Azure Arc Extensions Management and Updates
What are Azure Arc extensions
Azure Arc is a service offered by Microsoft Azure that allows customers to manage resources and applications, including servers, Kubernetes clusters, and applications running on-premises or in other clouds, from a single control plane in Azure. Azure Arc provides a unified management experience for these resources and applications, allowing customers to use the same tools, policies, and workflows that they use for Azure resources, to manage resources and applications running on-premises or in other clouds. The goal of Azure Arc is to provide customers with a consistent way to manage their resources and applications, regardless of where they are running.
Virtual machine (VM) extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs. For example, if a virtual machine requires software installation, anti-virus protection, or to run a script in it, a VM extension can be used.
Azure Arc-enabled servers let you deploy, remove, and update Azure VM extensions on non-Azure Windows and Linux machines, simplifying the management of your hybrid machines through their lifecycle.
There are extensions for Windows and Linux
Once you have deployed the Azure Arc Connected Machine agent, you will most likely want to enable several extensions on the machine.
Some extensions are:
- Microsoft Defender for Cloud
- Log Analytics Agent
- Azure Monitor Agents
- Azure Automation Hybrid Runbook worker extensions
- Windows Admin Center
- Custom Script Extension for Windows - Azure Arc
You can manage extensions through:
- Azure portal
- Azure CLI
- Azure PowerShell
- Azure Resource Manager templates
Manage extensions from the portal
Once the Azure Arc agent onboarding has succeeded, the server appears in the portal. Open the server view and click Extensions to see a list of all installed extensions. By default no extensions are installed, unless you have configured policies that install them.
You can find all assigned extensions, their statuses, and versions by selecting Extensions from the same page.
When you click Add you get a list of the extensions you can install. Some extensions need extra configuration; for example, the Custom Script Extension for Windows needs a storage account. In another blog post I will go into more detail about installing specific extensions.
You can upgrade extensions manually through the portal: go to the Extensions tab, select an extension and click the Update button.
You will be informed about the update progress in the notifications box.
Azure Arc extensions with PowerShell
After the agent onboarding you can use the New-AzConnectedMachineExtension cmdlet to add an extension. New-AzConnectedMachineExtension is part of the Az.ConnectedMachine PowerShell module, which you can download from the PowerShell Gallery.
The Az.ConnectedMachine PowerShell module has three cmdlets for extension management:
| Cmdlet | Purpose |
| --- | --- |
| Get-AzConnectedMachineExtension | Allows you to query the extensions installed on a connected machine. |
| New-AzConnectedMachineExtension | Allows you to add an extension. |
| Remove-AzConnectedMachineExtension | Allows you to remove an extension. |
First install the Az.ConnectedMachine module with:
Install-Module -Name Az.ConnectedMachine
Get-AzConnectedMachineExtension gives a lot of information about the installed extensions.
In a new blog post I will write about New-AzConnectedMachineExtension and the Custom Script Extension.
You can also find some logging in the folder on the Azure Arc-connected machine.
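As an added example (not code from the original post), the following script uses Get-AzConnectedMachine and Get-AzConnectedMachineExtension to inventory every extension on the Arc-enabled servers in a resource group and flag the rows a defender would want to look at: failed installs and extensions that will not receive automatic upgrades. It assumes Az.Accounts and Az.ConnectedMachine are installed, Connect-AzAccount has been run, and that the extension object exposes the properties MachineExtensionType, TypeHandlerVersion, EnableAutomaticUpgrade and ProvisioningState.

```powershell
# Added example: extension inventory for one resource group.
# Property names on the extension object are assumed from the module's output.
function Get-ArcExtensionInventory {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName
    )

    foreach ($machine in Get-AzConnectedMachine -ResourceGroupName $ResourceGroupName) {
        $extensions = Get-AzConnectedMachineExtension -ResourceGroupName $ResourceGroupName `
                                                     -MachineName $machine.Name
        foreach ($ext in $extensions) {
            # Flag anything that is not healthy or that would miss a critical fix
            $finding = @()
            if ($ext.ProvisioningState -ne 'Succeeded') { $finding += "provisioning:$($ext.ProvisioningState)" }
            if (-not $ext.EnableAutomaticUpgrade)      { $finding += 'auto-upgrade disabled' }

            [pscustomobject]@{
                Machine     = $machine.Name
                Extension   = $ext.Name
                Publisher   = $ext.Publisher
                Type        = $ext.MachineExtensionType
                Version     = $ext.TypeHandlerVersion
                AutoUpgrade = [bool]$ext.EnableAutomaticUpgrade
                State       = $ext.ProvisioningState
                Finding     = ($finding -join '; ')
            }
        }
    }
}

# Usage: full table on screen, then only the rows that need attention to a CSV
$report = Get-ArcExtensionInventory -ResourceGroupName 'MyRG'
$report | Format-Table -AutoSize
$report | Where-Object Finding | Export-Csv -Path '.\arc-extension-findings.csv' -NoTypeInformation
```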
Automatic extension upgrade for Azure Arc-enabled servers
Automatic extension update is a new feature.
With automatic VM extension upgrades, extensions are automatically upgraded by Azure Arc whenever a new version of an extension is published. Automatic extension upgrade is designed to minimize service disruption of workloads during upgrades, even at high scale, and to automatically protect customers against zero-day and critical vulnerabilities.
In the extension view, the Automatic upgrade column shows whether an extension can be upgraded automatically, and you can enable the automatic upgrade there.
Automatic upgrade is now enabled by default for supported extensions. Extensions that are already installed on your servers remain unchanged and keep their current automatic upgrade preference.
You can also use Azure CLI and Azure PowerShell to view the automatic extension upgrade status and to opt in or opt out.
A limited set of extensions is currently supported for automatic extension upgrade. Extensions not yet supported for automatic upgrade show the status "Not supported" in the "Automatic upgrade status" column.
You can find a list of supported extensions here.
Find Azure Arc-enabled server extensions with automatic upgrade
You can use Azure Resource Graph Explorer to find out which of your Azure Arc-enabled server extensions have automatic upgrade enabled. In the Azure portal, open Azure Resource Graph Explorer and run the following query:
resources
| where type =~ "microsoft.hybridcompute/machines/extensions"
| project id, publisher = properties.publisher, type = properties.type, automaticUpgradesEnabled = properties.enableAutomaticUpgrade
Disable automatic upgrade for extensions
If you need to prevent an extension from automatically upgrading on a server (for example, if it has strict change windows and can only be updated at certain times), you can opt out of this behavior when deploying the extension by setting the enableAutomaticUpgrade property in your ARM template, PowerShell, or CLI command to false.
This example disables automatic upgrade for the OmsAgentForLinux extension with PowerShell:
Set-AzConnectedMachineExtension -MachineName "ArcServerName" -Name "ExtensionName" -ResourceGroupName "MyRG" -Location "ArcServerLocation" -Publisher "Microsoft.EnterpriseCloud.Monitoring" -ExtensionType "OmsAgentForLinux" -EnableAutomaticUpgrade:$false
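The opt-out above hard-codes the publisher, type and location. As an added example (not from the original post), the function below wraps the same Set-AzConnectedMachineExtension call but reads those values from the installed extension first, so the call cannot drift from what is actually deployed, and it can re-enable automatic upgrade once a change window is over. It assumes Az.ConnectedMachine with an active Az session, and that the extension object exposes Location, Publisher, MachineExtensionType and EnableAutomaticUpgrade.

```powershell
# Added example: opt one installed extension out of (or back into) automatic upgrade.
# Property names on the returned extension object are assumed from the module's output.
function Set-ArcExtensionAutoUpgrade {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $MachineName,
        [Parameter(Mandatory)] [string] $ExtensionName,
        [Parameter(Mandatory)] [bool]   $Enabled
    )

    # Read the live resource so publisher/type/location match what is installed
    $ext = Get-AzConnectedMachineExtension -ResourceGroupName $ResourceGroupName `
                                           -MachineName $MachineName -Name $ExtensionName
    if (-not $ext) { throw "Extension '$ExtensionName' is not installed on '$MachineName'." }

    # Nothing to do if the preference already matches
    if ([bool]$ext.EnableAutomaticUpgrade -eq $Enabled) {
        Write-Verbose "$ExtensionName on $MachineName already has EnableAutomaticUpgrade=$Enabled"
        return $ext
    }

    # Same call as in the post, with the values taken from the existing extension
    Set-AzConnectedMachineExtension -ResourceGroupName $ResourceGroupName `
        -MachineName $MachineName `
        -Name $ExtensionName `
        -Location $ext.Location `
        -Publisher $ext.Publisher `
        -ExtensionType $ext.MachineExtensionType `
        -EnableAutomaticUpgrade:$Enabled
}

# Usage: freeze OmsAgentForLinux on a server with a strict change window ...
Set-ArcExtensionAutoUpgrade -ResourceGroupName 'MyRG' -MachineName 'ArcServerName' `
    -ExtensionName 'OmsAgentForLinux' -Enabled $false
# ... and opt it back in once the change window has passed
Set-ArcExtensionAutoUpgrade -ResourceGroupName 'MyRG' -MachineName 'ArcServerName' `
    -ExtensionName 'OmsAgentForLinux' -Enabled $true
```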
Azure Arc extensions are a great framework for extending the capabilities of Azure Arc. With the automatic upgrade feature it is a lot easier to keep them up to date and safe. If you have any questions, leave a comment below or contact me.