Merge pull request #183839 from MicrosoftDocs/master

12/30/2021 AM Publish

Author: Taojunshen

articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md

@@ -4,7 +4,7 @@ description: List of services that support managed identities for Azure resource
 services: active-directory
 author: barclayn
 ms.author: barclayn
-ms.date: 10/26/2021
+ms.date: 11/09/2021
 ms.topic: conceptual
 ms.service: active-directory
 ms.subservice: msi
@@ -81,6 +81,15 @@ All Azure Arc-enabled servers have a system assigned identity. You cannot disabl
 - [Authenticate against Azure resources with Azure Arc-enabled servers](../../azure-arc/servers/managed-identity-authentication.md)
 - [Using a managed identity with Azure Arc-enabled servers](../../azure-arc/servers/security-overview.md#using-a-managed-identity-with-azure-arc-enabled-servers)
 
+### Azure Arc resource bridge
+
+| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
+| --- | :-: | :-: | :-: | :-: |
+| System assigned | ![Available][check] | Not available | Not available | Not available |
+| User assigned | Not available | Not available | Not available | Not available |
+
+Azure Arc resource bridge currently [supports system assigned identity](../../azure-arc/resource-bridge/security-overview.md). The managed service identity is used by agents in the resource bridge for communication with Azure.
+
 ### Azure Automanage
 
 | Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
@@ -116,7 +125,6 @@ Refer to the following list to use a managed identity with [Azure Blueprints](..
 - [Azure portal - blueprint assignment](../../governance/blueprints/create-blueprint-portal.md#assign-a-blueprint)
 - [REST API - blueprint assignment](../../governance/blueprints/create-blueprint-rest-api.md#assign-a-blueprint)
 
-
 ### Azure Cognitive Search
 
 Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
@@ -144,7 +152,6 @@ Refer to the following list to configure managed identity for Azure Container In
 - [Azure Resource Manager template](~/articles/container-instances/container-instances-managed-identity.md#enable-managed-identity-using-resource-manager-template)
 - [YAML](~/articles/container-instances/container-instances-managed-identity.md#enable-managed-identity-using-yaml-file)
 
-
 ### Azure Container Registry Tasks
 
 Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
@@ -238,7 +245,6 @@ Managed identity type | All Generally Available<br>Global Azure Regions | Azure
 | System assigned | ![Available][check] | ![Available][check] | Not available | Not available |
 | User assigned | Preview | ![Available][check] | Not available | Not available |
 
-
 For more information, see [Use managed identities in Azure Kubernetes Service](../../aks/use-managed-identity.md).
 
 ### Azure Log Analytics cluster
@@ -257,7 +263,6 @@ Managed identity type | All Generally Available<br>Global Azure Regions | Azure
 | System assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |
 | User assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |
 
-
 Refer to the following list to configure managed identity for Azure Logic Apps (in regions where available):
 
 - [Azure portal](../../logic-apps/create-managed-service-identity.md#enable-system-assigned-identity-in-azure-portal)
@@ -298,7 +303,6 @@ Refer to the following list to configure managed identity for Azure Policy (in r
 - [Azure Resource Manager templates](/azure/templates/microsoft.authorization/policyassignments)
 - [REST](/rest/api/policy/policyassignments/create)
 
-
 ### Azure Service Fabric
 
 [Managed Identity for Service Fabric Applications](../../service-fabric/concepts-managed-identity.md) is available in all regions.
@@ -344,8 +348,6 @@ Refer to the following list to configure managed identity for Azure Virtual Mach
 - [Azure Resource Manager templates](qs-configure-template-windows-vm.md)
 - [REST](qs-configure-rest-vm.md)
 
-
-
 ### Azure Virtual Machines
 
 | Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
@@ -362,7 +364,6 @@ Refer to the following list to configure managed identity for Azure Virtual Mach
 - [REST](qs-configure-rest-vm.md)
 - [Azure SDKs](qs-configure-sdk-windows-vm.md)
 
-
 ### Azure VM Image Builder
 
 | Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
@@ -504,5 +505,4 @@ Managed identity type | All Generally Available<br>Global Azure Regions | Azure
 > [!NOTE]
 > You can use Managed Identities to authenticate an [Azure Stream analytics job to Power BI](../../stream-analytics/powerbi-output-managed-identity.md).
 
