Extend Azure Arc To System Center Virtual Machine Manager (SCVMM) – Comprehensive Guide

Updated – 19/02/2024 – Microsoft announced that Azure Arc-enabled SCVMM is now generally available (GA).

Azure Arc-enabled System Center VMM is a new feature of Azure Arc that is currently available in Public Preview. It allows the connection of on-premises System Center VMM environments to Azure, which in turn enables users to manage virtual machines through the consistent Azure Portal experience.

In this article, we will look at how to extend Azure Arc to System Center Virtual Machine Manager (SCVMM), then show you how to deploy your first VM on-premises through the Azure portal.

Introduction

As Microsoft Azure becomes increasingly important for building, deploying, and managing business-critical applications at scale, the hybrid cloud has become essential for many customers. The consistent management and security of diverse IT environments are crucial for scaling cloud-native applications and infrastructure.

To meet the need for flexibility and agility, Azure Arc was introduced, extending Azure so applications and services can run across data centers, edge, and multi-cloud environments. Azure Arc allows users to secure and govern their physical or virtual infrastructure and Kubernetes clusters anywhere with familiar Azure Management practices.

Last year, Microsoft announced the public preview of Azure Arc-enabled System Center Virtual Machine Manager, which enables on-premises System Center VMM environments to be connected to Azure.

With Azure Arc-enabled System Center Virtual Machine Manager (SCVMM), you can now manage and operate hundreds of physical servers and tens of thousands of virtual machines on-premises and in Azure, ensuring that these workloads can benefit from ongoing innovations in Azure.

This means that you can now create, manage, and delete virtual machines in System Center VMM deployments using the Azure Portal. Additionally, you can deploy and manage VMs in SCVMM by using ARM templates, ensuring that you can deploy Infrastructure as Code (IaC) in a consistent manner across both Azure and on-premises environments.

By using ARM templates, the DevOps teams can also utilize CI/CD pipelines to provision or update VMs along with application updates.

Extend Azure Arc To SCVMM Overview

With Azure Arc-enabled System Center Virtual Machine Manager, you can manage your Hybrid environment and carry out self-service virtual machine operations via the Azure portal. This solution serves as an alternative for Microsoft Azure Pack customers who want to perform self-service virtual machine operations.

You can use Arc-enabled System Center VMM to perform various virtual machine lifecycle operations, such as starting, stopping, pausing, and deleting VMs on VMM-managed VMs directly from Azure.

It also allows developers and application teams to perform on-demand self-service virtual machine operations using Azure role-based access control (RBAC).

Additionally, you can browse your VMM resources, including VMs, templates, VM networks, and storage, in Azure, providing you with a single pane view for your infrastructure across both environments. Furthermore, you can discover and onboard existing SCVMM-managed VMs to Azure.

Azure Arc-enabled SCVMM service was built to address the following supported scenarios:

> SCVMM administrators can connect their VMM instance to Azure and view the virtual machine inventory managed by SCVMM in Azure.

> By using the Azure portal, administrators and users can easily browse the SCVMM inventory and register the SCVMM cloud, virtual machines, VM networks, and VM templates into Azure.

> Additionally, administrators can grant fine-grained permissions on these SCVMM resources to application teams and developers via Azure role-based access control (RBAC).

> Application teams and developers can use Azure interfaces, such as the Azure portal, Azure CLI, or REST API, to manage the lifecycle of on-premises virtual machines used for deploying their applications. They can perform CRUD operations, as well as start, stop, and restart on-premises VMs with ease.

Please note that at the time of this writing, Azure Arc-enabled SCVMM is still in (preview), and things might change before it reaches General Availability.

Prerequisites

To follow this article, you need to have the following:

1) Microsoft Azure subscription. If you don’t have an Azure subscription, you can create a free one here.

2) Azure Resource Group (RG) where you have the Contributor role assigned.

