforms team uses Microsoft System Center Configuration Manager (SCCM) for on-premises server management. In alignment with earlier IT design principles, SCCM covers only Windows servers, specifically those joined to a domain and assigned to the correct organizational unit (OU).

As Microsoft Digital began using more Infrastructure as a Service (IaaS) features native to Azure, a gap grew between the tools used to manage on-premises infrastructure and those used to manage IaaS. With some 3,000 on-premises servers still running within the Microsoft network infrastructure as of early 2019, Baxter saw a significant opportunity to improve the security, cost accounting, and manageability of these computing assets.

Microsoft customers face similar issues.

“Sometimes it doesn’t make sense to lift and shift everything immediately,” says Jian Yan, principal program manager for Azure Arc for servers. “If the hardware is paid for and it’s not at end-of-life, then it’s an investment they’ve already made.”

Baxter wanted Microsoft IT administrators to be able to manage the servers and virtual machines (VMs) with the same ease as from an Azure dashboard. Could there be a way to connect these assets to Azure?

“About a year ago, the manageability team started working with the Azure product group on a vision for how we could replicate the functionality of SCCM using Azure features,” Baxter says.

The cross-group team was especially interested in supporting software deployment and collecting data for configuration settings across the organization. Another goal was to improve anti-malware measures for Microsoft Digital’s entire hybrid environment with a unified set of Azure features.

The team quickly realized that many issues could be prevented or overcome by bringing on-premises servers into the Azure management tools. They decided to develop Azure solutions that cover multi-OS and hybrid environments rather than expand their use of SCCM capabilities.

Enter Azure Arc, an extension of Azure Resource Manager, now in public preview. The service brings Azure features that are typically available only in the public cloud to private and on-premises environments, including those that use non-Microsoft cloud services. It covers Azure Arc for servers, Kubernetes management, and Azure data services.

With Azure Arc, IT administrators can use the Azure Control Plane to collect and view system data from any environment (on-premises, Azure) or platform (Windows, Linux). When the assets are visible to Azure, it is much easier to apply standard security policies and gather relevant information from each with automated cloud services.

Who is going to use Azure Arc on their servers?

“There are many use cases for Azure Arc. It gives us an opportunity to streamline and reduce the tools we use to manage infrastructure,” Baxter says. “For example, at the Azure Control Plane level, we now have a framework enabling enterprise IT security and governance admins to apply Azure policies at scale.”

For customers, Azure Arc for servers could help IT manage assets across more than one cloud provider. The service enables administration of non-Azure cloud servers alongside Azure assets.

“Users are going to different clouds to acquire their data,” Yan says. “It puts IT in a very difficult position. They need a way to consolidate all these different pieces and standardize across the organization.”

[Learn more about Microsoft’s cloud-centric transformation, find out how the company adopted Azure Monitor, and discover what principles to keep in mind when implementing modern engineering.]

Reports from early adopters

Microsoft Digital is now in the process of deploying Azure Arc for servers at Microsoft, beginning with the Managed Workspaces team. The rollout has just started, with roughly 10 percent of formerly isolated Microsoft servers and VMs becoming visible to Azure within the past few weeks.

Now, all Microsoft teams can implement enterprise-wide governance programs like management groups and policies that protect the entire company.

The use of Azure services is strategically important for both Azure and Microsoft.

“Azure Arc, Guest Configuration policy, Azure Policy, and Management Groups together allow seamless governance and management of on-premises and multi-cloud resources with a single control plane,” Baxter says.

Heathcliff Anderson, a service engineer in the Managed Workspaces group, was one of the first to try out the tool.

“We started slowly by rolling out the agent on machines one by one. Azure has a nice prescriptive guide on the website on how to do that installation,” Anderson says.

The team soon discovered that there was a point in the process of registering with Azure that required an IT admin to visit a website and manually enter a code. By using the Service Principal Name feature in Azure, Anderson was able to quickly develop a PowerShell script that completes this user action through automation.

“After testing the script on one or two machines, we launched the job through SCCM, running the script against about 100 servers at first. It took about 10 minutes,” Anderson says.

Today, the Managed Workspaces team has activated Azure Arc on more than 300 virtual and physical production servers and is running it with no issues. The servers now automatically receive and implement Azure Policies from the central governance teams in alignment with Azure IaaS systems.

Manasi Choudhari, a program manager in the Managed Workspaces group, is pleased with the benefits that the extension has delivered so far. The next step is to reduce the volume of manual IT administration for the Managed Workspace team.

“We hope to use the Azure extension for automation around deploying scripts that are needed for on-prem servers,” Choudhari says. “It is very early, but these are very good features for us to explore.”

Other Microsoft teams also see the value of Azure Arc for servers.

“Tracking costs associated with on-prem servers has always been a difficult thing to do,” says Jeromy Statia, a principal software engineer responsible for securing the Windows Build pipeline. “We want to understand our resources and how they contribute to our services cost. An Azure subscription owner is very clear and defined. We know the cost of a service and who to go to when the server is not acting appropriately.”

Security policies are also easier to enforce with Azure Arc.

“In Azure, there’s this managed service identity that makes an app developer’s security management very easy,” Statia says. “It solves some of the worst practices and encourages best practices instead.”

The Managed Workspace team was able to provide specific product development input based on their experience so far with Azure Arc.

“The problem we’ve presented back to the product group,” Baxter says, “is right now, everyone has to download the package and connect it manually. How do we build this into the product so it’s set by default? How do we build the VM so it already has Arc Agent on it? We are asking the product team to make the agent more integrated.”

What’s next for Azure Arc for servers?

Having completed their initial rollout, the Managed Workspace team is anticipating the release of new Azure Arc capabilities.

“As extensions become available, we’ll run those and pilot those with the various groups,” Anderson says. “If we have any kind of configuration management policy changes that go out, now all of our security policies can be managed from Azure.”

Statia is especially looking forward to using Azure to support certificate auto-renewal. An Azure Key Vault Certificate Deployment extension (currently in Private Preview) keeps the certificate on any machine up to date.

“The reason I latched onto Arc Agent early was what I call the ‘bootstrap credential problem,’” Statia says. “Interacting with Azure always requires a pre-existing certificate. If you don’t already have a certificate, you need another method to get it.”

This could create a problem for users and require IT administrators to manage the certificates manually.

“With Azure,” Statia says, “I will no longer have to manage that credential for an on-premises server. We can use all the value-add of Azure in a standards-based way—soon, without having to worry about storing certificates with personal information exchange (PFX) files, the password that is managing PFX, or the deployment of the PFX package.”

In the future, the Azure product team plans to develop further inventory functionality for Azure Arc.

“The Manageability Platforms team at Microsoft is creating an Azure-based inventory solution, co-developed with the Azure product group, to replace our SCCM infrastructure,” Baxter says. “This will give us greater coverage and increase the breadth of data points we are able to collect.”

But this is just the beginning for Azure Arc.

“This is really an early stage of our journey,” Baxter says. “We are looking at expanding Azure Arc capabilities to leverage Azure Policy more widely.”

The team is also starting to support system configuration data collection across the entire Microsoft Digital server environment.

“The focus right now is around creating the foundation,” Baxter says. “We want to manage all our servers from Azure, so we can use the same tools for enterprise security and governance programs regardless of the asset’s location or operating system.”

Discover more about Azure Arc from the Microsoft Azure product group, including About Azure Arc, Azure Arc for servers, and Azure’s Cloud Adoption Framework.
