Azure Automanage (1yr later)

Azure VM health sprawl

Azure Automanage has come some way since its initial announcement at Microsoft Ignite (October 2020) as a Public Preview (which it still is). I covered the topic in two previous articles – My 2-cents: Azure Automanage and Azure Automanage (The Fallout).

Within the last year, some things have changed and some are still the same. Let’s review what’s going on within the service itself.

The packaged services come at a price. Make sure you understand the potential costs that may be incurred by enabling these packaged services.

Overview

This is a service that simplifies discovering, on-boarding, and configuring a number of Azure services that target virtual machines. These packaged services are the “best practices” type of services in Azure. They help customers enhance the reliability, security, and management of virtual machines.

There are certain prerequisites to consider (some unchanged, some updated since the initial release) before trying to enable Azure Automanage:

  • Support for Windows Server and Linux distributions (new)
  • Supported regions list has expanded (initially it was only 5 regions, now it’s 15 regions)
  • Updated permissions (RBAC), depending on whether it’s the first time you enable it or it’s already enabled on other machines
  • Still no support for Sandbox subscriptions (i.e. Microsoft Learn)
  • Still no support for Windows 10/11

Supported regions include – West Europe, North Europe, Central US, East US, East US 2, West US, West US 2, Canada Central, West Central US, South Central US, Japan East, UK South, AU East, AU Southeast, Southeast Asia. This also means that any data processed/stored will remain within the region.

As far as the role-based access control (RBAC) model goes, if you enable it for the first time, the user must have one of the following:

  • Owner role on the subscription(s)
  • Contributor and User Access Administrator on the subscription(s)

In case you have already enabled it, then on the resource group scope (where the virtual machines are) you need to assign the user the Contributor role. You should be aware that the service will automatically grant the Contributor permission to the Automanage API App id: d828acde-4b48-47f5-a6e8-52460104a052.

Packaged Services

Since its initial release, the number of services has expanded, which is a good thing.

Azure Automanage participating services

Since two different sets of operating systems are supported, the list of services differs slightly between them.

In the case of Windows Server, we are talking about 11 Azure services, and for Linux distributions there are 9. In either case, on-boarding will be automatic. This is based on the Automanage Machine Best Practices configuration profile. If you would like to learn more, check the Cloud Adoption Framework section on Azure Server Management.

Supported Windows Server editions are 2012/R2, 2016, 2019, 2022 and 2022 Azure Edition. The supported Linux distributions and versions are CentOS 7.3+/8, RHEL 7.4+/8, Ubuntu 16.04/18.04 and SLES 12 (SP3-SP5 only).
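As an added example (not Microsoft's code), the following pre-flight check encodes the region and operating-system prerequisites listed above and classifies VM records the way the portal validation does (conformant, or an error naming the unsupported OS). The Azure location short names used for the regions and the "distro major[.minor] [spN]" release-string format are assumptions.

```python
# Added example, not Microsoft's code: an eligibility pre-check for Azure Automanage
# on-boarding, built from the region and OS lists in the article. The location
# short names are an assumed mapping of the article's region display names.
import re

SUPPORTED_REGIONS = {  # the 15 regions from the article, as Azure location names
    "westeurope", "northeurope", "centralus", "eastus", "eastus2", "westus",
    "westus2", "canadacentral", "westcentralus", "southcentralus", "japaneast",
    "uksouth", "australiaeast", "australiasoutheast", "southeastasia",
}
# Windows Server editions listed as supported (Windows 10/11 deliberately absent)
WINDOWS_SERVER = {"2012", "2012 r2", "2016", "2019", "2022", "2022 azure edition"}
LINUX_PATTERN = re.compile(r"(centos|rhel|ubuntu|sles)\s+(\d+)(?:\.(\d+))?(?:\s+sp(\d+))?")


def linux_supported(release: str) -> bool:
    """Check 'distro major[.minor] [spN]' against CentOS 7.3+/8, RHEL 7.4+/8, Ubuntu 16.04/18.04, SLES 12 SP3-SP5."""
    m = LINUX_PATTERN.fullmatch(release.lower().strip())
    if not m:
        return False
    distro, major = m.group(1), int(m.group(2))
    minor = int(m.group(3) or 0)
    sp = int(m.group(4)) if m.group(4) else None
    if distro == "centos":
        return (major == 7 and minor >= 3) or major == 8
    if distro == "rhel":
        return (major == 7 and minor >= 4) or major == 8
    if distro == "ubuntu":
        return (major, minor) in {(16, 4), (18, 4)}
    return major == 12 and sp is not None and 3 <= sp <= 5  # sles


def check_vm(location: str, os_family: str, os_release: str) -> tuple[bool, str]:
    """Return (eligible, status) for one VM: region check first, then OS check."""
    if location.lower() not in SUPPORTED_REGIONS:
        return False, f"Error: region {location} is not supported"
    if os_family.lower() == "windows":
        if os_release.lower() in WINDOWS_SERVER:
            return True, "Conformant"
        return False, f"Error: unsupported operating system Windows {os_release}"
    if os_family.lower() == "linux" and linux_supported(os_release):
        return True, "Conformant"
    return False, f"Error: unsupported operating system {os_release}"


if __name__ == "__main__":  # constructed inventory mirroring the article's two machines
    for name, loc, fam, rel in [("jumphostvm1", "westeurope", "windows", "10"),
                                ("linuxbox2", "westeurope", "linux", "ubuntu 18.04")]:
        print(name, *check_vm(loc, fam, rel))
```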

Participating services table

The table can be downloaded and it contains usable links inside. Click on the link or button below.

On-boarding Virtual Machines in Automanage

The process of on-boarding through the Azure Portal is still simple and straightforward. Check out this article for more information.

You can also use the built-in Azure Policy to enable Azure Automanage at scale. Eligible virtual machines that fall within the policy scope are on-boarded based on the DeployIfNotExists effect. Check out this article for more information.

Azure Automanage policies

In case you will be using the portal, you will need three pieces of information to onboard a virtual machine for the first time:

  1. Selection of machines (eligible ones) for on-boarding
  2. Configuration Profile (one of the three, with Default preference set to Production)
  3. Automation account (default setting is to create one)

Enable automanage with Production configuration profile

You can select any machine in the list, but after the validation checks the service will flag each as conformant or not. In this case, jumphostvm1 is a Windows 10 machine, so it’s reporting an Error. The other one, linuxbox2, runs a supported operating system.

On-boarding process preview (based on status)

When you click on the status message, the service will display information on why the on-boarding failed.

Virtual machine on-boarding error details

The detected, unsupported operating system is Windows 10.

Windows Server Azure Edition support

This is one of the new features of Azure Automanage, for the Windows Server 2022 Azure Edition images (GUI and Core). Supported capabilities are:

  • Hotpatch (Preview) – ability to apply security updates without a reboot. (more info)
  • SMB over QUIC – ability to securely connect mobile users and branches to edge servers over untrusted networks (uses HTTP/3). (more info)
  • Extended network for Azure – extend on-premises subnets to Azure subnets. (more info)

For more information, check out the following article.

Off-boarding Virtual Machines in Automanage

Disabling automanagement of a virtual machine results in the following behavior:

  • There will be no changes to the virtual machine’s configuration or the on-boarded services.
  • Existing service charges will continue to be incurred.
  • Any Automanage actions will stop immediately.

Off-board a virtual machine

In other words, once you initiate the process, the machine will be “evicted”. After that, you need to off-board each enabled service individually to avoid further charges.

Off-boarding confirmation dialog options

Conclusion

I stand by my initial conclusion – this service has potential. Kudos for extending the number of packaged services. They made some interface tweaks, as well as renaming some of the policies. Adding support for Linux and integration with Azure Arc is more than welcome, although some features are still missing.

It would be great if, during off-boarding, you got a full list of the services enabled for the virtual machine. This would help with disabling them and performing cleanup.

For additional information refer to the following article on Microsoft Docs.

About Dimitar Grozdanov (36 Articles)
Engineer. 25+ years “in the field”. Cloud Solution Architect. Cloud Security MVP. Trainer. Co-founder/Supporter of Tech Communities. Speaker. Blogger. Parent. Passionate about craft beer and hanging out with family and friends.