3) SCVMM with the following requirements:

• You need an SCVMM management server running version 2016 or later. Check how to install System Center Virtual Machine Manager on Windows Server 2022.
• SCVMM admin account that can perform all administrative actions.
• SCVMM Private Cloud with a minimum free capacity of 16 GB of RAM, and 4 vCPUs with 100 GB of free disk space (more on this in the next section).
• SCVMM VM network with internet access, directly or through proxy.
• SCVMM VM template. You can use a VM template to create standalone VMs or to create VMs in tiers in a service template. Make sure the Capability Profile is selected in your VM templates (ESX Server or Hyper-V).

4) Azure Arc Resource Bridge VM deployed known as Azure Arc appliance. Arc resource bridge is a virtual appliance that connects the VMM management server to Azure. Azure Arc resource bridge enables you to represent the SCVMM resources (clouds, VMs, templates, etc.) in Azure and does various operations on them (more on this in the next section).

5) Resource bridge networking requirements. Please check the following firewall URL exceptions (outbound connectivity) that are needed for the Azure Arc resource bridge VM.

6) At the time of this writing, Azure Arc-enabled SCVMM (public preview) is currently supported in the following three regions: East US, East US 2, and West Europe.

7) You need either Azure CLI version 2.47.0 or higher installed on your workstation. At the time of this writing, we are using version 2.47.0. You can check the CLI version on your machine and upgrade its version with the following commands:

# Check Azure CLI version
az --version

# Upgrade Azure CLI
az upgrade

Create an SCVMM Private Cloud

In VMM, before deploying VMs and services to a private cloud, you need to set up the private cloud fabric.

Three resources are included in the fabric of VMM 2016 or later:

Servers: These contain virtualization hosts (Hyper-V and VMware servers) and groups, PXE, update servers (that is, WSUS), and other servers.

Networking: This contains the network fabric and device configuration (for example, gateways, virtual switches, and network virtualization); it presents the wiring between resource repositories, running instances, VMs, and services.

Storage: This contains the configuration for storage connectivity and management, simplifying storage complexities, and how storage is virtualized. For example, you can configure the SMI-S and SMP providers or a Windows Server 2022 SMB 3.0 file server.

By using VMM 2016 or later and deploying a private cloud, you will be able to offer a unique experience for creating VMs and services, which will in turn lead to the consumerization of IT.

Private cloud deployment allows resource pooling, where you can present a comprehensive set of fabric resources but limit it to quotas that can be increased or decreased, providing fully optimized elasticity without affecting the private cloud’s overall user experience.

In addition to this, you can also delegate the management to tenants and self-service users who will not know physical infrastructures, such as clusters, storage, and networking.

You need to have the following fabric resources created before you create a VMM private cloud:

• Network: Make sure you have configured the logical network and assigned it to the physical network beforehand.
• Storage: Only storage classifications for storage pools that are assigned to the selected host groups appear in the list.
• Library servers and shares: The library shares that you designate as read-only resource locations for the private cloud must be unique when compared to the library share or shares that are used for stored virtual machines and for the user role data path that is specified for a self-service user role. You could also create entirely separate library shares.
• Create the host groups.
• Add the hosts.

Take out the following steps to create your private cloud in SCVMM:

1) Connect to the VMM console by using the VMM admin account, and then in the bottom-left pane, click on VMs and Services to open the VMs and Services workspace.

2) Under the Home tab on the ribbon, click on Create Cloud.

3) In the Create Cloud Wizard window, enter the desired private cloud’s name. In this example, we are not using shielded VM support.

4) On the Resources page, select between the following options:

• Select Host groups, then select the host group(s) that will be added to this private cloud, and then click on Next.
• Or select VMware resources pools, then select a VMware resource pool from the drop-down list, and then click on Next.

5) On the Logical Networks page, select the logical network(s) that will be made available to this private cloud and then click on Next.

