Azure Arc Notes

dingding 好物分享

Azure Arc simplifies governance and management by delivering a consistent multicloud and on-premises management platform.

Azure Arc provides a centralized, unified way to:

  • Manage your entire environment together by projecting your existing non-Azure and/or on-premises resources into Azure Resource Manager.
  • Manage virtual machines, Kubernetes clusters, and databases as if they are running in Azure.
  • Use familiar Azure services and management capabilities, regardless of where your resources live.
  • Continue using traditional ITOps while introducing DevOps practices to support new cloud native patterns in your environment.
  • Configure custom locations as an abstraction layer on top of Azure Arc-enabled Kubernetes clusters and cluster extensions.

Diagram showing the Azure Arc management control plane.

 

Service Principle

Creae a new Azure Arc service principle:

You  can create a long client secret period using cutom option.

You wont be able to find it from the resource group. 

It will be found from Enterprise application in Entra ID and can be searched using service principle name or id.

It also has a record in Entra ID - App registrations - All applications.

Search it and the application will shows there too.
You can change secret from this application you found from app registration: 

Manully install azure arc module:

Not necessary

Install-Module -Name Az.ConnectedMachine
If you got azcmagent is not recognized error, run following two commands:
  •     Invoke-WebRequest -UseBasicParsing -Uri "
    https://gbl.his.arc.azure.com/azcmagent-windows

    " -TimeoutSec 30 -OutFile "$env:TEMP/install_windows_

    azcmagent.ps

    1";

  •     & "$env:TEMP/install_windows_
    azcmagent.ps

    1";

wget https://

gbl.his.arc.azure.com

/azcmagent/latest/AzureConnectedMachineAgent.msi

Azure Arc - Onboarding On-Prem Machine

Add on-prem machine into Azure Arc:

Add a server with Azure Arc

Download or Copy / Paste the code into Linux or Windows machine to run. 

It will download the installation package, then install the downloaded hybrid agent, eventually run the connect command to connect to ARC portal.


try {
    $env:SUBSCRIPTION_ID = "d9fzzzz-zzz-zz-zzzz-zzzzzb9";
    $env:RESOURCE_GROUP = "RG-SERVERS";
    $env:TENANT_ID = "adfd-dfdfd-dfdfd-dfdfd-dfdfdf";
    $env:LOCATION = "eastus";
    $env:AUTH_TYPE = "token";
    $env:CORRELATION_ID = "yyy980-dfd-ad--fdsafd-fd-fdf-dfdfd";
    $env:CLOUD = "AzureCloud";
    
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072;
    # Download the installation package
    Invoke-WebRequest -UseBasicParsing -Uri "

https://aka.ms/azcmagent-windows

" -TimeoutSec 30 -OutFile "$env:TEMP/install_windows_

azcmagent.ps

1";
    # Install the hybrid agent
    & "$env:TEMP/install_windows_

azcmagent.ps

1";
    if ($LASTEXITCODE -ne 0) { exit 1; }
    # Run connect command
    & "$env:ProgramW6432/AzureConnectedMachineAgent/azcmagent.exe" connect --resource-group "$env:RESOURCE_GROUP" --tenant-id "$env:TENANT_ID" --location "$env:LOCATION" --subscription-id "$env:SUBSCRIPTION_ID" --cloud "$env:CLOUD" --correlation-id "$env:CORRELATION_ID";
}
catch {
    $logBody = @{subscriptionId="$env:SUBSCRIPTION_ID";resourceGroup="$env:RESOURCE_GROUP";tenantId="$env:TENANT_ID";location="$env:LOCATION";correlationId="$env:CORRELATION_ID";authType="$env:AUTH_TYPE";operation="onboarding";messageType=$_.FullyQualifiedErrorId;message="$_";};
    Invoke-WebRequest -UseBasicParsing -Uri "

https://gbl.his.arc.azure.com/log

" -Method "PUT" -Body ($logBody | ConvertTo-Json) | out-null;
    Write-Host  -ForegroundColor red $_.Exception;
}


