I'm not too familiar with Azure beyond using it for email and identity services, and the majority of our servers are still on-premises. However, we're looking to onboard between 600 and 1400 servers to Azure Arc and potentially deploy Defender for Cloud as part of that process.
My main confusion lies in how to structure our subscriptions and resource groups effectively. It seems that the more subscriptions and resource groups we create, the more complicated the onboarding process will become, especially since we'll need to pinpoint which subscription and resource group each server should be onboarded to. It's crucial that these subscriptions and resource groups are set up correctly with the right access permissions.
I'm planning to use Ansible to deploy this to 500-600 Linux servers, but I'm also puzzled about how to handle Windows Server onboarding. Any advice on structuring these subscriptions and resource groups or best practices using Ansible would be greatly appreciated!
2 Answers
You can definitely use Ansible for Windows too! Another option is to create a CSV file and loop through it using PowerShell. We set up our environment to help with alerting and monitoring as we transitioned to a hybrid setup, using Azure scopes to target specific subscriptions. It sounds like a good opportunity to streamline your onboarding process by utilizing existing tools like Ansible.
But how does Ansible connect to Windows servers? Is it through WinRM? I think many of our servers don't have that configured. Plus, we need to figure out how to associate GPO or Ansible with the right subscription/resource group for onboarding.
Based on my experience consulting, there are two main approaches to structuring Azure Arc.
1. You can create a Cloud Adoption Framework to guide where your Arc-enabled servers should go, aligning with business operations, which requires a lot of groundwork before you enable Arc.
2. Alternatively, you could place all of your Arc-enabled servers in a single subscription, which is common for companies new to Azure. However, managing which resource group each server belongs to can become tricky, especially if you are managing Role-Based Access Control (RBAC). The good news is that re-enrolling Arc-enabled VMs is straightforward—remove the service and re-enroll them in a different subscription as needed.
Check this link for more insights on methods for enrolling servers: https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal.
If you choose to enroll all Arc-enabled servers to a single subscription, one strategy is to use a single resource group. Resource Mover could effectively shift resource groups if needed, since Arc-enabled VMs don’t have a backend within Azure, so the operations for moving are quite quick.

I’ve used both methods for onboarding. Ansible documentation provides playbooks specifically for Azure Arc, which can be helpful. You can find the details here: https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-ansible-playbooks. If you pair that with a CSV for your machine list in a loop, it can make things simpler.
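A worked illustration of the CSV-driven approach both answers describe, written as an added example for this thread (it is not code from the original post, from Ansible, or from Microsoft's onboarding playbooks): a script that reads a machine list naming the subscription and resource group each server should land in, validates every row, and emits an Ansible JSON inventory grouped by OS with the Arc placement as per-host variables. All hostnames, subscription IDs, resource groups and tags in the embedded CSV are constructed; the `arc_*` variable names are chosen for this example and must be mapped onto whatever variables your onboarding playbook expects. The service principal secret is intentionally not a column: keep it in Ansible Vault or an environment variable, and scope the onboarding identity to the resource groups the placement summary reports rather than to the whole subscription.

```python
"""Build an Ansible inventory for Azure Arc onboarding from a CSV machine list.

Each row names the subscription and resource group a server should land in, so
the placement decision is made once, in the CSV, and reviewed before any agent
is installed. Rows that fail validation are reported and excluded.
"""
import csv
import io
import json
import re
from collections import Counter

# Constructed sample data: hostnames, subscription IDs and resource groups are
# made up for this example and do not refer to any real environment.
SAMPLE_CSV = """hostname,os,subscription_id,resource_group,location,tags
lnx-web-01,linux,00000000-0000-0000-0000-000000000001,rg-arc-prod,westeurope,env=prod;owner=web
lnx-db-02,linux,00000000-0000-0000-0000-000000000001,rg-arc-prod,westeurope,env=prod;owner=dba
win-fs-03,windows,00000000-0000-0000-0000-000000000002,rg-arc-dev,westeurope,env=dev
win-bad-04,windows,not-a-guid,rg-arc-dev.,westeurope,env=dev
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
# Resource group names: 1-90 characters from letters, digits, '_', '(', ')',
# '-', '.', and not ending in a period.
RG_RE = re.compile(r"^[A-Za-z0-9_()\-.]{1,90}$")
REQUIRED = ("hostname", "os", "subscription_id", "resource_group", "location")


def parse_tags(field):
    """Turn 'k=v;k2=v2' into a dict; an empty field gives {}."""
    tags = {}
    for item in filter(None, (p.strip() for p in field.split(";"))):
        key, sep, value = item.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed tag {item!r}")
        tags[key.strip()] = value.strip()
    return tags


def validate_row(row):
    """Return a list of problems with one CSV row (empty list means valid)."""
    val = lambda f: (row.get(f) or "").strip()
    problems = [f"missing {f}" for f in REQUIRED if not val(f)]
    if val("os").lower() not in ("linux", "windows"):
        problems.append(f"unsupported os {val('os')!r}")
    if not GUID_RE.match(val("subscription_id")):
        problems.append("subscription_id is not a GUID")
    rg = val("resource_group")
    if not RG_RE.match(rg) or rg.endswith("."):
        problems.append(f"invalid resource_group {rg!r}")
    try:
        parse_tags(val("tags"))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def build_inventory(csv_text):
    """Return (inventory, rejected): an Ansible JSON inventory plus rejected rows.

    Host variables use names chosen for this example (arc_*). The service
    principal secret is deliberately not a per-host variable: supply it once
    via Ansible Vault or an environment variable, never in the CSV.
    """
    inventory = {"_meta": {"hostvars": {}}, "linux": {"hosts": []}, "windows": {"hosts": []}}
    rejected = {}
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = (row.get("hostname") or "").strip()
        problems = validate_row(row)
        if host in seen:
            problems.append("duplicate hostname")
        if problems:
            rejected[host or "<blank>"] = problems
            continue
        seen.add(host)
        group = row["os"].strip().lower()
        inventory[group]["hosts"].append(host)
        inventory["_meta"]["hostvars"][host] = {
            "arc_subscription_id": row["subscription_id"].strip().lower(),
            "arc_resource_group": row["resource_group"].strip(),
            "arc_location": row["location"].strip(),
            "arc_tags": parse_tags(row.get("tags") or ""),
        }
    return inventory, rejected


def placement_summary(inventory):
    """Count hosts per (subscription, resource group): these pairs are the RBAC
    scopes the onboarding identity needs, so review them before running anything."""
    counts = Counter()
    for vars_ in inventory["_meta"]["hostvars"].values():
        counts[(vars_["arc_subscription_id"], vars_["arc_resource_group"])] += 1
    return dict(counts)


if __name__ == "__main__":
    inv, bad = build_inventory(SAMPLE_CSV)
    print(json.dumps(inv, indent=2))
    for host, why in bad.items():
        print(f"REJECTED {host}: {'; '.join(why)}")
    for (sub, rg), n in placement_summary(inv).items():
        print(f"{n} host(s) -> subscription {sub}, resource group {rg}")
```

Run it to see the generated inventory, then point the playbook from the Microsoft link above at that JSON (for example via a small dynamic inventory wrapper). The Windows group only collects hosts here; Ansible still needs WinRM or OpenSSH reachable on them before any play runs, which is the gap the follow-up question raises.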