6) On the Load Balancers page, if you have a load balancer deployed and integrated with VMM, select it and click on Next. Only associated load balancers will be displayed, for example, Microsoft Network Load Balancing (NLB).

7) On the VIP Templates page, select the VIP template(s), if any, that will be available to this private cloud, and click on Next. A virtual IP (VIP) template contains load-balanced settings for a specific type of network traffic (for example, HTTPS traffic). After you create a VIP template, you can specify it in this step.

8) On the Port Classifications page, select each port classification that you want to make available to the cloud and click on Next. For example, High, Medium, and Low bandwidth.

9) On the Storage page, if you do have storage managed by VMM and if there are storage classifications for storage pools assigned to selected host groups, then select the storage classification that will be available to this private cloud (for example, Remote Storage) and click on Next.

10) On the Library page, provide the Stored VM path by clicking on Browse, and in the Select Destination Folder dialog box, click on the library server and then select a library or a folder in the share to be used as the location for self-service users to store VMs in (for example, CloudVMs); then click on OK.

Please note that this must be a full unique path and does not overlap with the read-only library shares in Step 11. Otherwise, you will receive the following error:

Ensure that the path or part of the path that you provided is not used as a writable library share path on a private cloud, a read-only share path on a private cloud, or a user role data path on a self-service user role. ID: 23505

Here is an example we used for the library shares to store the VM under the CloudVMs share path, and the default read-only library shares under SCVMMLibrary.

11) In the Read-only library shares section, click on Add, select the library share(s) for read-only resources, as shown in the figure below, click on OK to confirm, and then click on Next.

12) On the Capacity page, configure the capacity limits and then click on Next. You can manually set quotas for the Virtual CPUs, Memory (GB), Storage (GB), Custom quota (points), and Virtual machine dimensions, as shown in the figure below. As noted in the prerequisites section, a private cloud should have a minimum free capacity of 16 GB of RAM, and 4 vCPUs with 100 GB of free disk space. To use quotas, deselect Use Maximum, as shown in the figure below, and set the desired quota numbers.

13) On the Capability Profiles page, select the VM capability profile(s) that matches the hypervisor running on the selected host group(s)—for example, Hyper-V—and click on Next.

14) On the Replication Groups page, select the storage replica groups for the cloud, if any, and click on Next.

15) On the Storage QoS Policies page, select the policies that you want to assign to this private cloud, if any, and click on Next.

16) On the Summary page, click on Finish.

For more information about SCVMM Private Cloud, please refer to Microsoft documentation.

Download SCVMM Onboarding Script

Once your SCVMM private cloud is ready and you have the appropriate permissions. We move into downloading the onboarding script from Azure Arc that will help to bridge your SCVMM environment and Azure Arc.

Take the following steps to download the onboarding script:

1) Launch the Azure portal, then search and select Azure Arc. In the Overview page, select Add in Add your infrastructure for free as shown in the figure below, or select the Infrastructure tab.

2) In the Platform section, select Add under System Center VMM (preview).

3) On the Connect SCVMM management server to Azure page, you can create a new resource bridge (the default), or use an existing resource bridge. In this example, we will create a new resource bridge. Click Next >.

4) On the Basics tab, provide the following details:

• Name: Provide a name for the Azure Arc resource bridge.
• Subscription: Select a subscription where you want to create the resource bridge.
• Resource group: Select a resource group where you want to create the resource bridge.
• Region: Select an Azure location where you want to store the resource metadata. At the time of this writing, the supported regions are East US, East US 2, and West Europe.

5) Under the Custom location, provide the following details:

• Name: This is the name that you’ll see when you deploy virtual machines. Name it for the data center or the physical location of your data center.
• Leave the option Use the same subscription and resource group as your resource bridge selected.

6) Under the SCVMM management server, provide the following details:

• Name: Provide a name for your SCVMM management server instance in Azure.
• Leave the option Use the same subscription and resource group as your resource bridge selected.