Install Extenstion (AMA)

Edit Windows Security Events via AMA connector, add Data Collection Rule for your resources:

Manual Update Azure Arc Agent:

  1. Sign in to the computer with an account that has administrative rights.
  2. Download the latest agent installer from https://
    aka.ms

    /AzureConnectedMachineAgent

  3. Run AzureConnectedMachineAgent.msi to start the Setup Wizard.

# Alternative way via CLI

  • msiexec.exe /i AzureConnectedMachineAgent.msi /qn /l*v "C:/Support/Logs/azcmagentupgradesetup.log"
After installed, following command can do offboarding
azcmagent disconnect --service-principal-id 0c11111-90e6-4803-ae4e-57d319e111f --service-principal-secret ZO11111JWX111107Z1kthm-ZdhO

Following command can do onboarding.

azcmagent connect --service-principal-id 0c11111-90a6-4803-aa4e-57d319e111f --service-principal-secret ZO11111JWX111107Z1kthm-ZdhO --tenant-id 7911111-5cac-4357-aa96-49b1111160a --subscription-id a511111-e4e7-41f0-b115-94fa1111158 --resource-group "RG-ARC-PROD01" --location "eastus"

Offboard Machine from Azure Arc

There are quite a few components need to be removed beside ARC agent. ( Azure Connected Machine Agent)
  1. Run offboarded script to offboard from MDE
  2. Uninstall all agents

  4. Uninstall Azure Connected Machine Agent

4. Run Powershell script to revoke MDE license

Following command can do onboarding.

azcmagent connect --service-principal-id 0c11111-90a6-4803-aa4e-57d319e111f --service-principal-secret ZO11111JWX111107Z1kthm-ZdhO --tenant-id 7911111-5cac-4357-aa96-49b1111160a --subscription-id a511111-e4e7-41f0-b115-94fa1111158 --resource-group "RG-ARC-PROD01" --location "eastus"

Following command can do offboarding:

azcmagent disconnect --service-principal-id 0c11111-90e6-4803-ae4e-57d319e111f --service-principal-secret ZO11111JWX111107Z1kthm-ZdhO

azcmagent connect / disconnect

Another use of the azcmagent tool is to remove a server and then to connect it again, even if the Azure Arc Connected Machine resource has been deleted from Azure. This does not remove or reinstall the agent and its services on the virtual machine. Both parameters do require you to provide valid credentials, in the way the disconnect method does.

azcmagent disconnect --service-principal-id 0c11111-90e6-4803-ae4e-57d319e111f --service-principal-secret ZO11111JWX111107Z1kthm-ZdhO
azcmagent connect --service-principal-id 0c11111-90a6-4803-aa4e-57d319e111f --service-principal-secret ZO11111JWX111107Z1kthm-ZdhO --tenant-id 7911111-5cac-4357-aa96-49b1111160a --subscription-id a511111-e4e7-41f0-b115-94fa1111158 --resource-group "RG-ARC-PROD01" --location "eastus"

Note: If you leave out the service principal ID and secret components, Windows will give you the interactive browser login experience to provide authentication credentials. Learn more about the authentication options.

This disconnect and connect method is also recommended for machines that have not sent a heartbeat signal to Azure in more than 45 days, after which they will automatically be deregistered.

 Commands:

azcmagent disconnect --service-principal-id <serviceprincipalAppID> --service-principal-secret <serviceprincipalPassword>
azcmagent connect --service-principal-id <serviceprincipalAppID> --service-principal-secret <serviceprincipalPassword> --tenant-id <tenantID>
 --subscription-id <subscriptionID> --resource-group <ResourceGroupName> --location <resourceLocation>

 

Reference

  • https://blog.51sec.org/2024/04/azure-sentinel-onboarding-log-sources.html
https://blog.51sec.org

版权声明:
作者:dingding
链接:https://www.techfm.club/p/218166.html
来源:TechFM
文章版权归作者所有,未经允许请勿转载。

THE END
分享
二维码
< <上一篇
下一篇>>