Merge pull request #94350 from MicrosoftDocs/release-bobbytreed-azure-arc

Ignite Ship Room

Author: SyntaxC4

articles/azure-arc/index.yml

@@ -0,0 +1,35 @@
+### YamlMime:Landing
+title: Azure Arc
+summary: Azure Arc extends Azure Resource Manager capabilities to Linux and Windows servers, as well as Kubernetes clusters on any infrastructure across on-premises, multi-cloud, and edge. With Azure Arc, customers can also run Azure data services anywhere, realizing the benefits of cloud innovation, including always up-to-date data capabilities, deployment in seconds (rather than hours), and dynamic scalability on any infrastructure. Azure Arc for servers is currently in public preview.
+
+metadata:
+  title: Azure Arc for servers
+  description: Learn about how to manage on-premises machines in Azure
+  author: bobbytreed
+  manager: carmonm
+  ms.service: azure-arc
+  ms.topic: landing-page
+  ms.date: 11/04/2019
+  ms.author: robreed
+
+landingContent:
+  
+  - title: Azure Arc overview
+    linkLists:
+     - linkListType: overview
+       links:
+          - text: Learn more about Azure Arc
+            url: https://aka.ms/Azure-Arc-Info
+  
+  - title: Connect machines to Azure using Azure Arc for servers
+    linkLists: 
+      - linkListType: overview
+        links:
+          - text: What is Azure Arc for servers?
+            url: ./servers/overview.md 
+      - linkListType: quickstart
+        links:
+          - text: Connect machines to Azure using Azure Arc for servers - Portal
+            url: ./servers/quickstart-onboard-portal.md
+          - text: Connect machines to Azure using Azure Arc for servers - PowerShell
+            url: ./servers/quickstart-onboard-portal.md