7) Select Next: Tags > and provide the details of your physical location such as Datacenter, City, StateOrDistric, and CountryOrRegion.

8) Select Next: Download and run script >. If your subscription isn’t registered with all the required resource providers, select Register as shown in the figure below to proceed and register your subscription. This will take a couple of minutes to complete.

9) Once the registration is completed, select the operating system of your workstation (Windows or Linux), then download the PowerShell or Bash script and copy it to the workstation.

10) Select Close.

Deploy Azure Arc Resource Bridge Appliance

To onboard SCVMM to Azure Arc, you would require deploying a virtual appliance called the Arc Resource Bridge on VMM. The Arc resource Bridge acts as a gateway connecting the System Center Virtual Machine Manager and Azure.

The Resource Bridge hosts the necessary agents and extensions required to communicate with Azure and provide the required representation of the SCVMM resources on Azure.

After you’ve downloaded the required script based on your operating system, carry out the following steps to run the script. In this example, we will be running the script on a Windows machine.

1) Open a new PowerShell window as administrator and verify if Azure CLI is successfully installed in the workstation, use the following command:

az --version

2) Next, navigate to the folder where you’ve downloaded the PowerShell script, then run the following command to allow the script to run since it’s an unsigned script:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

3) Last, run the script as follows:

.\resource-bridge-onboarding-script.ps1

Please note that the script execution will take around half an hour and you’ll be prompted for various input information as follows:

• Is the current workstation behind a proxy?
• Confirm login to Azure CLI.
• Please enter SCVMM Server FQDN(Role name in case of HAVMM) or IP address.
• Please enter the SCVMM server port (The default is 8100).
• Please enter SCVMM Administrator Username (domain\username).
• Please enter SCVMM Administrator Password.
• Deploy resource bridge as a Highly Available virtual machine (Y/N) (Enter ‘Y’ for Highly available virtual machine and ‘N’ for standalone VM. Microsoft recommends a Highly available virtual machine for production environment)
• Please enter the SCVMM cloud – Type the number of your VMM Private Cloud.
• Do you want to configure the Appliance VM with Dynamic IP (from DHCP or third-party IP assignment tool) or Static IP (from VMM IP Pool)? Enter ‘Y’ for Dynamic IP or Enter ‘N’ for Static IP (Y/N).
• Please enter the SCVMM VM network – Type the number of your Logical Network.
• Please enter SCVMM Static IP Pool – Type the number of your IP Pool.
• Please enter Static MAC address (Press enter to assign MAC from Default VMM MAC Pool).
• Please enter SCVMM library share (Ensure VMM Server has to write access on the selected Library Share) – Type the number of your writable VMM Library share.
• In case you choose to deploy resource bridge as a Highly Available VM. Please provide the Appliance cluster configuration and enter the Appliance control plane IP.
• Do you want to configure Appliance proxy settings?

Once you finish entering all the required details, the setup will start to download the image and prepare to deploy the Azure Arc Resource Bridge VM.

In the last step (connecting to the VMM Server), you need to provide the VMM Server details (VMM Server FQDN or IP address), the server port number (default: 8100), the VMM username, and the password. These credentials will be used when you perform SCVMM operations through the Azure portal. You can provide the same credentials that you provided for Arc Resource Bridge earlier. However, we recommend using a dedicated admin account for this.

Once the connection is completed, your SCVMM will be onboarded to Azure Arc!

If you switch to the SCVMM console, you can see the Azure Arc resource bridge appliance (control plane) installed in your private cloud and running as shown in the figure below.

The SCVMM Arc appliance is a Generation 2 Linux VM, and more specifically it has CBL-Mariner version 2.0 which is a free and open-source Linux distribution that Microsoft has developed. It is the base container OS for Microsoft Azure services and the graphical component of WSL 2. The Mariner container host provides reliability and consistency from cloud to edge across the AKS, AKS-HCI, and Arc products.