-
-[check]: media/services-support-managed-identities/check.png "Available"
+[check]: media/services-support-managed-identities/check.png "Available"

articles/azure-arc/breadcrumb/toc.yml

@@ -12,3 +12,6 @@
   - name: Azure Arc
     tocHref: /azure-arc/kubernetes/
     topicHref: /azure/azure-arc/index
+  - name: Azure Arc
+    tocHref: /azure-arc/vmware-vsphere/
+    topicHref: /azure/azure-arc/index

articles/azure-arc/index.yml

@@ -10,9 +10,9 @@ metadata:
   description: Learn how to deploy resources to complex and distributed environments across on-premises, edge and multicloud. Azure Arc enables deployment of Azure services anywhere and extends Azure management to any infrastructure.
   ms.service: azure-arc
   ms.topic: hub-page
-  author: MGoedtel
+  author: mgoedtel
   ms.author: magoedte
-  ms.date: 06/28/2021
+  ms.date: 10/25/2021
   ms.custom: e2e-hybrid
 
 # highlightedContent section (optional)
@@ -133,3 +133,12 @@ conceptualContent:
         - url: /sql/sql-server/azure-arc/configure-advanced-data-security
           itemType: how-to-guide
           text: Configure advanced data security
+    # Card
+    - title: Azure Arc-enabled private clouds
+      links:
+        - url: /resource-bridge/overview
+          itemType: overview
+          text: Azure Arc resource bridge overview
+        - url: /vmware-vsphere/quick-start-connect-vcenter-to-arc-using-script
+          itemType: quickstart
+          text: Connect your VMware vCenter to Azure Arc

articles/azure-arc/platform/conceptual-custom-locations.md

@@ -0,0 +1,46 @@
+---
+title: "Overview of Custom Locations with Azure Arc"
+services: azure-arc
+ms.service: azure-arc
+ms.date: 10/13/2021
+ms.topic: conceptual
+author: mgoedtel
+ms.author: magoedte
+description: "This article provides a conceptual overview of Custom Locations capability of Azure Arc"
+---
+
+# What is a Custom location?
+
+As an extension of the Azure location construct, *Custom Locations* provides a reference as deployment target which administrators can setup, and user can point to, when creating an Azure resource. It abstracts the backend infrastructure details from application developers, database admin users, or other users in the organization. Since Custom Locations is an Azure Resource Manager resource that supports [Role based Access Control](../../role-based-access-control/overview.md) (RBAC), an administrator or operator can determine which users have access to create resource instances on:
+
+* A namespace within a Kubernetes cluster to target deployment of Azure Arc-enabled SQL Managed Instance and Azure Arc-enabled PostgreSQL Hyperscale instances.
+* The compute, storage, networking, and other vCenter or Azure Stack HCI resources to deploy and manage VMs.
+
+They are represented by a custom location by assigning RBAC permissions to users within your organization on the custom location.
+
+For example, a cluster operator can create a custom location **Contoso-Michigan-Healthcare-App** representing a namespace on a Kubernetes cluster in your organization's Michigan Data Center and assign permissions to application developers on this custom location to deploy healthcare related web applications without the developer having to know details of the namespace and Kubernetes cluster where the application would be deployed on.
+
+On Arc-enabled Kubernetes clusters, Custom Locations represents an abstraction of a namespace within the Azure Arc-enabled Kubernetes cluster. Custom Locations creates the granular [RoleBindings and ClusterRoleBindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) necessary for other Azure services to access the cluster. These other Azure services require cluster access to manage resources you want to deploy on your clusters.
+
+## Architecture for Arc-enabled Kubernetes
+
+When an administrator enables the Custom Locations feature on the cluster, a ClusterRoleBinding is created on the cluster, authorizing the Azure AD application used by the Custom Locations Resource Provider (RP). Once authorized, Custom Locations RP can create ClusterRoleBindings or RoleBindings needed by other Azure RPs to create custom resources on this cluster. The cluster extensions installed on the cluster determines the list of RPs to authorize.
+
+[ ![Use custom locations](../kubernetes/media/conceptual-custom-locations-usage.png) ](../kubernetes/media/conceptual-custom-locations-usage.png#lightbox)
+
+[!INCLUDE [preview features note](../kubernetes/includes/preview/preview-callout.md)]
+
+When the user creates a data service instance on the cluster:
+1. The **PUT** request is sent to Azure Resource Manager.
+1. The **PUT** request is forwarded to the Azure Arc-enabled Data Services RP.
+1. The RP fetches the `kubeconfig` file associated with the Azure Arc-enabled Kubernetes cluster, on which the Custom Location exists.
+   * Custom Location is referenced as `extendedLocation` in the original PUT request.
+1. Azure Arc-enabled Data Services RP uses the `kubeconfig` to communicate with the cluster to create a custom resource of the Azure Arc-enabled Data Services type on the namespace mapped to the Custom Location.
+   * The Azure Arc-enabled Data Services operator was deployed via cluster extension creation before the Custom Location existed.
+1. The Azure Arc-enabled Data Services operator reads the new custom resource created on the cluster and creates the data controller, translating into realization of the desired state on the cluster.
+
+The sequence of steps to create the SQL managed instance and PostgreSQL instance are identical to the sequence of steps described above.
+
+## Next steps
+
+* Use our quickstart to [connect a Kubernetes cluster to Azure Arc](../kubernetes/quickstart-connect-cluster.md). Then [Create a custom location](../kubernetes/custom-locations.md) on your Azure Arc-enabled Kubernetes cluster.