articles/azure-arc/servers/azcmagent-reference.md

@@ -0,0 +1,219 @@
+---
+title: Azure Connected Machine Agent CLI interface
+description: Reference documentation for the Azure Connected Machine agent CLI
+author: bobbytreed
+manager: carmonm
+services: azure-arc
+ms.service: azure-arc
+ms.subservice: azure-arc-servers
+ms.topic: reference
+ms.date: 11/04/2019
+ms.author: robreed
+---
+# Azure Connected Machine Agent CLI interface
+
+The `Azcmagent` (Azure Connected Machine Agent) tool is used to configure and troubleshoot a non-azure machines connection to Azure.
+
+The agent itself is a daemon process called `himdsd` on Linux, and a Windows Service called `himds` on Windows.
+
+In normal usage, `azcmagent connect` is used to establish a connection between this machine and Azure, and
+`azcmagent disconnect` if you decide you no longer want that connection. The other commands are for troubleshooting
+or other special cases.
+
+## Options
+
+```none
+  -h, --help      help for azcmagent
+  -v, --verbose   Increase logging verbosity to show all logs
+```
+
+## SEE ALSO
+
+* [azcmagent connect](#azcmagent-connect) - Connects this machine to Azure
+* [azcmagent disconnect](#azcmagent-disconnect) - Disconnects this machine from Azure
+* [azcmagent reconnect](#azcmagent-reconnect) - Reconnects this machine to Azure
+* [azcmagent show](#azcmagent-show) - Gets machine metadata and Agent status. This is primarily useful for troubleshooting.
+* [azcmagent version](#azcmagent-version) - Display the Hybrid Management Agent version
+
+## azcmagent connect
+
+Connects this machine to Azure
+
+### Synopsis
+
+Creates a resource in Azure representing this machine.
+
+This uses the authentication options provided to create a resource in Azure Resource Manager
+representing this machine. The resource is in the subscription and resource group requested,
+and data about the machine is stored in the Azure region specified by the location parameter.
+The default resource name is the hostname of this machine if not overridden.
+
+A certificate corresponding to the System-Assigned Identity of this machine is then downloaded
+and stored locally. Once this step completes the **Azure Connected Machine Metadata** Service and Guest
+Configuration Agent begin synchronizing with Azure cloud.
+
+Authentication options:
+
+* Access Token
+ `azcmagent connect --access-token <> --subscription-id <> --resource-group <> --location <>`
+* Service Principal ID and secret 
+ `azcmagent connect --service-principal-id <> --service-principal-secret <> --tenant-id <tenantid> --subscription-id <> --resource-group <> --location <>`
+* Device sign in (Interactive)
+ `azcmagent connect --tenant-id <> --subscription-id <> --resource-group <> --location <>`
+
+### Syntax
+
+```none
+azcmagent connect [flags]
+```
+
+### Options
+
+```none
+      --access-token string               Access token
+  -h, --help                              help for connect
+  -l, --location string                   Location of the resource [Required]
+      --physical-location string          Physical location of the resource
+  -g, --resource-group string             Name of the resource group. [Required]
+  -n, --resource-name string              Name of the resource. Defaults to Host Name
+  -i, --service-principal-id string       Service Principal Id
+  -p, --service-principal-secret string   Service Principal Secret
+  -s, --subscription-id string            Subscription Id [Required]
+  -t, --tags string                       Tags for resource
+      --tenant-id string                  Tenant Id
+```
+
+## azcmagent disconnect
+
+Disconnects this machine from Azure
+
+### Synopsis
+
+Deletes the resource in Azure that represents this server.
+
+This command uses the authentication options provided to remove the Azure Resource Manager
+resource representing this machine. After this point the **Azure Connected Machine Metadata Service**
+and Guest Configuration Agent will be disconnected. This command does not stop or remove
+the services: remove the package in order to do that.
+
+This command requires higher privileges than the "Azure Connected Machine Onboarding" role.
+
+Once a machine is disconnected, use `azcmagent connect`, not `azcmagent reconnect` if you want to create
+a new resource for it in Azure.
+
+Authentication Options:
+
+* Access Token
+ `azcmagent disconnect --access-token <>`
+* Service Principal ID and secret
+ `azcmagent disconnect --service-principal-id <> --service-principal-secret <> --tenant-id <tenantid>`
+* Interactive Device sign in
+ `azcmagent disconnect --tenant-id <>`
+
+### Syntax
+
+```none
+azcmagent disconnect [flags]
+```
+
+### Options
+
+```none
+      --access-token string               Access token
+  -h, --help                              help for disconnect
+  -r, --resource-group string             Name of the resource group
+  -n, --resource-name string              Name of the resource
+  -i, --service-principal-id string       Service Principal Id
+  -p, --service-principal-secret string   Service Principal Secret
+  -s, --subscription-id string            Subscription Id
+  -t, --tenant-id string                  Tenant Id
+```
+
+## azcmagent reconnect
+
+Reconnects this machine to Azure
+
+### Synopsis
+
+Reconnect machine with invalid credentials to Azure.
+
+If a machine already has a resource in Azure but is not able to authenticate to it, it can
+be reconnected using this command. This is possible if a machine was turned off long enough
+for its certificate to expire (at least 45 days).
+
+If a machine was disconnected with `azcmagent disconnect`, use `azcmagent connect` instead.
+
+This command uses the authentication options provided to retrieve new credentials corresponding
+to the Azure Resource Manager resource representing this machine.
+
+This command requires higher privileges than the **Azure Connected Machine Onboarding** role.
+
+Authentication Options
+
+* Access Token
+ `azcmagent reconnect --access-token <>`
+* Service Principal ID and secret
+ `azcmagent reconnect --service-principal-id <> --service-principal-secret <> --tenant-id <tenantid>`
+* Interactive Device sign in
+ `azcmagent reconnect --tenant-id <>`
+
+### Syntax
+
+```none
+azcmagent reconnect [flags]
+```
+
+### Options
+
+```none
+      --access-token string               Access token
+  -h, --help                              help for reconnect
+  -l, --location string                   Location of the resource
+  -g, --resource-group string             Name of the resource group.
+  -n, --resource-name string              Name of the resource. Defaults to Host Name
+  -i, --service-principal-id string       Service Principal Id
+  -p, --service-principal-secret string   Service Principal Secret
+  -s, --subscription-id string            Subscription Id
+      --tenant-id string                  tenant id
+```
+
+## azcmagent show
+
+Gets machine metadata and Agent status. This is primarily useful for troubleshooting.
+
+### Synopsis
+
+Gets machine metadata and Agent status. This is primarily useful for troubleshooting.
+
+
+### Syntax
+
+```
+azcmagent show [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for show
+```
+
+## azcmagent version
+
+Display the Hybrid Management Agent version
+
+### Synopsis
+
+Display the Hybrid Management Agent version
+
+### Syntax
+
+```none
+azcmagent version [flags]
+```
+
+### Options
+
+```none
+  -h, --help   help for version
+```