The Arc resource bridge is a packaged virtual machine that hosts a management Kubernetes cluster and requires minimal user management. The appliance is deployed on SCVMM infrastructure, and an ARM resource of Arc resource bridge is created in Azure.

After successful deployment, it’s recommended to maintain the state of Arc Resource Bridge VM as online (highly available). Intermittently appliance might become unreachable when you shut down and restart the VM.

You should also save the following config YAML files of the appliance, infrastructure, and resource in a secure location. The config files are required to perform management operations on the resource bridge.

Enable SCVMM Inventory Resources From Azure

Once you have connected the SCVMM management server to Azure, the next step is to enable SCVMM inventory resources from the Azure Arc center.

Open the Azure portal and access your SCVMM management server by going to Azure Arc center blade, and then select SCVMM management servers under the Infrastructure section as shown in the figure below.

You can now see your SCVMM resources in Azure. When you project them to Azure and assign permissions, you can use them for creating new SCVMM virtual machines in your data center.

Under the SCVMM inventory section, you can browse the Virtual machines (VMs), VMM clouds, VM networks, and VM templates.

Then, under each inventory, you need to select and enable one or more SCVMM resources in Azure, so you can create an Azure resource representing your SCVMM resource.

In this example, we need to enable SCVMM Clouds, VM templates, and VM networks. Go to the SCVMM inventory resources blade, then select the resource(s) you want to enable and select Enable in Azure as shown in the figure below.

Next, on the Enable in Azure page, select your Azure subscription and Resource Group and then select Enable as shown in the figure below.

The deployment will be initiated, and it will create a resource in Azure, representing your SCVMM resources.

IMP: Please note that you need to repeat above steps for one or more VM networks and VM template resources, so you can consume those resources during the deployment (more on this in the next section) .

Furthermore, enabling these resources allows you to manage access to these resources through the Azure role-based access control (RBAC) granularly.

Last, if you have already virtual machines in your SCVMM environment, you can also enable existing VMs in Azure by going to the virtual machines blade under the SCVMM inventory. Then select the desired VMs you want to enable, as shown in the figure below, and select Enable in Azure.

The deployment will be initiated, and it will create a resource in Azure, representing your SCVMM VMs.

Create a VM on SCVMM Using Azure Arc

Once you have connected the SCVMM management server to Azure, represented VMM resources such as private clouds, and VM templates in Azure, and you have the required permissions on those resources, you’ll be able to create a virtual machine in the Azure portal.

Open the Azure portal. Select Azure Arc as the service and then select Azure Arc virtual machine from the left blade.

Then click + Create, to open the Create an Azure Arc virtual machine page.

Under Basics > Project details, select the desired Subscription and Resource group where you want to deploy the VM.

Next, under the Instance details, you need to provide the following details:

• Virtual machine name – Enter the name of the virtual machine.
• Custom location – Select the custom location that your SCVMM admin has shared with you.
• Virtual machine kind – Select System Center Virtual Machine Manager.
• Cloud – Select the target SCVMM private cloud.
• Availability set (Optional) – You can use availability sets to identify virtual machines that you want VMM to keep on separate hosts for improved continuity of service.

Under Template details – Choose the VM template for deployment. Please note that you need to have a VM template created in VMM and enabled in Azure to use it. As a side note, make sure the Capability Profile is selected in your VM templates (ESX Server or Hyper-V).

You can also override template defaults and choose a different computer name (the name must contain no more than 15 characters), set CPU cores, memory, memory type, and dynamic memory range.

Under the Administrator account, provide the username, password, and confirm password.

Click Next: Disks > Under Disks, you can optionally change the disks configured in the template. You can add more disks or update existing disks.

Under Networking, you can optionally change the network interfaces configured in the template. You can add Network interface cards (NICs) or update the existing NICs. You can also change the network that this NIC will be attached to if you have appropriate permissions to the network resource.

Next, under Advanced, you can enable processor compatibility mode if required. Enable processor compatibility mode for live migration of VMs between virtualization hosts that may use different generations of processors.