articles/azure-arc/resource-bridge/media/overview/architecture-overview.png

@@ -0,0 +1,115 @@
+---
+title: Azure Arc resource bridge (preview) overview
+description: Learn how to use Azure Arc resource bridge (preview) to support VM self-servicing on Azure Stack HCI, VMware, and System Center Virtual Machine Manager.
+ms.date: 11/08/2021
+ms.topic: overview
+ms.custom: references_regions 
+---
+
+# What is Azure Arc resource bridge (preview)?
+
+Azure Arc resource bridge (preview) is part of the core Azure Arc platform, and is designed to host other Azure Arc services. In this release, the resource bridge supports VM self-servicing and management from Azure, for virtualized Windows and Linux virtual machines hosted in an on-premises environment on [Azure Stack HCI](/azure-stack/hci/overview) and VMware. The resource bridge is a packaged virtual machine, which hosts a *management* Kubernetes cluster that requires no user management. This virtual appliance delivers the following benefits:
+
+* Enables VM self-servicing from Azure without having to create and manage a Kubernetes cluster
+* It is fully supported by Microsoft, including update of core components.
+* Designed to recover from software failures.
+* Supports deployment to any private cloud hosted on Hyper-V or VMware from the Azure portal or using the Azure Command-Line Interface (CLI).
+
+All management operations are performed from Azure, no local configuration is required on the appliance.
+
+## Overview
+
+Azure resource bridge (preview) hosts other components such as Custom Locations, cluster extensions, and other Azure Arc agents in order to deliver the level of functionality with the private cloud infrastructures it supports. This complex system is composed of three layers:
+
+* The base layer that represents the resource bridge and the Arc agents
+* The platform layer that includes the Custom Location and Cluster extension
+* The solution layer for each service supported by Arc resource bridge (that is, the different type of VMs).
+
+:::image type="content" source="media/overview/architecture-overview.png" alt-text="Azure Arc resource bridge architecture diagram." border="false":::
+
+Azure Arc resource bridge (preview) can host other Azure services or solutions running on-premises. For this preview, there are two objects hosted on the Arc resource bridge (preview):
+
+* Cluster extension: Is the Azure service deployed to run on-premises. For the preview release, it supports two services:
+
+   - Azure Arc-enabled VMware
+
+   - Azure Arc-enabled Azure Stack HCI
+
+* Custom Locations: Is a deployment target, where you can create Azure resources. It maps to different resource for different Azure services. For example, for Arc-enabled VMware, the Custom Locations resource maps to an instance of vCenter, and for Arc-enabled Azure Stack HCI, it maps to an HCI cluster instance.
+
+Custom Locations and cluster extension are both Azure resources, they are linked to the Azure Arc resource bridge (preview) resource in Azure Resource Manager. When you create an on-premises VM from Azure, you can select the custom location, and that routes that *create action* to the mapped vCenter or Azure Stack HCI cluster.
+
+There is a set of resources unique to the infrastructure. For example, vCenter has a resource pool, network, and template resources. During VM creation, these resources need to be specified. With Azure Stack HCI, you just need to select the custom location, network and template to create a VM.
+
+To summarize, the Azure resources are projections of the resources running in your on-premises private cloud. If the on-premises resource is not healthy, it can impact the health of the related resources. For example, if the Arc resource bridge (preview) has been deleted by accident, all the resources hosted in the Arc resource bridge (preview) are impacted. That is, the Custom Locations and cluster extensions are deleted as a result. The actual VMs are not impacted, as they are running on vCenter, but the management path to those VMs is interrupted. You won't be able to start/stop the VM from Azure. It is not recommended to manage or modify the Arc resource bridge (preview) using any on-premises applications directly.