articles/azure-arc/servers/media/overview/arc-for-servers-onboarded-servers.png

@@ -0,0 +1,142 @@
+---
+title: Azure Arc for servers Overview
+description: Learn how to use Azure Arc for servers to automate the lifecycle of infrastructure and applications.
+services: azure-arc
+ms.service: azure-arc
+ms.subservice: azure-arc-servers
+author: bobbytreed
+ms.author: robreed
+keywords: azure automation, DSC, powershell, desired state configuration, update management, change tracking, inventory, runbooks, python, graphical, hybrid
+ms.date: 11/04/2019
+ms.custom: mvc
+ms.topic: overview
+---
+
+# What is Azure Arc for servers
+
+Azure Arc for servers allows you to manage machines which are outside of Azure.
+When a non-Azure machine is connected to Azure, it becomes a **Connected Machine** and is treated as a resource in Azure. Each **Connected Machine**
+has a Resource ID, is managed as part of a Resource Group inside a subscription, and benefits from standard Azure constructs such as Azure Policy and tagging.
+
+An agent package needs to be installed on each machine to connect it to Azure. The rest of this document explains the process in more detail.
+
+Machines will have a status of **Connected** or **Disconnected** based on how recently the agent has checked in. Each check-in is called a heartbeat. If a machine has not checked-in within the past 5 minutes, it will show as offline until connectivity is restored.  <!-- For more information on troubleshooting agent connectivity, see [Troubleshooting Azure Arc for servers](troubleshoot/arc-for-servers.md). -->
+
+![Connected servers](./media/overview/arc-for-servers-onboarded-servers.png)
+
+## Clients
+
+### Supported Operating Systems
+
+In Public Preview, we support:
+
+- Windows Server 2012 R2 and above
+- Ubuntu 16.04 and 18.04
+
+The Public Preview release is designed for evaluation purposes and should not be used to manage critical production resources.
+
+## Azure Subscription and Service Limits
+
+Please make sure you read the Azure Resource Manager limits, and plan for the number of the machines to be connected according to the guideline listed for the [subscription](../../azure-subscription-service-limits.md#subscription-limits---azure-resource-manager), and for the [resource groups](../../azure-subscription-service-limits.md#resource-group-limits). In particular, by default there is a limit of 800 servers per resource group.
+
+## Networking Configuration
+
+During installation and runtime, the agent requires connectivity to **Azure Arc service endpoints**. If outbound connectivity is blocked by Firewalls, make sure that the following URLs are not blocked by default. All connections are outbound from the agent to Azure, and are secured with **SSL**. All traffic can be routed via an **HTTPS** proxy. If you allow the IP ranges or domain names that the servers are allowed to connect to, you must allow port 443 access to the following Service Tags and DNS Names.
+
+Service Tags:
+
+* AzureActiveDirectory
+* AzureTrafficManager
+
+For a list of IP addresses for each service tag/region, see the JSON file - [Azure IP Ranges and Service Tags – Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). Microsoft publishes weekly updates containing each Azure Service and the IP ranges it uses. See [Service tags](https://docs.microsoft.com/azure/virtual-network/security-overview#service-tags), for more details.
+
+These DNS Names are provided in addition to the Service Tag IP range information because the majority of services do not currently have a Service Tag registration and, as such, the IPs are subject to change. If IP ranges are required for your firewall configuration, then the **AzureCloud** Service Tag should be used to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic.
+
+| Domain Environment | Required Azure service endpoints |
+|---------|---------|
+|management.azure.com|Azure Resource Manager|
+|login.windows.net|Azure Active Directory|
+|dc.services.visualstudio.com|Application Insights|
+|agentserviceapi.azure-automation.net|Guest Configuration|
+|*-agentservice-prod-1.azure-automation.net|Guest Configuration|