In Windows Server, Microsoft recommends turning on processor compatibility mode only before VM migration scenarios, and then turning it off when the migration is complete.

Next, under Tags, you can optionally add tags to the VM resource. Please note that custom properties defined as tags in Azure will be synced to SCVMM Management Server, as well as custom properties defined for the VM in SCVMM, will be synced as tags in Azure.

Last, under Review + Create, review all the properties. You can also download the ARM template for automation later on, and finally hit Create.

The VM will be created in a few minutes, as shown in the figure below.

Then you can go to the resource blade and Start the VM in your data center from Azure.

Switching back to the SCVMM console, we can see that the VM is successfully deployed and running in our private cloud data center, as shown in the figure below.

Enable Guest Management

With the guest management capability in Azure Arc-enabled System Center VMM, you will be able to install Arc agents on virtual machine(s) VMs managed by SCVMM directly from the Azure portal.

Assuming you have all the prerequisites as described earlier in this article. To enable guest management, do the following:

1) Sign in to the Azure portal, search for SCVMM management servers, and select it.

2) Next, select the desired virtual machine(s) under SCVMM inventory.

3) Select Configuration under settings, and then select Enable guest management.

4) Next, you need to choose how the connected machine agent running in the VM should connect to the Internet (Public endpoint or Proxy server). If you are using a proxy server, you need to provide the proxy server URL address. The VM should be turned on and can connect through the firewall to communicate over the internet. This setting only applies to the Arc agent.

5) Next, you need to provide the administrator username and password to enable guest management which will install Arc agent. Then click Enable.

Once guest management is enabled, you can’t disable it from the VM Configuration blade in Azure. To do so, you have to uninstall the Azure Arc agent manually from the VM as described in the following article from the Control Panel or from the command line.

When you Enable guest management, it will enable Azure extensions like Azure management services (Update Manager, Microsoft Defender for Cloud, VM insights for SCVMM VMs, etc.). Your credentials won’t be stored in Azure. They’ll be used only to install the Azure-connected machine Arc agent and then discarded.

That’s it, there you have it!

FAQs

Enable in Azure vs. Enable guest management

The “Enable in Azure” operation creates an Azure ARM resource for the on-premises VM. It allows you to perform virtual hardware operations (modify disk, network, etc.) and power operations (start/stop, etc.). This operation will not install the Arc agent (Azure Connected Machine agent).

The “Enable guest management” operation will install the Arc agent and allow you to use Azure management services like Defender for Cloud, Azure Update Manager, etc.

Summary

In this article, we showed you how to extend Azure Arc to System Center Virtual Machine Manager (SCVMM), deployed the Azure Arc resource bridge appliance, and provisioned the first VM in our on-premises data center from the Azure portal.

Through the Azure Arc resource bridge capability, you can connect an SCVMM management server to Azure by deploying the Azure Arc resource bridge VM in your VMM environment. Azure Arc resource bridge enables you to represent the SCVMM resources (clouds, VMs, templates, networks, etc.) in Azure and perform various operations on them such as:

• Start, stop, and restart a virtual machine.
• Control access and add Azure tags.
• Add, remove, and update network interfaces.
• Add, remove, and update disks and update VM size (CPU cores and memory).

The Arc Resource Bridge is a pre-configured virtual machine that contains a Kubernetes cluster for managing resources. It requires very little user intervention and is deployed on-premises which connects Azure to your SCVMM management server.

Once the virtual machine is set up, an ARM resource is created in Azure, and the two resources are connected. This connection enables VM self-service and management from Azure. The resource bridge also utilizes guest management to tag local resources, which makes them accessible in Azure.

Once the bridge is deployed, you can use Azure Arc to manage your SCVMM infrastructure and deploy Azure services within minutes.

> Learn more about Azure Arc-enabled System Center Virtual Machine Manager.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-