+
+## Benefits of Azure Arc resource bridge (preview)
+
+Through the Azure Arc resource bridge (preview), you can accomplish the following for each private cloud infrastructure from Azure:
+
+* VMware vSphere - By registering resource pools, networks, and VM templates in Azure you can represent a subset of your vCenter resources in Azure to enable self-service. Integration with Azure allows you to not only manage access to your vCenter resources in Azure to maintain a secure environment, but also to perform various operations on the VMware virtual machines that are enabled by Arc-enabled VMware vSphere:
+
+- Start, stop, and restart a virtual machine
+- Control access and add Azure tags
+- Add, remove, and update network interfaces
+- Add, remove, and update disks and update VM size (CPU cores and memory)
+- Enable guest management
+- Install extensions
+
+* Azure Stack HCI - You can provision and manage on-premises Windows and Linux virtual machines (VMs) running on Azure Stack HCI clusters.
+
+## Prerequisites
+
+[Azure CLI](/cli/azure/install-azure-cli) is required to deploy the Azure Arc resource bridge on supported private cloud environments.
+
+If you are deploying on VMware, a x64 Python environment is required. The [pip](https://pypi.org/project/pip/) package installer for Python is also required.
+
+If you are deploying on Azure Stack HCI, the x32 Azure CLI installer can be used to install Azure CLI.
+
+### Supported regions
+
+Azure Arc resource bridge currently supports the following Azure regions:
+
+- East US
+
+- West Europe
+
+### Regional resiliency
+
+While Azure has a number of redundancy features at every level of failure, if a service impacting event occurs, this preview release of Azure Arc resource bridge does not support cross-region failover or other resiliency capabilities. In the event of the service becoming unavailable, the on-premises VMs continue to operate unaffected. Management from Azure is unavailable during that service outage.
+
+### Private cloud environments
+
+The following private cloud environments and their versions are officially supported for the Azure Arc resource bridge:
+
+* VMware vSphere version 6.5
+* Azure Stack HCI
+
+### Required Azure permissions
+
+* To onboard the Arc resource bridge, you are a member of the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role in the resource group.
+
+* To read, modify, and delete the resource bridge, you are a member of the **Name of role** role in the resource group.
+
+### Networking
+
+The Arc resource bridge communicates outbound securely to Azure Arc over TCP port 443. If the appliance needs to connect through a firewall or proxy server to communicate over the internet, it communicates outbound using the HTTPS protocol.
+
+If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs listed below are not blocked.
+
+URLS:
+
+| Agent resource | Description |
+|---------|---------|
+|`https://mcr.microsoft.com`|Microsoft container registry|
+|`https://*.his.arc.azure.com`|Azure Arc Identity service|
+|`https://*.dp.kubernetesconfiguration.azure.com`|Azure Arc configuration service|
+|`https://*.servicebus.windows.net`|Cluster connect|
+|`https://guestnotificationservice.azure.com` |Guest notification service|
+|`https://*.dp.prod.appliances.azure.com`|Resource bridge data plane service|
+|`https://ecpacr.azurecr.io` |Resource bridge container image download |
+|`.blob.core.windows.net`<br> `*.dl.delivery.mp.microsoft.com`<br> `*.do.dsp.mp.microsoft.com` |Resource bridge image download |
+
+## Next steps
+
+To learn more about how Azure Arc-enabled VMware vSphere extends Azure's governance and management capabilities to VMware vSphere infrastructure, see the following [Overview](/vmware-vsphere/overview.md) article.