+|*.his.hybridcompute.azure-automation.net|Hybrid Identity Service|
+
+### Installation Network Requirements
+
+Download the [Azure Connected Machine Agent package](https://aka.ms/AzureConnectedMachineAgent) from our official distribution servers the below sites must be accessible from your environment. You may choose to download the package to a file share and have the agent installed from there. In this case, the onboarding script generated from the Azure portal may need to be modified.
+
+Windows:
+
+* `aka.ms`
+* `download.microsoft.com`
+
+Linux:
+
+* `aka.ms`
+* `packages.microsoft.com`
+
+See the section [Proxy server configuration](quickstart-onboard-powershell.md#proxy-server-configuration), for information on how to configure the agent to use your proxy.
+
+## Register the required Resource Providers
+
+Once the 'Feature Flag' registration has been approved, you must register the required Resource Providers.
+
+* **Microsoft.HybridCompute**
+* **Microsoft.GuestConfiguration**
+
+You can register the resource providers with the following commands:
+
+Azure PowerShell:
+
+```azurepowershell-interactive
+Login-AzAccount
+Set-AzContext -SubscriptionId [subscription you want to onboard]
+Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
+Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration
+```
+
+Azure CLI:
+
+```azurecli-interactive
+az account set --subscription "{Your Subscription Name}"
+az provider register --namespace 'Microsoft.HybridCompute'
+az provider register --namespace 'Microsoft.GuestConfiguration'
+```
+
+You can also register the Resource Providers using the portal by following the steps under [Azure portal](../../azure-resource-manager/resource-manager-supported-services.md#azure-portal).
+
+## Supported Scenarios
+
+After you register a node you can start managing your nodes using other Azure services.
+
+In Public Preview, the following scenarios are supported for **Connected Machines**.
+
+## Guest Configuration
+
+After connect the machine to Azure, you can assign Azure policies to **Connected Machines** using the same experience as policy assignment to Azure virtual machines.
+
+For more information, see [Understand Azure Policy's Guest Configuration](../../governance/policy/concepts/guest-configuration.md).
+
+The Guest Configuration Agent logs for a **Connected Machine** are in the following locations:
+
+* Windows - `%ProgramFiles%\AzureConnectedMachineAgent\logs\dsc.log`
+* Linux: - `/opt/logs/dsc.log`
+
+## Log Analytics
+
+Log data collected by the [Microsoft Monitoring Agent (MMA)](https://docs.microsoft.com/azure/azure-monitor/log-query/log-query-overview) and stored in Log Analytics workspace will now contain properties specific to the machine such as **ResourceId**, which can be used for the Resource centric log access.
+
+- Machines that already have the MMA agent installed, will have **Azure Arc** functionality enabled via updated Management Packs.
+- [MMA agent version 10.20.18011 or above](https://docs.microsoft.com/azure/virtual-machines/extensions/oms-windows#agent-and-vm-extension-version) is required for Azure Arc for servers integration.
+- When querying for log data in [Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/log-query-overview#log-queries), the returned data schema will contain the Hybrid **ResourceId** in the form `/subscriptions/<SubscriptionId/resourceGroups/<ResourceGroup>/providers/Microsoft.HybridCompute/machines/<MachineName>`.
+
+For more information, see [Get started with Log Analytics in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-portal).
+
+<!-- MMA agent version 10.20.18011 and later -->
+
+## Next Steps
+
+There are two methods to connect machines using Azure Arc for servers.
+
+* **Interactively** - Follow the [Portal Quickstart](quickstart-onboard-portal.md) to generate a script from the portal and execute it on the machine. This is the best option if you are connecting one machine at a time.
+* **At Scale** - Follow the [PowerShell Quickstart](quickstart-onboard-powershell.md) to create a Service Principal to connect machines non-interactively.