diff --git a/docs/azure_jumpstart_arcbox/DataOps/arch_dataops.png b/docs/azure_jumpstart_arcbox/DataOps/arch_dataops.png index b1c1b140..072fe5b2 100644 Binary files a/docs/azure_jumpstart_arcbox/DataOps/arch_dataops.png and b/docs/azure_jumpstart_arcbox/DataOps/arch_dataops.png differ diff --git a/docs/azure_jumpstart_arcbox/DevOps/arch_devops.png b/docs/azure_jumpstart_arcbox/DevOps/arch_devops.png index caa55b44..98d5668f 100644 Binary files a/docs/azure_jumpstart_arcbox/DevOps/arch_devops.png and b/docs/azure_jumpstart_arcbox/DevOps/arch_devops.png differ diff --git a/docs/azure_jumpstart_arcbox/Full/_index.md b/docs/azure_jumpstart_arcbox/Full/_index.md deleted file mode 100644 index 4bccd014..00000000 --- a/docs/azure_jumpstart_arcbox/Full/_index.md +++ /dev/null 
@@ -1,658 +0,0 @@ ---- -type: docs -linkTitle: "ArcBox Full" -weight: 2 ---- - -# Jumpstart ArcBox "Full" Edition - -## Overview - -ArcBox is a solution that provides an easy to deploy sandbox for all things Azure Arc. ArcBox is designed to be completely self-contained within a single Azure subscription and resource group, which will make it easy for a user to get hands-on with all available Azure Arc technology with nothing more than an available Azure subscription. - -![Screenshot showing ArcBox architecture diagram](./arch_full.png) - -### Use cases - -- Sandbox environment for getting hands-on with Azure Arc technologies -- Accelerator for Proof-of-concepts or pilots -- Training tool for Azure Arc skills development -- Demo environment for customer presentations or events -- Rapid integration testing platform -- Infrastructure-as-code and automation template library for building hybrid cloud management solutions - -## Azure Arc capabilities available in ArcBox - -### Azure Arc-enabled servers - -![Screenshot showing ArcBox Arc-enabled servers diagram](./servers.png) - -ArcBox includes five Azure Arc-enabled server resources that are hosted using nested virtualization in Azure. As part of the deployment, a Hyper-V host (_ArcBox-Client_) is deployed with five guest virtual machines. These machines, _ArcBox-Win2k22_, _ArcBox-Win2k19_, _ArcBox-SQL_, _ArcBox-Ubuntu-01_, and _ArcBox-Ubuntu-02_ are connected as Azure Arc-enabled servers via the ArcBox automation. - -### Azure Arc-enabled Kubernetes - -![Screenshot of ArcBox Arc-enabled Kubernetes diagram](./k8s.png) - -ArcBox deploys one single-node Rancher K3s cluster running on an Azure virtual machine. This cluster is then connected to Azure as an Azure Arc-enabled Kubernetes resource (_ArcBox-K3s_). 
- -### Azure Arc-enabled data services - -ArcBox deploys one single-node Rancher K3s cluster (_ArcBox-CAPI-MGMT_), which is then transformed to a [Cluster API](https://cluster-api.sigs.k8s.io/user/concepts.html) management cluster using the Cluster API Provider Azure(CAPZ), and a workload cluster is deployed onto the management cluster. The Azure Arc-enabled data services and data controller are deployed onto this workload cluster via a PowerShell script that runs when first logging into _ArcBox-Client_ virtual machine. - -![Screenshot of ArcBox Arc-enabled data services diagram](./dataservices2.png) - -### Hybrid Unified Operations - -ArcBox deploys several management and operations services that work with ArcBox's Azure Arc resources. These resources include an Azure Log Analytics workspace, an Azure Monitor workbook, Azure Policy assignments for deploying Azure Monitor agents on Windows and Linux Azure Arc-enabled servers, Azure Policy assignment for adding tags to resources, and a storage account used for staging resources needed for the deployment automation. - -![ArcBox unified operations diagram](./unifiedops.png) - -## ArcBox Azure Consumption Costs - -ArcBox resources generate Azure Consumption charges from the underlying Azure resources including core compute, storage, networking and auxiliary services. Note that Azure consumption costs vary depending the region where ArcBox is deployed. Be mindful of your ArcBox deployments and ensure that you disable or delete ArcBox resources when not in use to avoid unwanted charges. Please see the [Jumpstart FAQ](../../faq/) for more information on consumption costs. - -## Deployment Options and Automation Flow - -ArcBox provides multiple paths for deploying and configuring ArcBox resources. 
Deployment options include: - -- Azure portal -- ARM template via Azure CLI -- Bicep - -![Deployment flow diagram for ARM-based deployments](./deploymentflow.png) - -ArcBox uses an advanced automation flow to deploy and configure all necessary resources with minimal user interaction. The previous diagrams provide an overview of the deployment flow. A high-level summary of the deployment is: - -- User deploys the primary ARM template (_azuredeploy.json_) or Bicep file (_main.bicep_). These objects contain several nested objects that will run simultaneously. - - ClientVM ARM template/plan - deploys the Client Windows VM. This is the Hyper-V host VM where all user interactions with the environment are made from. - - Storage account template/plan - used for staging files in automation scripts - - Management artifacts template/plan - deploys Azure Log Analytics workspace and solutions and Azure Policy artifacts -- User remotes into Client Windows VM, which automatically kicks off multiple scripts that: - - Deploy and configure five (5) nested virtual machines in Hyper-V - - Windows Server 2022 VM - onboarded as Azure Arc-enabled server - - Windows Server 2019 VM - onboarded as Azure Arc-enabled server - - Windows VM running SQL Server - onboarded as Azure Arc-enabled SQL Server (as well as Azure Arc-enabled server) - - 2 x Ubuntu VMs - onboarded as Azure Arc-enabled servers - - Deploy an Azure Monitor workbook that provides example reports and metrics for monitoring ArcBox components - -## Prerequisites - -- [Install or update Azure CLI to version 2.53.0 and above](https://learn.microsoft.com/cli/azure/install-azure-cli?view=azure-cli-latest). Use the below command to check your current installed version. - - ```shell - az --version - ``` - -- Login to AZ CLI using the *`az login`* command. - -- Ensure that you have selected the correct subscription you want to deploy ArcBox to by using the *`az account list --query "[?isDefault]"`* command. 
If you need to adjust the active subscription used by Az CLI, follow [this guidance](https://learn.microsoft.com/cli/azure/manage-azure-subscriptions-azure-cli#change-the-active-subscription). - -- ArcBox must be deployed to one of the following regions. **Deploying ArcBox outside of these regions may result in unexpected results or deployment errors.** - - - East US - - East US 2 - - Central US - - West US 2 - - North Europe - - West Europe - - France Central - - UK South - - Australia East - - Japan East - - Korea Central - - Southeast Asia - -- **ArcBox Full requires 44 B-series and 16 DSv4-series vCPUs** when deploying with default parameters such as VM series/size. Ensure you have sufficient vCPU quota available in your Azure subscription and the region where you plan to deploy ArcBox. You can use the below Az CLI command to check your vCPU utilization. - - ```shell - az vm list-usage --location --output table - ``` - - ![Screenshot showing az vm list-usage](./azvmlistusage.png) - -- Register necessary Azure resource providers by running the following commands. - - ```shell - az provider register --namespace Microsoft.HybridCompute --wait - az provider register --namespace Microsoft.GuestConfiguration --wait - az provider register --namespace Microsoft.Kubernetes --wait - az provider register --namespace Microsoft.KubernetesConfiguration --wait - az provider register --namespace Microsoft.ExtendedLocation --wait - az provider register --namespace Microsoft.AzureArcData --wait - az provider register --namespace Microsoft.OperationsManagement --wait - ``` - -- Create Azure service principal (SP). To deploy ArcBox, an Azure service principal assigned with the _Owner_ Role-based access control (RBAC) role is required. You can use Azure Cloud Shell (or other Bash shell), or PowerShell to create the service principal. 
- - - (Option 1) Create service principal using [Azure Cloud Shell](https://shell.azure.com/) or Bash shell with Azure CLI: - - ```shell - az login - subscriptionId=$(az account show --query id --output tsv) - az ad sp create-for-rbac -n "" --role "Owner" --scopes /subscriptions/$subscriptionId - ``` - - For example: - - ```shell - az login - subscriptionId=$(az account show --query id --output tsv) - az ad sp create-for-rbac -n "JumpstartArcBoxSPN" --role "Owner" --scopes /subscriptions/$subscriptionId - ``` - - Output should look similar to this: - - ```json - { - "appId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX", - "displayName": "JumpstartArcBox", - "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX", - "tenant": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX" - } - ``` - - - (Option 2) Create service principal using PowerShell. If necessary, follow [this documentation](https://learn.microsoft.com/powershell/azure/install-az-ps?view=azps-8.3.0) to install Azure PowerShell modules. - - ```powershell - $account = Connect-AzAccount - $spn = New-AzADServicePrincipal -DisplayName "" -Role "Owner" -Scope "/subscriptions/$($account.Context.Subscription.Id)" - echo "SPN App id: $($spn.AppId)" - echo "SPN secret: $($spn.PasswordCredentials.SecretText)" - ``` - - For example: - - ```powershell - $account = Connect-AzAccount - $spn = New-AzADServicePrincipal -DisplayName "JumpstartArcBoxSPN" -Role "Owner" -Scope "/subscriptions/$($account.Context.Subscription.Id)" - echo "SPN App id: $($spn.AppId)" - echo "SPN secret: $($spn.PasswordCredentials.SecretText)" - ``` - - Output should look similar to this: - - ![Screenshot showing creating an SPN with PowerShell](./create_spn_powershell.png) - - > **Note:** If you create multiple subsequent role assignments on the same service principal, your client secret (password) will be destroyed and recreated each time. Therefore, make sure you grab the correct password. 
- - > **Note:** The Jumpstart scenarios are designed with as much ease of use in-mind and adhering to security-related best practices whenever possible. It is optional but highly recommended to scope the service principal to a specific [Azure subscription and resource group](https://learn.microsoft.com/cli/azure/ad/sp?view=azure-cli-latest) as well considering using a [less privileged service principal account](https://learn.microsoft.com/azure/role-based-access-control/best-practices). - -- [Generate a new SSH key pair](https://learn.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed) or use an existing one (Windows 10 and above now comes with a built-in ssh client). The SSH key is used to configure secure access to the Linux virtual machines that are used to run the Kubernetes clusters. - - ```shell - ssh-keygen -t rsa -b 4096 - ``` - - To retrieve the SSH public key after it's been created, depending on your environment, use one of the below methods: - - In Linux, use the `cat ~/.ssh/id_rsa.pub` command. - - In Windows (CMD/PowerShell), use the SSH public key file that by default, is located in the _`C:\Users\WINUSER/.ssh/id_rsa.pub`_ folder. - - SSH public key example output: - - ```shell - ssh-rsa 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 user@pc - ``` - -## Deployment Option 1: Azure portal - -- Click the button and enter values for the the ARM template parameters. - - ![Screenshot showing Azure portal deployment of ArcBox](./portaldeploy.png) - - ![Screenshot showing Azure portal deployment of ArcBox](./portaldeployinprogress.png) - - ![Screenshot showing Azure portal deployment of ArcBox](./portaldeploymentcomplete.png) - - > **Note:** If you see any failure in the deployment, please check the [troubleshooting guide](#basic-troubleshooting). 
- -## Deployment Option 2: ARM template with Azure CLI - -- Clone the Azure Arc Jumpstart repository - - ```shell - git clone https://github.com/microsoft/azure_arc.git - ``` - -- Edit the [azuredeploy.parameters.json](https://github.com/microsoft/azure_arc/blob/main/azure_jumpstart_arcbox/ARM/azuredeploy.parameters.json) ARM template parameters file and supply some values for your environment. - - _`sshRSAPublicKey`_ - Your SSH public key - - _`spnClientId`_ - Your Azure service principal id - - _`spnClientSecret`_ - Your Azure service principal secret - - _`spnTenantId`_ - Your Azure tenant id - - _`windowsAdminUsername`_ - Client Windows VM Administrator username - - _`windowsAdminPassword`_ - Client Windows VM Password. Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character. The value must be between 12 and 123 characters long. - - _`logAnalyticsWorkspaceName`_ - Unique name for the ArcBox Log Analytics workspace - - _`flavor`_ - Use the value "Full" to specify that you want to deploy the full version of ArcBox - - ![Screenshot showing example parameters](./parameters.png) - -- Now you will deploy the ARM template. Navigate to the local cloned [deployment folder](https://github.com/microsoft/azure_arc/tree/main/azure_jumpstart_arcbox) and run the below command: - - ```shell - az group create --name --location - az deployment group create \ - --resource-group \ - --template-file azuredeploy.json \ - --parameters azuredeploy.parameters.json - ``` - - ![Screenshot showing az group create](./azgroupcreate.png) - - ![Screenshot showing az deployment group create](./azdeploy.png) - - > **Note:** If you see any failure in the deployment, please check the [troubleshooting guide](#basic-troubleshooting). 
- -## Deployment Option 3: Bicep deployment via Azure CLI - -- Clone the Azure Arc Jumpstart repository - - ```shell - git clone https://github.com/microsoft/azure_arc.git - ``` - -- Upgrade to latest Bicep version - - ```shell - az bicep upgrade - ``` - -- Edit the [main.parameters.json](https://github.com/microsoft/azure_arc/blob/main/azure_jumpstart_arcbox/bicep/main.parameters.json) template parameters file and supply some values for your environment. - - _`sshRSAPublicKey`_ - Your SSH public key - - _`spnClientId`_ - Your Azure service principal id - - _`spnClientSecret`_ - Your Azure service principal secret - - _`spnTenantId`_ - Your Azure tenant id - - _`windowsAdminUsername`_ - Client Windows VM Administrator username - - _`windowsAdminPassword`_ - Client Windows VM Password. Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character. The value must be between 12 and 123 characters long. - - _`logAnalyticsWorkspaceName`_ - Unique name for the ArcBox Log Analytics workspace - - _`flavor`_ - Use the value "Full" to specify that you want to deploy the full version of ArcBox - - ![Screenshot showing example parameters](./parameters_bicep.png) - -- Now you will deploy the Bicep file. Navigate to the local cloned [deployment folder](https://github.com/microsoft/azure_arc/tree/main/azure_jumpstart_arcbox/bicep) and run the below command: - - ```shell - az login - az group create --name "" --location "" - az deployment group create -g "" -f "main.bicep" -p "main.parameters.json" - ``` - - > **Note:** If you see any failure in the deployment, please check the [troubleshooting guide](#basic-troubleshooting). - -## Start post-deployment automation - -Once your deployment is complete, you can open the Azure portal and see the ArcBox resources inside your resource group. 
You will be using the _ArcBox-Client_ Azure virtual machine to explore various capabilities of ArcBox such as GitOps configurations and Key Vault integration. You will need to remotely access _ArcBox-Client_. - - ![Screenshot showing all deployed resources in the resource group](./deployed_resources.png) - - > **Note:** For enhanced ArcBox security posture, RDP (3389) and SSH (22) ports are not open by default in ArcBox deployments. You will need to create a network security group (NSG) rule to allow network access to port 3389, or use [Azure Bastion](https://learn.microsoft.com/azure/bastion/bastion-overview) or [Just-in-Time (JIT)](https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc) access to connect to the VM. - -### Connecting to the ArcBox Client virtual machine - -Various options are available to connect to _ArcBox-Client_ VM, depending on the parameters you supplied during deployment. - -- [RDP](#connecting-directly-with-rdp) - available after configuring access to port 3389 on the _ArcBox-NSG_, or by enabling [Just-in-Time access (JIT)](#connect-using-just-in-time-access-jit). -- [Azure Bastion](#connect-using-azure-bastion) - available if *`true`* was the value of your _`deployBastion`_ parameter during deployment. - -#### Connecting directly with RDP - -By design, ArcBox does not open port 3389 on the network security group. Therefore, you must create an NSG rule to allow inbound 3389. - -- Open the _ArcBox-NSG_ resource in Azure portal and click "Add" to add a new rule. - - ![Screenshot showing ArcBox-Client NSG with blocked RDP](./rdp_nsg_blocked.png) - - ![Screenshot showing adding a new inbound security rule](./nsg_add_rule.png) - -- Specify the IP address that you will be connecting from and select RDP as the service with "Allow" set as the action. 
You can retrieve your public IP address by accessing [https://icanhazip.com](https://icanhazip.com) or [https://whatismyip.com](https://whatismyip.com). - - Screenshot showing adding a new allow RDP inbound security rule - - ![Screenshot showing all inbound security rule](./rdp_nsg_all_rules.png) - - ![Screenshot showing connecting to the VM using RDP](./rdp_connect.png) - -#### Connect using Azure Bastion - -- If you have chosen to deploy Azure Bastion in your deployment, use it to connect to the VM. - - ![Screenshot showing connecting to the VM using Bastion](./bastion_connect.png) - - > **Note:** When using Azure Bastion, the desktop background image is not visible. Therefore some screenshots in this guide may not exactly match your experience if you are connecting to _ArcBox-Client_ with Azure Bastion. - -#### Connect using just-in-time access (JIT) - -If you already have [Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc) enabled on your subscription and would like to use JIT to access the Client VM, use the following steps: - -- In the Client VM configuration pane, enable just-in-time. This will enable the default settings. - - ![Screenshot showing the Microsoft Defender for cloud portal, allowing RDP on the client VM](./jit_allowing_rdp.png) - - ![Screenshot showing connecting to the VM using RDP](./rdp_connect.png) - - ![Screenshot showing connecting to the VM using JIT](./jit_connect_rdp.png) - -#### The Logon scripts - -- Once you log into the _ArcBox-Client_ VM, multiple automated scripts will open and start running. These scripts usually take 10-20 minutes to finish, and once completed, the script windows will close automatically. At this point, the deployment is complete. - - ![Screenshot showing ArcBox-Client](./automation.png) - -- Deployment is complete! Let's begin exploring the features of Azure Arc with ArcBox! 
- - ![Screenshot showing complete deployment](./arcbox_complete.png) - - ![Screenshot showing ArcBox resources in Azure portal](./rg_arc.png) - -## Azure Arc-enabled SQL Server onboarding - -- During deployment, a check is performed to determine whether or not the Service Principal being used has permissions of _'Microsoft.Authorization/roleAssignments/write'_ on the target resource group. This permission can be found in the Azure built-in roles of Owner, User Access Administrator, or you may have a custom RBAC role which provides this permission. If the Service Principal has been granted the rights to change the role assignments on the resource group, the Azure Arc-enabled SQL Server can be automatically onboarded as part of the port-deployment automation. - -- In the event that the Service Principal does **not** have _'Microsoft.Authorization/roleAssignments/write'_ on the target resource group, and icon will created on the _ArcBox-Client_ desktop, which will allow you to onboard the Azure Arc-enabled SQL Server after the post-deployment automation is complete. To start the onboarding process in this scenario, simply click the _'Onboard SQL Server'_ icon on the desktop. This process should take around 10-15 minutes to complete. - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_icon.png) - -- A pop-up box will walk you through the target SQL Server which will be onboarded to Azure Arc, as well as provide details around the flow of the onboarding automation and how to complete the Azure authentication process when prompted. - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_start.png) - -- The automation uses the PowerShell SDK to onboard the Azure Arc-enabled SQL Server on your behalf. To accomplish this, it will login to Azure with the _-UseDeviceAuthentication_ flag. The device code will be copied to the clipboard on your behalf, so you can simply paste the value into box when prompted. 
- - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_code.png) - -- You'll then need to provide your Azure credentials to complete the authentication process. The user you login as will need _'Microsoft.Authorization/roleAssignments/write'_ permissions on the ArcBox resource group to complete the onboarding process. - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_login.png) - -- The output of each step of the onboarding process will be displayed in the PowerShell script window, so you'll be able to see where the script currently is in the process at all times. - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_output.png) - -- Once complete, you'll receive a pop-up notification informing you that the onboarding process is complete, and to check the Azure Arc blade in the Azure portal in the next few minutes. - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_complete.png) - -- From the Azure portal, the SQL Server should now be visible as an Azure Arc-enabled SQL Server. - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_portal.png) - -## Using ArcBox - -After deployment is complete, its time to start exploring ArcBox. Most interactions with ArcBox will take place either from Azure itself (Azure portal, CLI or similar) or from inside the _ArcBox-Client_ virtual machine. When remoted into the client VM, here are some things to try: - -- Open the Hyper-V Manager to access the ArcBox nested virtual machines, that are onboarded as Azure Arc-enabled servers. -  - - Windows virtual machine credentials: - - ```text - Username: Administrator - Password: ArcDemo123!! - ``` - - Ubuntu virtual machine credentials: - - ```text - Username: arcdemo - Password: ArcDemo123!! 
- ``` - - ![Screenshot showing ArcBox Client VM with Hyper-V](./hypervterminal.png) - -- Alternately, you can use Azure CLI to connect to one of the Azure Arc-enabled servers, Hyper-V Ubuntu virtual machines [using SSH](https://learn.microsoft.com/azure/azure-arc/servers/ssh-arc-overview?tabs=azure-cli). Open a PowerShell session and use the below commands. - - ```powershell - az login -u $env:SPN_CLIENT_ID -p $env:SPN_CLIENT_SECRET -t $env:SPN_TENANT_ID --service-principal - - $serverName = "ArcBox-Ubuntu-01" - $localUser = "arcdemo" - az ssh arc --resource-group $Env:resourceGroup --name $serverName --local-user $localUser - ``` - - > **Note:** Server-side SSH is being provisioned asynchronously to the VMs in the automated provisioning scripts, so it might take up to 5 minutes after the ArcBox deployment scripts is finished until the _az ssh_ commands will run successfully. - - ![Screenshot showing usage of SSH via Azure CLI](./ssh_via_az_cli_01.png) - - ![Screenshot showing usage of SSH via Azure CLI](./ssh_via_az_cli_02.png) - -- Following the previous method, you can also use Azure CLI to connect to one of the Azure Arc-enabled servers, Hyper-V Windows Server virtual machines via SSH. - - ```powershell - az login -u $env:SPN_CLIENT_ID -p $env:SPN_CLIENT_SECRET -t $env:SPN_TENANT_ID --service-principal - - $serverName = "ArcBox-Win2K22" - $localUser = "Administrator" - - az ssh arc --resource-group $Env:resourceGroup --name $serverName --local-user $localUser - ``` - - ![Screenshot showing usage of SSH via Azure CLI](./ssh_via_az_cli_03.png) - - ![Screenshot showing usage of SSH via Azure CLI](./ssh_via_az_cli_04.png) - -- In addition to SSH, you can also use Azure CLI to connect to one of the Azure Arc-enabled servers, Hyper-V Windows Server virtual machines using Remote Desktop tunneled via SSH. 
- - ```powershell - az login -u $env:SPN_CLIENT_ID -p $env:SPN_CLIENT_SECRET -t $env:SPN_TENANT_ID --service-principal - - $serverName = "ArcBox-Win2K22" - $localUser = "Administrator" - - az ssh arc --resource-group $Env:resourceGroup --name $serverName --local-user $localUser --rdp - ``` - - ![Screenshot showing usage of Remote Desktop tunnelled via SSH](./rdp_via_az_cli.png) - -- Use the included [kubectx](https://github.com/ahmetb/kubectx) tool to switch Kubernetes contexts between the Rancher K3s and AKS clusters. - - ```shell - kubectx - kubectx arcbox-capi - kubectl get nodes - kubectl get pods -n arc - kubectx arcbox-k3s - kubectl get nodes - ``` - - ![Screenshot showing usage of kubectx](./kubectx.png) - -- Open Azure Data Studio and explore the SQL MI and PostgreSQL instances. - - ![Screenshot showing Azure Data Studio usage](./azdatastudio.png) - -### ArcBox Azure Monitor workbook - -Open the [ArcBox Azure Monitor workbook documentation](/azure_jumpstart_arcbox/workbook/flavors/Full) and explore the visualizations and reports of hybrid cloud resources. - - ![Screenshot showing Azure Monitor workbook usage](./workbook.png) - -### Azure Arc-enabled data services operations - -Open the [data services operations page](/azure_jumpstart_arcbox/data_ops/) and explore various ways you can perform operations against the Azure Arc-enabled data services deployed with ArcBox. - - ![Screenshot showing Grafana dashboard](./activity1.png) - -### Arc-enabled SQL Server - Best practices assessment - -As part of the ArcBox deployment, SQL Server best practices assessment is configured and run. Open _ArcBox-SQL_ Arc-enabled SQL Server resource from the resource group deployed or Azure Arc service blade to view SQL Server best practice assessment results. - -- The following screenshot shows the SQL Server best practices assessment page and the scheduled and previously ran assessments. 
If this page does not show assessment results click on the Refresh button to show assessments. Once displayed the assessments and results click on _View assessment_ results to see results. - - ![Screenshot showing SQL Server best practices assessment configuration](./sql-pba-view-results.png) - - ![Screenshot showing SQL Server best practices assessment results part 1](./sql-bpa-results-1.png) - - ![Screenshot showing SQL Server best practices assessment results part 2](./sql-bpa-results-2.png) - -### Microsoft Defender for Cloud - SQL servers on machines - -This section guides you through different settings for enabling Microsoft Defender for Cloud - SQL servers on machines. Most of these settings are already enabled during the logon script execution after logging in to _ArcBox-Client_ Azure VM. Even though these are pre-configured there might be delays in showing them in the Azure portal. - -- Following are the settings of Microsoft Defender for Cloud - SQL servers on machines configured using automation scripts and can be reviewed in Azure portal. - - ![Screenshot showing Microsoft Defender for Cloud plans](./microsoft-defender-plans.png) - - ![Screenshot showing Microsoft Defender for Cloud SQL enabled](./defender-sql-plan.png) - -- The below screenshots show Arc-enabled SQL Server Defender for Cloud enablement and protection status. Defender for Cloud for SQL Server is enabled at the subscription level, but the protection status is still showing as not enabled. - -Please note it may take some time to show this status in the Azure portal, but still able to detect SQL threats generated by the test scripts. - - ![Screenshot showing Microsoft Defender for Cloud - Arc-enabled SQL server status](./sql-defender-status.png) - -- The below screenshot shows the SQL threats detected by Microsoft Defender for Cloud. 
- - ![Screenshot showing Defender for SQL security incidents and alerts](./sql-defender-incidents.png) - - > **Note:** Once in a while executing Defender for SQL test script (_testDefenderForSQL.ps1_) may fail due to delays in deploying SQLAdvancedThreatProtection Log Analytics solution and may not generate security incidents and alerts. If you do not find these security incidents and alerts, log in to nested SQL server VM _ArcBox-SQL_ in Hyper-V and execute the test script manually as shown below. - -- The below screenshot shows the test script used to generate SQL threats, detect, and alert using Defender for Cloud for SQL servers. This script is copied on the nested _ArcBox-SQL_ Hyper-V virtual machine and can be used to run additional tests to generate security incidents and alerts. - - ![Screenshot showing Defender for SQL test scripts](./sql-defender-testing-script.png) - -- Open PowerShell window and change directory to _C:\ArcBox\agentScript_ folder and run _testDefenderForSQL.ps1_ PowerShell script to generate Defender for SQL incidents and alerts. - - ![Screenshot showing manual execution of the test scripts](./manual-brute-force-test.png) - -- The below screenshot shows an email alert sent by Defender for Cloud when a SQL threat is detected. By default, this email is sent to the registered contact email at the subscription level. - ![Screenshot showing test script results](./brute-force-attack-alert.png) - -### AdventureWorks API and Azure API Management - -This section guides you through deploying the AdventureWorks WebAPI workload on the _ArcBox-K3s_ cluster together with [Azure API Management (APIM)](https://learn.microsoft.com/azure/api-management/). This allows you to run workloads with intermittent internet connectivity and centralizes the control plane to align with other Azure Arc resource management. 
Example use cases include: - -- A farm in a rural area where data can be captured on-site to be synchronized to Azure for analysis with Azure Fabric. -- A sport venue where ticket operation and data retention needs to remain onsite. - -Start deployment by running the following PowerShell command: - -``` powershell - C:\ArcBox\DeployAPIM.ps1 -``` - -The following tasks will be performed by the deployment: - - Deploy AdventureWorks API to _ArcBox-K3s_. - - Set the backend of the AdventureWorks API to AdventureWorks SQL Managed Instance. - - Deploy Azure API Management with the self-hosted gateway. - - Deploy self-hosted gateway to the K3s. - - Configure the connectivity from Azure API Management, self-hosted gateway, and AdventureWorks API. - -- Deployment will finish show the following message: - ![Screenshot showing terminal output of the deployment ](./apim_01_deploymentcomplete.png) - -- Get the IP address for the self-hosted gateway: - - ``` powershell - C:\ArcBox\arcdemo\kubectl get svc - ``` - -- The self-hosted gateway IP should look similar to the following screenshot: - ![Screenshot showing Terminal screenshot show IP of the self host agent service ](./apim_02_selfhost_ip.png) - -- AdventureWorks API can be tested using the IP (http://{gateway IP}/adventurework/api/customers) -![Screenshot showing terminal output of the deployment ](./apim_10_request.png) - -### Included tools - -The following tools are included in the _ArcBox-Client_ VM. - -- Azure Data Studio with Arc and PostgreSQL extensions -- kubectl, kubectx, helm -- Chocolatey -- Visual Studio Code -- Putty -- 7zip -- Git -- SqlQueryStress - -### Next steps - -ArcBox is a sandbox that can be used for a large variety of use cases, such as an environment for testing and training or a kickstarter for proof of concept projects. Ultimately, you are free to do whatever you wish with ArcBox. 
Some suggested next steps for you to try in your ArcBox are: - -- Deploy sample databases to the PostgreSQL instance or to the SQL Managed Instance -- Use the included kubectx to switch contexts between the two Kubernetes clusters -- Deploy GitOps configurations with Azure Arc-enabled Kubernetes -- Build policy initiatives that apply to your Azure Arc-enabled resources -- Write and test custom policies that apply to your Azure Arc-enabled resources -- Incorporate your own tooling and automation into the existing automation framework -- Build a certificate/secret/key management strategy with your Azure Arc resources - -Do you have an interesting use case to share? [Submit an issue](https://aka.ms/JumpstartIssue) on GitHub with your idea and we will consider it for future releases! - -## Clean up the deployment - -To clean up your deployment, simply delete the resource group using Azure CLI or Azure portal. - -```shell -az group delete -n -``` - -![Screenshot showing az group delete](./azdelete.png) - -![Screenshot showing group delete from Azure portal](./portaldelete.png) - -## Basic troubleshooting - -Occasionally deployments of ArcBox may fail at various stages. Common reasons for failed deployments include: - -- Invalid service principal id, service principal secret or service principal Azure tenant ID provided in _azuredeploy.parameters.json_ file. -- Invalid SSH public key provided in _azuredeploy.parameters.json_ file. - - An example SSH public key is shown here. Note that the public key includes "ssh-rsa" at the beginning. The entire value should be included in your _azuredeploy.parameters.json_ file. - - ![Screenshot showing SSH public key example](./ssh_example.png) - -- Not enough vCPU quota available in your target Azure region - check vCPU quota and ensure you have at least 52 available. See the [prerequisites](#prerequisites) section for more details. 
-- Target Azure region does not support all required Azure services - ensure you are running ArcBox in one of the supported regions listed in the above section "ArcBox Azure Region Compatibility". -- "BadRequest" error message when deploying - this error returns occasionally when the Log Analytics solutions in the ARM templates are deployed. Typically, waiting a few minutes and re-running the same deployment resolves the issue. Alternatively, you can try deploying to a different Azure region. - - ![Screenshot showing BadRequest errors in Az CLI](./error_badrequest.png) - - ![Screenshot showing BadRequest errors in Azure portal](./error_badrequest2.png) - -### Exploring logs from the _ArcBox-Client_ virtual machine - -Occasionally, you may need to review log output from scripts that run on the _ArcBox-Client_, _ArcBox-CAPI-MGMT_ or _ArcBox-K3s_ virtual machines in case of deployment failures. To make troubleshooting easier, the ArcBox deployment scripts collect all relevant logs in the _C:\ArcBox\Logs_ folder on _ArcBox-Client_. A short description of the logs and their purpose can be seen in the list below: - -| Log file | Description | -| ------- | ----------- | -| _C:\ArcBox\Logs\Bootstrap.log_ | Output from the initial bootstrapping script that runs on _ArcBox-Client_. | -| _C:\ArcBox\Logs\ArcServersLogonScript.log_ | Output of _ArcServersLogonScript.ps1_ which configures the Hyper-V host and guests and onboards the guests as Azure Arc-enabled servers. | -| _C:\ArcBox\Logs\DataServicesLogonScript.log_ | Output of _DataServicesLogonScript.ps1_ which configures Azure Arc-enabled data services baseline capability. | -| _C:\ArcBox\Logs\deployPostgreSQL.log_ | Output of _deployPostgreSQL.ps1_ which deploys and configures PostgreSQL with Azure Arc. | -| _C:\ArcBox\Logs\deploySQL.log_ | Output of _deploySQL.ps1_ which deploys and configures SQL Managed Instance with Azure Arc. 
| -| _C:\ArcBox\Logs\installCAPI.log_ | Output from the custom script extension which runs on _ArcBox-CAPI-MGMT_ and configures the Cluster API for Azure cluster and onboards it as an Azure Arc-enabled Kubernetes cluster. If you encounter ARM deployment issues with _ubuntuCapi.json_ then review this log. | -| _C:\ArcBox\Logs\installK3s.log_ | Output from the custom script extension which runs on _ArcBox-K3s_ and configures the Rancher cluster and onboards it as an Azure Arc-enabled Kubernetes cluster. If you encounter ARM deployment issues with _ubuntuRancher.json_ then review this log. | -| _C:\ArcBox\Logs\MonitorWorkbookLogonScript.log_ | Output from _MonitorWorkbookLogonScript.ps1_ which deploys the Azure Monitor workbook. | -| _C:\ArcBox\Logs\SQLMIEndpoints.log_ | Output from _SQLMIEndpoints.ps1_ which collects the service endpoints for SQL MI and uses them to configure Azure Data Studio connection settings. | - - ![Screenshot showing ArcBox logs folder on ArcBox-Client](./troubleshoot_logs.png) - -### Exploring installation logs from the Linux virtual machines - -In the case of a failed deployment, pointing to a failure in either the _ubuntuRancherDeployment_ or the _ubuntuCAPIDeployment_ Azure deployments, an easy way to explore the deployment logs is available directly from the associated virtual machines. - - ![Screenshot showing failed deployments](./failed_deployments.png) - -- Depends on which deployment failed, connect using SSH to the associated virtual machine public IP: - - _ubuntuCAPIDeployment_ - _ArcBox-CAPI-MGMT_ virtual machine. - - _ubuntuRancherDeployment_ - _ArcBox-K3s_ virtual machine. - - Since you are logging in using the provided SSH public key, all you need is the _arcdemo_ username. 
- - ![Screenshot showing ArcBox-CAPI-MGMT virtual machine public IP](./arcbox_capi_mgmt_vm_ip.png) - - ![Screenshot showing ArcBox-K3s virtual machine public IP](./arcbox_k3s_vm_ip.png) - -- As described in the message of the day (motd), depends on which virtual machine you logged into, the installation log can be found in the _jumpstart_logs_ folder. This installation logs can help determine the root cause for the failed deployment. - - _ArcBox-CAPI-MGMT_ log path: _jumpstart_logs/installCAPI.log_ - - _ArcBox-K3s_ log path: _jumpstart_logs/installK3s.log_ - - ![Screenshot showing login and the message of the day](./login_motd.png) - -- From the screenshot below, looking at _ArcBox-CAPI-MGMT_ virtual machine CAPI installation log using the `cat jumpstart_logs/installCAPI.log` command, we can see the _az login_ command failed due to bad service principal credentials. - - ![Screenshot showing cat command for showing installation log](./cat_command.png) - - ![Screenshot showing az login error](./az_login_error.png) - -- You might randomly get a similar error in the _InstallCAPI.log_ to `Error from server (InternalError): error when creating "template.yaml": Internal error occurred: failed calling webhook "default.azuremachinetemplate.infrastructure.cluster.x-k8s.io": failed to call webhook: Post "https://capz-webhook-service.capz-system.svc:443/mutate-infrastructure-cluster-x-k8s-io-v1beta1-azuremachinetemplate?timeout=10s": EOF`. This is an issue we are currently investigating. To resolve please redeploy ArcBox. - -If you are still having issues deploying ArcBox, please [submit an issue](https://aka.ms/JumpstartIssue) on GitHub and include a detailed description of your issue, the Azure region you are deploying to, the flavor of ArcBox you are trying to deploy. Inside the _C:\ArcBox\Logs_ folder you can also find instructions for uploading your logs to an Azure storage account for review by the Jumpstart team. 
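Review bot: no redirect or replacement pointer accompanies the removal of docs/azure_jumpstart_arcbox/Full/_index.md, yet the deleted text is the only place in this patch that documents the Full flavor's operational guidance: the Defender for SQL test procedure (_testDefenderForSQL.ps1_ run from _C:\ArcBox\agentScript_ on _ArcBox-SQL_), the _C:\ArcBox\Logs_ log table, the Linux _jumpstart_logs/installCAPI.log_ and _installK3s.log_ walkthrough, and the instructions for uploading logs to the Jumpstart team. The deleted page also carries the `#prerequisites` and `#basic-troubleshooting` anchors that inbound links may target. Suggest adding a redirect for the removed URL, or a short retirement note on the remaining flavor pages (for example the ITPro page touched later in this patch) that links to the equivalent troubleshooting and log-collection sections, so existing links do not 404.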
diff --git a/docs/azure_jumpstart_arcbox/Full/activity1.png b/docs/azure_jumpstart_arcbox/Full/activity1.png deleted file mode 100644 index 97f36e43..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/activity1.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/apim_01_deploymentcomplete.png b/docs/azure_jumpstart_arcbox/Full/apim_01_deploymentcomplete.png deleted file mode 100644 index cb63d639..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/apim_01_deploymentcomplete.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/apim_02_selfhost_ip.png b/docs/azure_jumpstart_arcbox/Full/apim_02_selfhost_ip.png deleted file mode 100644 index 0d9e8773..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/apim_02_selfhost_ip.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/apim_10_request.png b/docs/azure_jumpstart_arcbox/Full/apim_10_request.png deleted file mode 100644 index 05901af5..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/apim_10_request.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/arcbox_capi_mgmt_vm_ip.png b/docs/azure_jumpstart_arcbox/Full/arcbox_capi_mgmt_vm_ip.png deleted file mode 100644 index 5603f351..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/arcbox_capi_mgmt_vm_ip.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/arcbox_complete.png b/docs/azure_jumpstart_arcbox/Full/arcbox_complete.png deleted file mode 100644 index 4899d81d..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/arcbox_complete.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/arcbox_k3s_vm_ip.png b/docs/azure_jumpstart_arcbox/Full/arcbox_k3s_vm_ip.png deleted file mode 100644 index 0f78ccc3..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/arcbox_k3s_vm_ip.png and /dev/null differ 
diff --git a/docs/azure_jumpstart_arcbox/Full/arch_capi.png b/docs/azure_jumpstart_arcbox/Full/arch_capi.png deleted file mode 100644 index c9108497..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/arch_capi.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/arch_full.png b/docs/azure_jumpstart_arcbox/Full/arch_full.png deleted file mode 100644 index f918f552..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/arch_full.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/automation.png b/docs/azure_jumpstart_arcbox/Full/automation.png deleted file mode 100644 index 48ac0db7..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/automation.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/automation1.png b/docs/azure_jumpstart_arcbox/Full/automation1.png deleted file mode 100644 index 9c94da93..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/automation1.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/automation2.png b/docs/azure_jumpstart_arcbox/Full/automation2.png deleted file mode 100644 index 640590bb..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/automation2.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/automation3.png b/docs/azure_jumpstart_arcbox/Full/automation3.png deleted file mode 100644 index 2eb64cf7..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/automation3.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/automation4.png b/docs/azure_jumpstart_arcbox/Full/automation4.png deleted file mode 100644 index 5ba753b4..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/automation4.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/automation5.png b/docs/azure_jumpstart_arcbox/Full/automation5.png deleted file mode 100644 index 2d5538d3..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/automation5.png and /dev/null differ 
diff --git a/docs/azure_jumpstart_arcbox/Full/az_login_error.png b/docs/azure_jumpstart_arcbox/Full/az_login_error.png deleted file mode 100644 index 5aec01ee..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/az_login_error.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/azdatastudio.png b/docs/azure_jumpstart_arcbox/Full/azdatastudio.png deleted file mode 100644 index d79dac3e..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/azdatastudio.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/azdatausage.png b/docs/azure_jumpstart_arcbox/Full/azdatausage.png deleted file mode 100644 index e37c95b5..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/azdatausage.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/azdelete.png b/docs/azure_jumpstart_arcbox/Full/azdelete.png deleted file mode 100644 index 25aacfd2..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/azdelete.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/azdeploy.png b/docs/azure_jumpstart_arcbox/Full/azdeploy.png deleted file mode 100644 index 3c82bdf9..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/azdeploy.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/azgroupcreate.png b/docs/azure_jumpstart_arcbox/Full/azgroupcreate.png deleted file mode 100644 index 23449c83..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/azgroupcreate.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/azvmlistusage.png b/docs/azure_jumpstart_arcbox/Full/azvmlistusage.png deleted file mode 100644 index d8daa3b6..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/azvmlistusage.png and /dev/null differ 
diff --git a/docs/azure_jumpstart_arcbox/Full/bastion_connect.png b/docs/azure_jumpstart_arcbox/Full/bastion_connect.png deleted file mode 100644 index 121913c1..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/bastion_connect.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/brute-force-attack-alert.png b/docs/azure_jumpstart_arcbox/Full/brute-force-attack-alert.png deleted file mode 100644 index 6d73898a..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/brute-force-attack-alert.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/cat_command.png b/docs/azure_jumpstart_arcbox/Full/cat_command.png deleted file mode 100644 index 3a81b15a..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/cat_command.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/clientscript.png b/docs/azure_jumpstart_arcbox/Full/clientscript.png deleted file mode 100644 index 203511d0..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/clientscript.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/create_spn_powershell.png b/docs/azure_jumpstart_arcbox/Full/create_spn_powershell.png deleted file mode 100644 index 5b77a156..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/create_spn_powershell.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/customlocationerror.png b/docs/azure_jumpstart_arcbox/Full/customlocationerror.png deleted file mode 100644 index 74229457..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/customlocationerror.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/dataservices.png b/docs/azure_jumpstart_arcbox/Full/dataservices.png deleted file mode 100644 index 3af0ac22..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/dataservices.png and /dev/null differ 
diff --git a/docs/azure_jumpstart_arcbox/Full/dataservices2.png b/docs/azure_jumpstart_arcbox/Full/dataservices2.png deleted file mode 100644 index 4d93602e..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/dataservices2.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/defender-sql-plan.png b/docs/azure_jumpstart_arcbox/Full/defender-sql-plan.png deleted file mode 100644 index d4f90831..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/defender-sql-plan.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/deployed_resources.png b/docs/azure_jumpstart_arcbox/Full/deployed_resources.png deleted file mode 100644 index bccefed2..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/deployed_resources.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/deploymentflow.png b/docs/azure_jumpstart_arcbox/Full/deploymentflow.png deleted file mode 100644 index 1d04e0b8..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/deploymentflow.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/deploymentflow_tf.png b/docs/azure_jumpstart_arcbox/Full/deploymentflow_tf.png deleted file mode 100644 index 3732abde..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/deploymentflow_tf.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/error_badrequest.png b/docs/azure_jumpstart_arcbox/Full/error_badrequest.png deleted file mode 100644 index debecc54..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/error_badrequest.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/error_badrequest2.png b/docs/azure_jumpstart_arcbox/Full/error_badrequest2.png deleted file mode 100644 index 7532b885..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/error_badrequest2.png and /dev/null differ 
diff --git a/docs/azure_jumpstart_arcbox/Full/failed_deployments.png b/docs/azure_jumpstart_arcbox/Full/failed_deployments.png deleted file mode 100644 index f6cb158c..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/failed_deployments.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/hypervterminal.png b/docs/azure_jumpstart_arcbox/Full/hypervterminal.png deleted file mode 100644 index 157695cd..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/hypervterminal.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/jit_allowing_rdp.png b/docs/azure_jumpstart_arcbox/Full/jit_allowing_rdp.png deleted file mode 100644 index 69eca956..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/jit_allowing_rdp.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/jit_connect_rdp.png b/docs/azure_jumpstart_arcbox/Full/jit_connect_rdp.png deleted file mode 100644 index 8d20aa0b..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/jit_connect_rdp.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/k8s.png b/docs/azure_jumpstart_arcbox/Full/k8s.png deleted file mode 100644 index 243a41a7..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/k8s.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/kubectx.png b/docs/azure_jumpstart_arcbox/Full/kubectx.png deleted file mode 100644 index 74b68d5e..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/kubectx.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/list_skus.png b/docs/azure_jumpstart_arcbox/Full/list_skus.png deleted file mode 100644 index 7e4b7e13..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/list_skus.png and /dev/null differ 
diff --git a/docs/azure_jumpstart_arcbox/Full/list_skus_unrestricted.png b/docs/azure_jumpstart_arcbox/Full/list_skus_unrestricted.png deleted file mode 100644 index 4e5ac1f0..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/list_skus_unrestricted.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/login_motd.png b/docs/azure_jumpstart_arcbox/Full/login_motd.png deleted file mode 100644 index 0ea662c6..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/login_motd.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/manual-brute-force-test.png b/docs/azure_jumpstart_arcbox/Full/manual-brute-force-test.png deleted file mode 100644 index 1b428a31..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/manual-brute-force-test.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/microsoft-defender-plans.png b/docs/azure_jumpstart_arcbox/Full/microsoft-defender-plans.png deleted file mode 100644 index f2bd2b7b..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/microsoft-defender-plans.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/nsg_add_rdp_rule.png b/docs/azure_jumpstart_arcbox/Full/nsg_add_rdp_rule.png deleted file mode 100644 index 5374ea53..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/nsg_add_rdp_rule.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/nsg_add_rule.png b/docs/azure_jumpstart_arcbox/Full/nsg_add_rule.png deleted file mode 100644 index ff63207e..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/nsg_add_rule.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/parameters _bicep.png b/docs/azure_jumpstart_arcbox/Full/parameters _bicep.png deleted file mode 100644 index f537f53e..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/parameters _bicep.png and /dev/null differ 
diff --git a/docs/azure_jumpstart_arcbox/Full/parameters.png b/docs/azure_jumpstart_arcbox/Full/parameters.png deleted file mode 100644 index f537f53e..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/parameters.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/parameters_bicep.png b/docs/azure_jumpstart_arcbox/Full/parameters_bicep.png deleted file mode 100644 index 1db7d88a..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/parameters_bicep.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/portaldelete.png b/docs/azure_jumpstart_arcbox/Full/portaldelete.png deleted file mode 100644 index d88b04ca..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/portaldelete.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/portaldeploy.png b/docs/azure_jumpstart_arcbox/Full/portaldeploy.png deleted file mode 100644 index a3c3773f..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/portaldeploy.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/portaldeployinprogress.png b/docs/azure_jumpstart_arcbox/Full/portaldeployinprogress.png deleted file mode 100644 index d0474d61..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/portaldeployinprogress.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/portaldeploymentcomplete.png b/docs/azure_jumpstart_arcbox/Full/portaldeploymentcomplete.png deleted file mode 100644 index 633fa308..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/portaldeploymentcomplete.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/rdp_connect.png b/docs/azure_jumpstart_arcbox/Full/rdp_connect.png deleted file mode 100644 index 18fddbd9..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/rdp_connect.png and /dev/null differ 
diff --git a/docs/azure_jumpstart_arcbox/Full/rdp_nsg_all_rules.png b/docs/azure_jumpstart_arcbox/Full/rdp_nsg_all_rules.png deleted file mode 100644 index 67173d90..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/rdp_nsg_all_rules.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/rdp_nsg_blocked.png b/docs/azure_jumpstart_arcbox/Full/rdp_nsg_blocked.png deleted file mode 100644 index b90a211d..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/rdp_nsg_blocked.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/rdp_via_az_cli.png b/docs/azure_jumpstart_arcbox/Full/rdp_via_az_cli.png deleted file mode 100644 index 00afb27e..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/rdp_via_az_cli.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/rg_arc.png b/docs/azure_jumpstart_arcbox/Full/rg_arc.png deleted file mode 100644 index 12cc7464..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/rg_arc.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/servers.png b/docs/azure_jumpstart_arcbox/Full/servers.png deleted file mode 100644 index 3848ac74..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/servers.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/sql-bpa-results-1.png b/docs/azure_jumpstart_arcbox/Full/sql-bpa-results-1.png deleted file mode 100644 index 50d8792a..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql-bpa-results-1.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/sql-bpa-results-2.png b/docs/azure_jumpstart_arcbox/Full/sql-bpa-results-2.png deleted file mode 100644 index 080edfda..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql-bpa-results-2.png and /dev/null differ 
diff --git a/docs/azure_jumpstart_arcbox/Full/sql-defender-incidents.png b/docs/azure_jumpstart_arcbox/Full/sql-defender-incidents.png deleted file mode 100644 index 3ec6dc0f..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql-defender-incidents.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/sql-defender-status.png b/docs/azure_jumpstart_arcbox/Full/sql-defender-status.png deleted file mode 100644 index 50f91195..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql-defender-status.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/sql-defender-testing-script.png b/docs/azure_jumpstart_arcbox/Full/sql-defender-testing-script.png deleted file mode 100644 index 61ead025..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql-defender-testing-script.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/sql-pba-view-results.png b/docs/azure_jumpstart_arcbox/Full/sql-pba-view-results.png deleted file mode 100644 index 9061203c..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql-pba-view-results.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_code.png b/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_code.png deleted file mode 100644 index edcb0d15..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_code.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_complete.png b/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_complete.png deleted file mode 100644 index c801ec96..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_complete.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_icon.png b/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_icon.png deleted file mode 100644 index 663f6481..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_icon.png and /dev/null differ 
diff --git a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_login.png b/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_login.png deleted file mode 100644 index d17c6c1a..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_login.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_output.png b/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_output.png deleted file mode 100644 index 178f096a..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_output.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_portal.png b/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_portal.png deleted file mode 100644 index 9ccfbec7..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_portal.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_start.png b/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_start.png deleted file mode 100644 index 6d0b242b..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/sql_manual_onboard_start.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/ssh_example.png b/docs/azure_jumpstart_arcbox/Full/ssh_example.png deleted file mode 100644 index eb136720..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/ssh_example.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/ssh_via_az_cli_01.png b/docs/azure_jumpstart_arcbox/Full/ssh_via_az_cli_01.png deleted file mode 100644 index 15d98874..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/ssh_via_az_cli_01.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/ssh_via_az_cli_02.png b/docs/azure_jumpstart_arcbox/Full/ssh_via_az_cli_02.png deleted file mode 100644 index 8a79020d..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/ssh_via_az_cli_02.png and /dev/null differ 
diff --git a/docs/azure_jumpstart_arcbox/Full/ssh_via_az_cli_03.png b/docs/azure_jumpstart_arcbox/Full/ssh_via_az_cli_03.png deleted file mode 100644 index fa332232..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/ssh_via_az_cli_03.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/ssh_via_az_cli_04.png b/docs/azure_jumpstart_arcbox/Full/ssh_via_az_cli_04.png deleted file mode 100644 index 1d4a8f8b..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/ssh_via_az_cli_04.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/troubleshoot_logs.png b/docs/azure_jumpstart_arcbox/Full/troubleshoot_logs.png deleted file mode 100644 index b12e03dd..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/troubleshoot_logs.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/unifiedops.png b/docs/azure_jumpstart_arcbox/Full/unifiedops.png deleted file mode 100644 index eccedf88..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/unifiedops.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/Full/workbook.png b/docs/azure_jumpstart_arcbox/Full/workbook.png deleted file mode 100644 index 5576dd20..00000000 Binary files a/docs/azure_jumpstart_arcbox/Full/workbook.png and /dev/null differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/_index.md b/docs/azure_jumpstart_arcbox/ITPro/_index.md index 9ba4945e..6d5ec22c 100644 --- a/docs/azure_jumpstart_arcbox/ITPro/_index.md +++ b/docs/azure_jumpstart_arcbox/ITPro/_index.md 
@@ -106,37 +106,6 @@ ArcBox uses an advanced automation flow to deploy and configure all necessary re az provider register --namespace Microsoft.OperationsManagement --wait ``` -- [Generate a new SSH key pair](https://learn.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed) or use an existing one (Windows 10 and above now comes with a built-in ssh client). The SSH key is used to configure secure access to the Linux virtual machines that are used to run the Kubernetes clusters. - - ```shell - ssh-keygen -t rsa -b 4096 - ``` - - To retrieve the SSH public key after it's been created, depending on your environment, use one of the below methods: - - In Linux, use the `cat ~/.ssh/id_rsa.pub` command. - - In Windows (CMD/PowerShell), use the SSH public key file that by default, is located in the _`C:\Users\WINUSER/.ssh/id_rsa.pub`_ folder. - - SSH public key example output: - - ```shell - ssh-rsa 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 user@pc - ``` - -- ArcBox must be deployed to one of the following regions. **Deploying ArcBox outside of these regions may result in unexpected results or deployment errors.** - - - East US - - East US 2 - - Central US - - West US 2 - - North Europe - - West Europe - - France Central - - UK South - - Australia East - - Japan East - - Korea Central - - Southeast Asia - ## Deployment Option 1: Azure portal - Click the button and enter values for the the ARM template parameters. @@ -149,7 +118,7 @@ ArcBox uses an advanced automation flow to deploy and configure all necessary re > **Note:** If you see any failure in the deployment, please check the [troubleshooting guide](#basic-troubleshooting). -## Deployment Option 2: Bicep deployment via Azure CLI +## Deployment Option 2: Bicep deployment - Clone the Azure Arc Jumpstart repository 
@@ -164,7 +133,6 @@ ArcBox uses an advanced automation flow to deploy and configure all necessary re ``` - Edit the [main.bicepparam](https://github.com/microsoft/azure_arc/blob/main/azure_jumpstart_arcbox/bicep/main.bicepparam) template parameters file and supply values for your environment. - - _`sshRSAPublicKey`_ - Your SSH public key - _`tenantId`_ - Your Azure tenant id - _`windowsAdminUsername`_ - Client Windows VM Administrator username - _`windowsAdminPassword`_ - Client Windows VM Password. Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character. The value must be between 12 and 123 characters long. @@ -175,7 +143,9 @@ ArcBox uses an advanced automation flow to deploy and configure all necessary re ![Screenshot showing example parameters](./parameters_itpro_bicep.png) -- Now you will deploy the Bicep file. Navigate to the local cloned [deployment folder](https://github.com/microsoft/azure_arc/tree/main/azure_jumpstart_arcbox/bicep) and run the below command: +- Now you will deploy the Bicep file. Navigate to the local cloned [deployment folder](https://github.com/microsoft/azure_arc/tree/main/azure_jumpstart_arcbox/bicep) and run the below commands: + +### Bicep deployment option 1: Azure CLI ```shell az login 
@@ -183,15 +153,28 @@ ArcBox uses an advanced automation flow to deploy and configure all necessary re az deployment group create -g "" -f "main.bicep" -p "main.bicepparam" ``` - > **Note:** If you see any failure in the deployment, please check the [troubleshooting guide](#basic-troubleshooting). +### Bicep deployment option 2: Azure PowerShell + + ```shell + Connect-AzAccount + + $RGname = "" + $Location= "" + + New-AzResourceGroup -Name $RGname -Location $location + + New-AzResourceGroupDeployment -Name arcbox -ResourceGroupName $RGname -TemplateFile "./main.bicep" -TemplateParameterFile "./main.bicepparam" + ``` + + > **Note:** If you see any failure in the deployment, please check the [troubleshooting guide](#basic-troubleshooting). ## Start post-deployment automation -Once your deployment is complete, you can open the Azure portal and see the ArcBox resources inside your resource group. You will be using the _ArcBox-Client_ Azure virtual machine to explore various capabilities of ArcBox such as GitOps configurations and Key Vault integration. You will need to remotely access _ArcBox-Client_. +Once your deployment is complete, you can open the Azure portal and see the ArcBox resources inside your resource group. You will be using the _ArcBox-Client_ Azure virtual machine to explore various capabilities of ArcBox such as SSH access to Arc-enabled Server and Azure Update Manager. You will need to remotely access _ArcBox-Client_. ![Screenshot showing all deployed resources in the resource group](./deployed_resources.png) - > **Note:** For enhanced ArcBox security posture, RDP (3389) and SSH (22) ports are not open by default in ArcBox deployments. 
You will need to create a network security group (NSG) rule to allow network access to port 3389, or use [Azure Bastion](https://learn.microsoft.com/azure/bastion/bastion-overview) or [Just-in-Time (JIT)](https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc) access to connect to the VM. + > **Note:** For enhanced ArcBox security posture, RDP (3389) port are not open by default in ArcBox deployments. You will need to create a network security group (NSG) rule to allow network access to port 3389, or use [Azure Bastion](https://learn.microsoft.com/azure/bastion/bastion-overview) or [Just-in-Time (JIT)](https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc) access to connect to the VM. ### Connecting to the ArcBox Client virtual machine @@ -240,7 +223,7 @@ If you already have [Microsoft Defender for Cloud](https://learn.microsoft.com/a #### The Logon scripts -- Once you log into the _ArcBox-Client_ VM, multiple automated scripts will open and start running. These scripts usually take 10-20 minutes to finish, and once completed, the script windows will close automatically. At this point, the deployment is complete. +- Once you log into the _ArcBox-Client_ VM, multiple automated scripts will open and start running. Unless you have overriden the `vmAutologon` parameter in the parameters-file, the VM will automatically launch the logon scripts directly after the Azure-deployment has completed without waiting for a user to manually logon. These scripts usually take 10-20 minutes to finish, and once completed, the script windows will close automatically. ![Screenshot showing ArcBox-Client](./automation.png) 
@@ -248,33 +231,9 @@ If you already have [Microsoft Defender for Cloud](https://learn.microsoft.com/a ![Screenshot showing complete deployment](./arcbox_complete.png) - ![Screenshot showing ArcBox resources in Azure portal](./rg_arc.png) - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_icon.png) - -- A pop-up box will walk you through the target SQL Server which will be onboarded to Azure Arc, as well as provide details around the flow of the onboarding automation and how to complete the Azure authentication process when prompted. - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_start.png) - -- The automation uses the PowerShell SDK to onboard the Azure Arc-enabled SQL Server on your behalf. To accomplish this, it will login to Azure with the _-UseDeviceAuthentication_ flag. The device code will be copied to the clipboard on your behalf, so you can simply paste the value into box when prompted. - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_code.png) - -- You'll then need to provide your Azure credentials to complete the authentication process. The user you login as will need _'Microsoft.Authorization/roleAssignments/write'_ permissions on the ArcBox resource group to complete the onboarding process. - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_login.png) - -- The output of each step of the onboarding process will be displayed in the PowerShell script window, so you'll be able to see where the script currently is in the process at all times. - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_output.png) - -- Once complete, you'll receive a pop-up notification informing you that the onboarding process is complete, and to check the Azure Arc blade in the Azure portal in the next few minutes. - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_complete.png) +Before you move on, make sure to verify that the deployment status shown on the desktop background does not indicate any failures. 
If so, inspect the log files in the ArcBox logs-directory by navigating to the desktop shortcut *Logs*. For more information about troubleshooting, please check the [troubleshooting guide](#basic-troubleshooting) -- From the Azure portal, the SQL Server should now be visible as an Azure Arc-enabled SQL Server. - - ![Screenshot showing ArcBox-Client](./sql_manual_onboard_portal.png) + ![Screenshot showing ArcBox resources in Azure portal](./rg_arc.png) ## Using ArcBox for IT Pros 
@@ -287,38 +246,55 @@ After deployment is complete, its time to start exploring ArcBox. Most interacti ```text Username: Administrator - Password: ArcDemo123!! + Password: JS123!! ``` Ubuntu virtual machine credentials: ```text - Username: arcdemo - Password: ArcDemo123!! + Username: jumpstart + Password: JS123!! ``` ![Screenshot showing ArcBox Client VM with Hyper-V](./hypervterminal.png) -- Alternately, you can use Azure CLI to connect to one of the Azure Arc-enabled servers, Hyper-V Ubuntu virtual machines [using SSH](https://learn.microsoft.com/azure/azure-arc/servers/ssh-arc-overview?tabs=azure-cli). Open a PowerShell session and use the below commands. +## SSH access to Azure Arc-enabled servers + +[SSH for Arc-enabled servers](https://learn.microsoft.com/azure/azure-arc/servers/ssh-arc-overview) enables SSH based connections to Arc-enabled servers without requiring a public IP address or additional open ports. This functionality can be used interactively, automated, or with existing SSH based tooling, allowing existing management tools to have a greater impact on Azure Arc-enabled servers. - ```powershell - az login -u $env:SPN_CLIENT_ID -p $env:SPN_CLIENT_SECRET -t $env:SPN_TENANT_ID --service-principal +You can use Azure CLI or Azure PowerShell to connect to one of the Azure Arc-enabled servers using SSH. Open a PowerShell session and use the below commands. +1. From the _ArcBox-Client_ VM, open a PowerShell session in Windows Terminal and use the below commands to connect to **ArcBox-Ubuntu-01** using SSH: + +**Azure CLI** + + ```shell $serverName = "ArcBox-Ubuntu-01" - $localUser = "arcdemo" + $localUser = "jumpstart" + az ssh arc --resource-group $Env:resourceGroup --name $serverName --local-user $localUser - ``` + ``` + + ![Screenshot showing usage of SSH via Azure CLI](./ssh_via_az_cli_01.png) + +> **Note:** You are not prompted for a password since ArcBox includes an SSH key-pair installed on ArcBox client VM and the hybrid Linux VMs. 
+ +or - > **Note:** Server-side SSH is being provisioned asynchronously to the VMs in the automated provisioning scripts, so it might take up to 5 minutes after the ArcBox deployment scripts is finished until the _az ssh_ commands will run successfully. +**Azure PowerShell** - ![Screenshot showing usage of SSH via Azure CLI](./ssh_via_az_cli_01.png) + ```PowerShell + $serverName = "ArcBox-Ubuntu-01" + $localUser = "jumpstart" + Enter-AzVM -ResourceGroupName $Env:resourceGroup -Name $serverName -LocalUser $localUser + ``` - ![Screenshot showing usage of SSH via Azure CLI](./ssh_via_az_cli_02.png) +![Screenshot showing usage of SSH via Azure CLI](./ssh_via_az_ps_01.png) - Following the previous method, you can also use Azure CLI to connect to one of the Azure Arc-enabled servers, Hyper-V Windows Server virtual machines via SSH. ```powershell - az login -u $env:SPN_CLIENT_ID -p $env:SPN_CLIENT_SECRET -t $env:SPN_TENANT_ID --service-principal + az login --identity $serverName = "ArcBox-Win2K22" $localUser = "Administrator" 
@@ -326,28 +302,191 @@ After deployment is complete, its time to start exploring ArcBox. Most interacti az ssh arc --resource-group $Env:resourceGroup --name $serverName --local-user $localUser ``` - ![Screenshot showing usage of SSH via Azure CLI](./ssh_via_az_cli_03.png) +Following the previous method, connect to _ArcBox-Win2K22_ via SSH. - ![Screenshot showing usage of SSH via Azure CLI](./ssh_via_az_cli_04.png) +**Azure CLI** -- In addition to SSH, you can also use Azure CLI to connect to one of the Azure Arc-enabled servers, Hyper-V Windows Server virtual machines using Remote Desktop tunneled via SSH. + ```shell + $serverName = "ArcBox-Win2K22" + $localUser = "Administrator" + az ssh arc --resource-group $Env:resourceGroup --name $serverName --local-user $localUser + ``` - ```powershell - az login -u $env:SPN_CLIENT_ID -p $env:SPN_CLIENT_SECRET -t $env:SPN_TENANT_ID --service-principal +or + +**Azure PowerShell** + ```PowerShell $serverName = "ArcBox-Win2K22" $localUser = "Administrator" + Enter-AzVM -ResourceGroupName $Env:resourceGroup -Name $serverName -LocalUser $localUser + ``` + + ![Screenshot showing usage of SSH via Azure CLI](./ssh_via_az_cli_03.png) + ![Screenshot showing usage of SSH via Azure CLI](.//ssh_via_az_cli_04.png) + +In addition to SSH, you can also connect to the Azure Arc-enabled servers, Windows Server virtual machines using **Remote Desktop** tunneled via SSH. + +**Azure CLI** + + ```shell + $serverName = "ArcBox-Win2K22" + $localUser = "Administrator" az ssh arc --resource-group $Env:resourceGroup --name $serverName --local-user $localUser --rdp ``` +or + +**Azure PowerShell** + + ```PowerShell + $serverName = "ArcBox-Win2K22" + $localUser = "Administrator" + Enter-AzVM -ResourceGroupName $Env:resourceGroup -Name $serverName -LocalUser $localUser -Rdp + ``` + ![Screenshot showing usage of Remote Desktop tunnelled via SSH](./rdp_via_az_cli.png) -### ArcBox Azure Monitor workbook +### Microsoft Entra ID based SSH Login + +1. 
The _Entra ID based SSH Login – Azure Arc VM extension_ can be added from the extensions menu of the Arc server in the Azure portal. The Azure AD login extension can also be installed locally via a package manager via `apt-get install aadsshlogin` or the following command: + + ```shell + $serverName = "ArcBox-Ubuntu-01" + az connectedmachine extension create --machine-name $serverName --resource-group $Env:resourceGroup --publisher Microsoft.Azure.ActiveDirectory --name AADSSHLogin --type AADSSHLoginForLinux --location $env:azureLocation + ``` + +2. Configure role assignments for the Arc-enabled server _ArcBox-Ubuntu-01_ using the Azure portal. Two Azure roles are used to authorize VM login: + - **Virtual Machine Administrator Login**: Users who have this role assigned can log in to an Azure virtual machine with administrator privileges. + - **Virtual Machine User Login**: Users who have this role assigned can log in to an Azure virtual machine with regular user privileges. -Open the [ArcBox Azure Monitor workbook documentation](/azure_jumpstart_arcbox/workbook/flavors/ITPro/) and explore the visualizations and reports of hybrid cloud resources. +3. 
After assigning one of the two roles for your personal Entra ID user account, run the following command to connect to _ArcBox-Ubuntu-01_ using SSH and AAD/Entra ID-based authentication: + +**Azure CLI** + + ```shell + # Log out from the Service Principal context + az logout + + # Log in using your personal account + az login - ![Screenshot showing Azure Monitor workbook usage](./workbook.png) + $serverName = "ArcBox-Ubuntu-01" + + az ssh arc --resource-group $Env:resourceGroup --name $serverName + ``` + +or + +**Azure PowerShell** + + ```PowerShell + # Log out from the Service Principal context + Disconnect-AzAccount + + # Log in using your personal account + Connect-AzAccount + $serverName = "ArcBox-Ubuntu-01" + + Enter-AzVM -ResourceGroupName $Env:resourceGroup -Name $serverName + ``` + +### PowerShell remoting to Azure Arc-enabled servers + +[PowerShell remoting over SSH](https://learn.microsoft.com/powershell/scripting/security/remoting/ssh-remoting-in-powershell) is available for Windows and Linux machines. + +[SSH for Arc-enabled servers](https://learn.microsoft.com/azure/azure-arc/servers/ssh-arc-powershell-remoting) enables SSH based PowerShell remoting connections to Arc-enabled servers without requiring a public IP address or additional open ports. + +You can use Azure CLI or Azure PowerShell to generate an SSH proxy configuration file to one of the Azure Arc-enabled servers. + +1. 
From the _ArcBox-Client_ VM, open a PowerShell session in Windows Terminal and use the below commands to connect to **ArcBox-Ubuntu-01** using SSH: + +**Azure CLI** + + ```shell + $serverName = "ArcBox-Ubuntu-01" + $localUser = "jumpstart" + $configFile = "C:\ArcBox\$serverName" + + az extension add --name ssh + + az ssh config --resource-group $Env:resourceGroup --name $serverName --local-user $localUser --resource-type Microsoft.HybridCompute --file "C:\ArcBox\$serverName" + ``` + +Expected output: + +![Screenshot showing usage of PowerShell Remoting tunnelled via SSH](./ps_remoting_via_ssh_01.png) + +or + +**Azure PowerShell** + +```PowerShell + Install-Module -Name Az.Ssh -Scope CurrentUser -Repository PSGallery + Install-Module -Name Az.Ssh.ArcProxy -Scope CurrentUser -Repository PSGallery + + $serverName = "ArcBox-Ubuntu-01" + $localUser = "jumpstart" + $configFile = "C:\ArcBox\$serverName" + + Export-AzSshConfig -ResourceGroupName $Env:resourceGroup -Name $serverName -LocalUser $localUser -ResourceType Microsoft.HybridCompute/machines -ConfigFilePath "C:\ArcBox\$serverName" +``` + +Expected output: + + ![Screenshot showing usage of PowerShell Remoting tunnelled via SSH](./ps_remoting_via_ssh_02.png) + +2. Next, we need to extract the values for the SSH proxy command: + +```PowerShell + # Use a regex pattern to find the ProxyCommand line and extract its value + $proxyCommandPattern = 'ProxyCommand\s+"([^"]+)"\s+-r\s+"([^"]+)"' + $match = Select-String -Path $configFile -Pattern $proxyCommandPattern + + $proxyCommandValue1 = [regex]::Match($match.Line, $proxyCommandPattern).Groups[1].Value + $proxyCommandValue2 = [regex]::Match($match.Line, $proxyCommandPattern).Groups[2].Value + $fullProxyCommandValue = "`"$proxyCommandValue1 -r $proxyCommandValue2`"" + + $options = @{ ProxyCommand = $fullProxyCommandValue } +``` + +3. 
Lastly, we can leverage native PowerShell remoting constructs to interact with the remote machine: + +```PowerShell + # Create PowerShell Remoting session + New-PSSession -HostName $serverName -UserName $localUser -Options $options -OutVariable session + + # Run a command + Invoke-Command -Session $session -ScriptBlock {Write-Output "Hello $(whoami) from $(hostname)"} + + # Enter an interactive session + Enter-PSSession -Session $session[0] + + # Disconnect + exit + + # Clean-up + $session | Remove-PSSession +``` + +Expected output: + +![Screenshot showing usage of PowerShell Remoting tunnelled via SSH](./ps_remoting_via_ssh_03.png) + +### ArcBox Azure Monitor workbooks + +Two Azure Monitor workbooks are included in ArcBox for IT Pro. + +One contains inventory information: + +![Screenshot showing Azure Monitor workbook usage](./workbook.png) + +The other contains performance data: + +![Screenshot showing Azure Monitor workbook usage](./workbook_performance.png) + +Open the [ArcBox Azure Monitor workbook documentation](/azure_jumpstart_arcbox/workbook/flavors/ITPro/) to get more information and explore the included visualizations and reports of hybrid cloud resources. ### Azure Update Manager 
@@ -361,14 +500,81 @@ As part of the deployment, one on-demand assessment triggered. This means any available updates can be viewed immidiately after a successful deployment when navigating to the Updates-blade for the hybrid machines. -Example from Linux machine: +Example from a Linux machine: ![Screenshot showing available updates for Linux machine](./azure-update-manager-1.png) -Example from Windows machine: +Example from a Windows machine: ![Screenshot showing available updates for Windows machine](./azure-update-manager-2.png) +### SSH Posture Control + +[SSH Posture Control](https://learn.microsoft.com/azure/osconfig/overview-ssh-posture-control-mc) enables you to audit and configure SSH Server security posture on supported Linux distros including Ubuntu, Red Hat, Azure Linux, and more. + +In ArcBox, an Azure policy assignment is included for an SSH Posture Control policy in audit-only mode. + +To inspect the compliance status of the assigned policy, perform the following: + +1. Navigate to the resource group you have deployed ArcBox to and select on of the Arc-enabled Linux machines. For this example, we are using _Arcbox-Ubuntu-01_: + +![Screenshot showing ArcBox resource group](./ssh_posture_control_01.png) + +2. Navigate to _Machine Configuration_ in the menu on the left side: + +![Screenshot showing Arcbox-Ubuntu-01](./ssh_posture_control_02.png) + +3. Click on the configuration name starting with _LinuxSshServerSecurityBaseline*_: + +![Screenshot showing assigned configurations](./ssh_posture_control_03.png) + +4. Click on the highlighted dropdown menu and select the checkbox _Compliant_. Now you should see all settings included in the SSH Posture Control policy: + +![Screenshot showing configuration settings](./ssh_posture_control_04.png) + +5. The compliance information is also available via Azure Resource Graph for reporting at scale across multiple machines. 
Navigate to "Azure Resource Graph Explorer" in the Azure portal: + +![Screenshot showing Azure Resource Graph Explorer](./resource_graph_explorer_01.png) + +6. Paste the following query into the query window and click _Run query_: + +``` +// SSH machine counts by compliance status +guestconfigurationresources +| where name contains "LinuxSshServerSecurityBaseline" +| extend complianceStatus = tostring(properties.complianceStatus) +| summarize machineCount = count() by complianceStatus +``` + +![Screenshot showing Azure Resource Graph Explorer](./ssh_posture_control_05.png) + +7. Paste the following query into the query window and click _Run query_: + +``` +// SSH rule level detail +GuestConfigurationResources +| where name contains "LinuxSshServerSecurityBaseline" +| project report = properties.latestAssignmentReport, + machine = split(properties.targetResourceId,'/')[-1], + lastComplianceStatusChecked=properties.lastComplianceStatusChecked +| mv-expand report.resources +| project machine, + rule = report_resources.resourceId, + ruleComplianceStatus = report_resources.complianceStatus, + ruleComplianceReason = report_resources.reasons[0].phrase, + lastComplianceStatusChecked +``` + +![Screenshot showing Azure Resource Graph Explorer](./ssh_posture_control_06.png) + + +To learn more about how to configure the settings in audit-and-configure mode, check out the [documentation](https://learn.microsoft.com/azure/osconfig/overview-ssh-posture-control-mc). + +If you are interested to learn how to create your own configurations for Machine Configuration, check out the following related Jumpstart scenarios: + +- [Create Automanage Machine Configuration custom configurations for Linux](https://azurearcjumpstart.io/azure_arc_jumpstart/azure_arc_servers/day2/arc_automanage/arc_automanage_machine_configuration_custom_linux). 
+- [Create Automanage Machine Configuration custom configurations for Windows](https://azurearcjumpstart.io/azure_arc_jumpstart/azure_arc_servers/day2/arc_automanage/arc_automanage_machine_configuration_custom_windows). + ### Arc-enabled SQL Server - Best practices assessment As part of the ArcBox deployment, SQL Server best practices assessment is configured and run. Open _ArcBox-SQL_ Arc-enabled SQL Server resource from the resource group deployed or Azure Arc service blade to view SQL Server best practice assessment results. @@ -406,7 +612,7 @@ Please note it may take some time to show this status in the Azure portal, but s ![Screenshot showing Defender for SQL test scripts](./sql-defender-testing-script.png) -- Open PowerShell window and change the directory to _C:\ArcBox\agentScript_ folder and run _testDefenderForSQL.ps1_ PowerShell script to generate Defender for SQL incidents and alerts. +- Open a PowerShell window and change the directory to _C:\ArcBox_ folder and run _testDefenderForSQL.ps1_ PowerShell script to generate Defender for SQL incidents and alerts. ![Screenshot showing manual execution of the test scripts](./manual-brute-force-test.png) @@ -417,11 +623,13 @@ Please note it may take some time to show this status in the Azure portal, but s The following tools are including on the _ArcBox-Client_ VM. -- WinGet -- Visual Studio Code +- Azure CLI +- Azure PowerShell - Git -- Windows Terminal - PowerShell 7 +- Visual Studio Code +- Windows Terminal +- WinGet ### Next steps 
@@ -450,11 +658,6 @@ az group delete -n Occasionally deployments of ArcBox may fail at various stages. Common reasons for failed deployments include: -- Invalid SSH public key provided in _azuredeploy.parameters.json_ file. - - An example SSH public key is shown here. Note that the public key includes "ssh-rsa" at the beginning. The entire value should be included in your _azuredeploy.parameters.json_ file. - -![Screenshot showing SSH public key example](./ssh_example.png) - - Not enough vCPU quota available in your target Azure region - check vCPU quota and ensure you have at least 16 available. See the [prerequisites](#prerequisites) section for more details. - Target Azure region does not support all required Azure services - ensure you are running ArcBox in one of the supported regions listed in the above section "ArcBox Azure Region Compatibility". - "BadRequest" error message when deploying - this error returns occasionally when the Log Analytics solutions in the ARM templates are deployed. Typically, waiting a few minutes and re-running the same deployment resolves the issue. Alternatively, you can try deploying to a different Azure region. @@ -472,6 +675,7 @@ Occasionally, you may need to review log output from scripts that run on the _Ar | _C:\ArcBox\Logs\Bootstrap.log_ | Output from the initial bootstrapping script that runs on _ArcBox-Client_. | | _C:\ArcBox\Logs\ArcServersLogonScript.log_ | Output of ArcServersLogonScript.ps1 which configures the Hyper-V host and guests and onboards the guests as Azure Arc-enabled servers. | | _C:\ArcBox\Logs\MonitorWorkbookLogonScript.log_ | Output from MonitorWorkbookLogonScript.ps1 which deploys the Azure Monitor workbook. | +| _C:\ArcBox\Logs\WinGet-provisioning-*.log_ | Output from WinGet.ps1 which installs WinGet and applies WinGet Configuration. | ![Screenshot showing ArcBox logs folder on ArcBox-Client](./troubleshoot_logs.png) 
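Review bot: In the `@@ -106,37 +106,6 @@` hunk, the unchanged context line "Click the button and enter values for the the ARM template parameters." still has a doubled "the"; since this hunk rewrites the surrounding prerequisites anyway, fix it to "enter values for the ARM template parameters".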
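Review bot: In the `@@ -183,15 +153,28 @@` hunk, the new Azure PowerShell block is fenced as ```shell while every other PowerShell block added by this patch uses ```PowerShell; tag it the same way so the site highlights it correctly. The same block assigns `$Location= ""` but passes `$location` to `New-AzResourceGroup -Name $RGname -Location $location`; variable names are case-insensitive in PowerShell so it runs, but use one spelling (and a space before `=`) to avoid confusing readers who copy it.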
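Review bot: In the `@@ -240,7 +223,7 @@` hunk, the rewritten security note reads "RDP (3389) port are not open by default"; make it "the RDP port (3389) is not open by default". In the logon-script bullet, "overriden" should be "overridden", "parameters-file" should be "parameters file", and "manually logon" should be "manually log on". Because `vmAutologon` decides whether the scripts run with nobody at the console, it would help to state the parameter's default value here so a reader knows which behaviour to expect without opening the parameters file.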
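Review bot: In the `@@ -248,33 +231,9 @@` hunk, "If so, inspect the log files" follows a sentence phrased in the negative ("does not indicate any failures"), so "if so" reads as "if it does not indicate failures"; reword to "If it does, inspect the log files ...". The sentence ending "[troubleshooting guide](#basic-troubleshooting)" is missing its full stop, and the re-added `![Screenshot showing ArcBox resources in Azure portal](./rg_arc.png)` line is indented by three spaces under a plain paragraph, which Markdown renderers may treat as a continuation of that paragraph; remove the indentation.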
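Review bot: In the `@@ -287,38 +246,55 @@` hunk, the replacement of `az login -u $env:SPN_CLIENT_ID ...` with `+ az login --identity` leaves an orphaned ```powershell block (`az login --identity`, `$serverName = "ArcBox-Win2K22"`, `$localUser = "Administrator"`, `az ssh arc ...`) sitting directly after the `ssh_via_az_ps_01.png` screenshot with no introductory sentence, because the "Following the previous method, you can also use Azure CLI ..." line that used to introduce it is deleted here and re-added after the block in the next hunk; either delete this leftover block or move the `az login --identity` step up to the first `az ssh arc` call where a login is actually needed. The removed note about server-side SSH being provisioned asynchronously ("might take up to 5 minutes after the ArcBox deployment scripts is finished until the _az ssh_ commands will run successfully") describes a timing failure readers will hit; unless the provisioning is now synchronous, keep the note. Smaller points: the intro sentence "You can use Azure CLI or Azure PowerShell to connect ... Open a PowerShell session and use the below commands." is repeated almost verbatim by list item 1, and the list has no item 2, so merge them into one unnumbered sentence; the Azure CLI block assigns PowerShell variables (`$serverName = "ArcBox-Ubuntu-01"`) but is fenced ```shell, so tag it ```PowerShell like its sibling; and the new note "You are not prompted for a password since ArcBox includes an SSH key-pair installed on ArcBox client VM and the hybrid Linux VMs" should say where on the client the private key is stored and that this pre-shared key is a sandbox convenience, since it grants passwordless access to every nested Linux VM and readers should not copy the pattern into a production Arc estate.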
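Review bot: In the `@@ -326,28 +302,191 @@` hunk, the new **Azure CLI** block for _ArcBox-Win2K22_ duplicates the leftover `az login --identity` block left at the end of the previous hunk, so the Windows SSH commands appear twice in a row; keep one. The added comment `# Log out from the Service Principal context` (in both the `az logout` and `Disconnect-AzAccount` blocks) contradicts the `az login --identity` added earlier in this patch, which logs in with a managed identity, not a service principal; state once which identity the client VM session uses and use the same wording in both places, and note that after `az logout` / `Disconnect-AzAccount` every later command that uses `$Env:resourceGroup` (including the `az ssh config` / `Export-AzSshConfig` steps) runs under the personal account, which therefore needs the required permissions on the resource group. In the Entra ID section, "installed locally via a package manager via `apt-get install aadsshlogin` or the following command" is misleading because `az connectedmachine extension create ... --type AADSSHLoginForLinux` installs the extension through Azure, not locally; say "locally via `apt-get install aadsshlogin`, or as an Arc extension with the following command"; the heading says "Entra ID" while the sentence says "Azure AD login extension" and step 3 says "AAD/Entra ID-based", so pick one name; and the two role descriptions speak of "an Azure virtual machine" although the target is an Arc-enabled server. The image path `(.//ssh_via_az_cli_04.png)` has a doubled slash, and both `ssh_via_az_cli_03.png` / `ssh_via_az_cli_04.png` are now placed after the Azure PowerShell block although their captions say "via Azure CLI". In the PowerShell remoting section, step 1 says "use the below commands to connect to **ArcBox-Ubuntu-01** using SSH" but the commands only generate the SSH config file, so reword; `$configFile = "C:\ArcBox\$serverName"` is assigned but the literal path is then passed to `--file` and `-ConfigFilePath`, so pass `$configFile` instead; `az extension add --name ssh` appears here although `az ssh arc` was already used several sections earlier, so move it to the first use or drop it; and `--resource-type Microsoft.HybridCompute` (CLI) versus `-ResourceType Microsoft.HybridCompute/machines` (PowerShell) should be checked against each tool's accepted values so the two blocks are not silently different. In step 2, `$fullProxyCommandValue = "`"$proxyCommandValue1 -r $proxyCommandValue2`""` collapses two separately quoted paths into a single quoted string, so a space in either path (such as the relay-information file the generated config refers to) breaks the ProxyCommand; keep each segment quoted, e.g. `"`"$proxyCommandValue1`" -r `"$proxyCommandValue2`""`, and note that `$match.Line` assumes `Select-String` found exactly one ProxyCommand line.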
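Review bot: In the `@@ -361,14 +500,81 @@` hunk, step 1 has "select on of the Arc-enabled Linux machines" (should be "one of"), step 3 has a stray asterisk inside the italics in `_LinuxSshServerSecurityBaseline*_`, and the unchanged context above still reads "one on-demand assessment triggered" (missing "is") and "immidiately". The two Resource Graph queries spell the table differently (`guestconfigurationresources` and `GuestConfigurationResources`); use one spelling, and tag both fences (```kusto) since every other block in the patch is tagged. Because the assignment is described as "audit-only mode", add one sentence making explicit that the policy reports compliance but does not change any sshd setting, so the non-compliant rows returned by the rule-level query are expected and do not mean the machines have been hardened.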
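Review bot: In the `@@ -450,11 +658,6 @@` hunk, the surviving bullet "ensure you are running ArcBox in one of the supported regions listed in the above section 'ArcBox Azure Region Compatibility'" now points at content that no longer exists, because the `@@ -106,37 +106,6 @@` hunk deletes the supported-region list and there is no section with that title; either restore the region list or change the bullet to link to wherever the supported regions are now documented. Removing the "Invalid SSH public key" bullet is consistent with the `sshRSAPublicKey` parameter being dropped in the `@@ -164,7 +133,6 @@` hunk.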
diff --git a/docs/azure_jumpstart_arcbox/ITPro/arcbox_complete.png b/docs/azure_jumpstart_arcbox/ITPro/arcbox_complete.png index 66d53c7b..b5f5df3e 100644 Binary files a/docs/azure_jumpstart_arcbox/ITPro/arcbox_complete.png and b/docs/azure_jumpstart_arcbox/ITPro/arcbox_complete.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/arch_itpro.png b/docs/azure_jumpstart_arcbox/ITPro/arch_itpro.png index 5df77c1f..bf77855a 100644 Binary files a/docs/azure_jumpstart_arcbox/ITPro/arch_itpro.png and b/docs/azure_jumpstart_arcbox/ITPro/arch_itpro.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/automation.png b/docs/azure_jumpstart_arcbox/ITPro/automation.png index 761c7c07..5235e74d 100644 Binary files a/docs/azure_jumpstart_arcbox/ITPro/automation.png and b/docs/azure_jumpstart_arcbox/ITPro/automation.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/deploymentflow.png b/docs/azure_jumpstart_arcbox/ITPro/deploymentflow.png index 19ae6679..a940c8cd 100644 Binary files a/docs/azure_jumpstart_arcbox/ITPro/deploymentflow.png and b/docs/azure_jumpstart_arcbox/ITPro/deploymentflow.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/parameters_itpro_bicep.png b/docs/azure_jumpstart_arcbox/ITPro/parameters_itpro_bicep.png index f97e040d..14923ddd 100644 Binary files a/docs/azure_jumpstart_arcbox/ITPro/parameters_itpro_bicep.png and b/docs/azure_jumpstart_arcbox/ITPro/parameters_itpro_bicep.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/ps_remoting_via_ssh_01.png b/docs/azure_jumpstart_arcbox/ITPro/ps_remoting_via_ssh_01.png new file mode 100644 index 00000000..90b3cc32 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/ITPro/ps_remoting_via_ssh_01.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/ps_remoting_via_ssh_02.png b/docs/azure_jumpstart_arcbox/ITPro/ps_remoting_via_ssh_02.png new file mode 100644 index 00000000..8939eb01 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/ITPro/ps_remoting_via_ssh_02.png differ 
diff --git a/docs/azure_jumpstart_arcbox/ITPro/ps_remoting_via_ssh_03.png b/docs/azure_jumpstart_arcbox/ITPro/ps_remoting_via_ssh_03.png new file mode 100644 index 00000000..c9439df7 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/ITPro/ps_remoting_via_ssh_03.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/rdp_via_az_cli.png b/docs/azure_jumpstart_arcbox/ITPro/rdp_via_az_cli.png index 00afb27e..8d5229f8 100644 Binary files a/docs/azure_jumpstart_arcbox/ITPro/rdp_via_az_cli.png and b/docs/azure_jumpstart_arcbox/ITPro/rdp_via_az_cli.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/resource_graph_explorer_01.png b/docs/azure_jumpstart_arcbox/ITPro/resource_graph_explorer_01.png new file mode 100644 index 00000000..6a19c82b Binary files /dev/null and b/docs/azure_jumpstart_arcbox/ITPro/resource_graph_explorer_01.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/rg_arc.png b/docs/azure_jumpstart_arcbox/ITPro/rg_arc.png index dbf6b914..cdc5815a 100644 Binary files a/docs/azure_jumpstart_arcbox/ITPro/rg_arc.png and b/docs/azure_jumpstart_arcbox/ITPro/rg_arc.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_01.png b/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_01.png new file mode 100644 index 00000000..51d22eb5 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_01.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_02.png b/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_02.png new file mode 100644 index 00000000..f4acb093 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_02.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_03.png b/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_03.png new file mode 100644 index 00000000..35d968e8 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_03.png differ 
diff --git a/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_04.png b/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_04.png new file mode 100644 index 00000000..c798204c Binary files /dev/null and b/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_04.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_05.png b/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_05.png new file mode 100644 index 00000000..d362bcd7 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_05.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_06.png b/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_06.png new file mode 100644 index 00000000..c9cc57cd Binary files /dev/null and b/docs/azure_jumpstart_arcbox/ITPro/ssh_posture_control_06.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/ssh_via_az_cli_01.png b/docs/azure_jumpstart_arcbox/ITPro/ssh_via_az_cli_01.png index 15d98874..2555e072 100644 Binary files a/docs/azure_jumpstart_arcbox/ITPro/ssh_via_az_cli_01.png and b/docs/azure_jumpstart_arcbox/ITPro/ssh_via_az_cli_01.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/ssh_via_az_ps_01.png b/docs/azure_jumpstart_arcbox/ITPro/ssh_via_az_ps_01.png new file mode 100644 index 00000000..e0420397 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/ITPro/ssh_via_az_ps_01.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/troubleshoot_logs.png b/docs/azure_jumpstart_arcbox/ITPro/troubleshoot_logs.png index fcd18e07..da1dc292 100644 Binary files a/docs/azure_jumpstart_arcbox/ITPro/troubleshoot_logs.png and b/docs/azure_jumpstart_arcbox/ITPro/troubleshoot_logs.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/unifiedops.png b/docs/azure_jumpstart_arcbox/ITPro/unifiedops.png index eccedf88..97f37d70 100644 Binary files a/docs/azure_jumpstart_arcbox/ITPro/unifiedops.png and b/docs/azure_jumpstart_arcbox/ITPro/unifiedops.png differ 
diff --git a/docs/azure_jumpstart_arcbox/ITPro/workbook.png b/docs/azure_jumpstart_arcbox/ITPro/workbook.png index 3185be61..5c8cd618 100644 Binary files a/docs/azure_jumpstart_arcbox/ITPro/workbook.png and b/docs/azure_jumpstart_arcbox/ITPro/workbook.png differ diff --git a/docs/azure_jumpstart_arcbox/ITPro/workbook_performance.png b/docs/azure_jumpstart_arcbox/ITPro/workbook_performance.png new file mode 100644 index 00000000..842ea493 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/ITPro/workbook_performance.png differ diff --git a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/_index.md b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/_index.md index dd33daf7..5e97d7cf 100644 --- a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/_index.md +++ b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/_index.md 
@@ -4,15 +4,15 @@ weight: 99 toc_hide: true --- -# Jumpstart ArcBox for IT Pros - Azure Monitor Workbook +# Jumpstart ArcBox for IT Pros - Azure Monitor Workbooks ArcBox for IT Pros is a special "flavor" of ArcBox that is intended for users who want to experience Azure Arc-enabled servers capabilities in a sandbox environment. This document provides specific guidance on the included ArcBox [Azure Monitor Workbook](https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-overview). Please refer to the main [ArcBox documentation](/azure_jumpstart_arcbox/) for information on deploying and using ArcBox. -As part of ArcBox for IT Pros, an Azure Monitor workbook is deployed to provide a single pane of glass for monitoring and reporting on ArcBox resources. Using Azure's management and operations tools in hybrid, multi-cloud and edge deployments provides the consistency needed to manage each environment through a common set of governance and operations management practices. The Azure Monitor workbook acts as a flexible canvas for data analysis and visualization in the Azure portal, gathering information from several data sources from across ArcBox and combining them into an integrated interactive experience. +As part of ArcBox for IT Pros, two Azure Monitor workbooks is deployed to provide a single pane of glass for monitoring and reporting on ArcBox resources. Using Azure's management and operations tools in hybrid, multi-cloud and edge deployments provides the consistency needed to manage each environment through a common set of governance and operations management practices. The Azure Monitor workbooks acts as a flexible canvas for data analysis and visualization in the Azure portal, gathering information from several data sources from across ArcBox and combining them into an integrated interactive experience. 
> **Note:** Due to the number of Azure resources included in a single ArcBox deployment and the data ingestion and analysis required, it is expected that metrics and telemetry for the workbook can take several hours to be fully available. -## Access the ArcBox for IT Pros workbook +## Access the ArcBox for IT Pros workbooks The Jumpstart ArcBox workbook is automatically deployed for you as part of ArcBox's advanced automation. To access the Jumpstart ArcBox workbook use the Azure portal to follow the next steps. @@ -20,19 +20,23 @@ The Jumpstart ArcBox workbook is automatically deployed for you as part of ArcBo ![Workbook Gallery](./azure_workbook.png) +Click on the workbook you want to open and select _Open Workbook_: + ![Workbook Gallery](./open_workbook.png) -- The Jumpstart ArcBox for IT Pros Workbook will be displayed. +- The selected Jumpstart ArcBox for IT Pros Workbook will be displayed. - ![ArcBox for IT Pros workbook overview](./workbook_overview.png) +**Inventory workbook** -## ArcBox for IT Pros Workbook capabilities +![ArcBox for IT Pros workbook overview](./workbook_inventory.png) + +**Performance workbook** -The ArcBox for IT Pros Workbook is a single report that combines data from different sources and services, providing a unified view across resources, enabling richer data and insights for unified operations. +![ArcBox for IT Pros workbook overview](./workbook_performance.png) -The Workbook is organized into several tabs that provide easier navigation and separation of concerns. +## ArcBox for IT Pros Workbook capabilities -![Tab Menu](./tab_menu.png) +The ArcBox for IT Pros Workbooks combines data from different sources and services, providing a unified view across resources, enabling richer data and insights for unified operations. ### Inventory 
@@ -40,118 +44,34 @@ By using Azure Arc, your on-premises and multi-cloud resources become visible th The "Inventory" tab in the ArcBox for IT Pros Workbook has three sections: -- _parameters_ - use the drop-down menu to select your subscription and resource group, you also get the option to filter the report by resource type. +Overall status and policy compliance: - ![Inventory Parameters](./inventory_parameters.png) + ![Inventory](./inventory_01.png) -- _Resource Count by Type_ - this visualization shows the number of resources by type within a resource group, these grouping will be automatically refreshed if the parameters section is changed. +Update status: - ![Inventory Resource by type](./inventory_count_by_type.png) + ![Update status](./inventory_02.png) -- _Resource List_ - this table shows a list of resources in the resource group provided in the parameters section. This is an interactive list, therefore you can click on any resource or tag for additional information. +Active alerts in Defender for Cloud: - ![Inventory Resource List](./inventory_resource_list.png) + ![Update status](./inventory_03.png) ### Monitoring Enabling a resource in Azure Arc gives you the ability to perform configuration management and monitoring tasks on those services as if they were first-class citizens in Azure. You are able to monitor your connected machine guest operating system performance at the scope of the resource with VM insights. In ArcBox for IT Pros the Azure Arc-enabled servers have been onboarded onto Azure Monitor. -The "Monitoring" tab of the Jumpstart Workbook shows metrics and alerts for ArcBox for IT Pros resources organized in three sections: - -- _Alert Summary_ - Shows an overview of alerts organized by severity and status. You can use the drop-down menus to apply filters to the report. The following filters are available: - - Subscription: select one or multiple subscriptions in your environment to show available alerts. 
- - Resource Group: select one or more resource groups in your environment to show available alerts. - - Resource Type: select one or multiple resource types to show its alerts. - - Resources: select individual resources by name to visualize their alerts. - - Time Range: provide a time range in which the alert has been created. - - State: choose the alert type between New, Acknowledged, or Closed. - - ![Monitoring Alert Summary](./monitoring_alert_summary.png) - -- _Azure Arc-enabled servers_ - Shows metrics for CPU and memory usage on the Azure Arc-enabled servers. Use the parameters section to select the Azure Arc-enabled server as well as a time range to visualize the data. - - ![Monitoring Azure Arc-enabled server Metrics](./monitoring_arc_servers.png) - -### Microsoft Defender for Cloud - -Microsoft Defender for Cloud can monitor the security posture of your hybrid and multi-cloud deployments that have been onboarded onto Azure Arc. Once those deployments are registered in Azure, you can take care of the security baseline and audit, apply, or automate requirements from recommended security controls as well as identify and provide mitigation guidance for security-related business risks. - -The "Security" tab of the Jumpstart Workbook shows insights from Microsoft Defender for Cloud assessments. To be able to use this report, you will need to configure "continuous export" capability to export Microsoft Defender for Cloud's data to ArcBox's Log Analytics workspace: - -- From Microsoft Defender for Cloud's sidebar, select Environment Settings. - - ![Microsoft Defender for Cloud Configuration](./security_center_config_1.png) - -- Select the specific subscription for which you want to configure the data export. 
- - ![Microsoft Defender for Cloud Configuration](./security_center_config_2.png) - -- From the sidebar of the settings page for that subscription, select Continuous Export, set the export target to the Log Analytics workspace, and set the data types to Security recommendations and Secure Score (Preview) and leave the export frequency at the default values. - - ![Microsoft Defender for Cloud Configuration](./security_center_config_3.png) - -- Make sure to select ArcBox's subscription, resource group, and Log Analytics workspace as the export target. Select Save. - - ![Microsoft Defender for Cloud Configuration](./security_center_config_4.png) - -Once configured, the report will provide an overview of the secure score, you can filter information by using the parameters section: - -- _Workspace_ - Select one or multiple Log Analytics workspaces. - -- _Time Range_ - Filter the data of the report to one of the predefined time ranges. - - ![Security parameters](./security_parameters.png) - - With this report you will get several visualizations: - - - _Current score trends per subscription_ - - ![Security workbook trends](./security_trends.png) - - - _Aggregated score for selected subscriptions over time_ - - ![Security workbook aggregated score](./security_score.png) - - - _Top recommendations with the recent increase in unhealthy resources_ - - ![Security tab top recommendations](./security_recommendations.png) - - - _Security controls scores over time (weekly)_ - - ![Security controls scores overtime](./security_controls.png) - - - _Resources changed over time_ - To view changes over time on a specific recommendation, please select any from the list above. - - ![Resources changed overtime](./security_changes.png) - - ![Resources changed overtime selected resources](./security_changes_resource.png) - -This part of the workbook also includes a section dedicated to agent monitoring. 
For Azure Defender to be able to monitor an Azure Arc-enabled-servers certain configurations have to be in place and the workbook will help visualize machines that may not be properly reporting to the Log Analytics workspace. - -In the parameters section select the Log Analytics workspace used by ArcBox. - - ![Agent Management](./agentmgmt_parameters.png) - -From within the Agent Monitoring section you will get several tabs: - -- _Overview_ - with three visualizations: - - - _Azure Monitor Agent installation status_ shows the Azure Monitor Agent installation status as reported by Microsoft Defender for Cloud. - - ![Azure Monitor Agent installation status](./agentmgmt_overviewstatus.png) - - - _Azure Monitor Agent reporting status_ shows the current Azure Monitor Agent reporting status of the Azure Arc-enabled servers. Machines that are sending current heartbeat information within the last 15 minutes are considered as currently reporting. +The _Azure Arc-enabled servers OS Performance_ Workbook shows metrics and alerts for ArcBox for IT Pros resources organized in three sections: - ![Azure Monitor Agent reporting status](./agentmgmt_overviewsreport.png) +- _Operating System - Performance and capacity_ - Shows metrics for CPU and memory usage on the Azure Arc-enabled servers. - - _Azure Defender coverage_ shows the status of Azure Defender for Servers across all servers that are protected by Microsoft Defender for Cloud. +**CPU metrics** - ![Azure Defender coverage](./agentmgmt_overviewscoverage.png) + ![Monitoring Azure Arc-enabled server Metrics](./monitoring_arc_servers_01.png) -- _Machines not reporting to Log Analytics workspace_ - this has four lists of machines that are not sending heartbeats to the Log Analytics workspace in different periods of time: 15 minutes, 24 hours, 48 hours and 7 days. Please not that there are no machines listed on the image as all of them are properly sending heartbeats to the workspace. 
+**Memory metrics** - ![Machines not reporting](./agentmgmt_machinesnotreport.png) + ![Monitoring Azure Arc-enabled server Metrics](./monitoring_arc_servers_02.png) -- _Security status_ - has a full report of Azure VMs and Azure Arc-enabled-servers security configurations including its Log Analytics workspace and the agent status. +**Disk metrics** - ![Security Status](./agentmgmt_securitystatus.png) + ![Monitoring Azure Arc-enabled server Metrics](./monitoring_arc_servers_03.png) diff --git a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/azure_workbook.png b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/azure_workbook.png index 750fd198..2282de7e 100644 Binary files a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/azure_workbook.png and b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/azure_workbook.png differ diff --git a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/inventory_01.png b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/inventory_01.png new file mode 100644 index 00000000..e91fbd7e Binary files /dev/null and b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/inventory_01.png differ diff --git a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/inventory_02.png b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/inventory_02.png new file mode 100644 index 00000000..b3d75dcd Binary files /dev/null and b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/inventory_02.png differ diff --git a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/inventory_03.png b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/inventory_03.png new file mode 100644 index 00000000..9be3e10f Binary files /dev/null and b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/inventory_03.png differ 
diff --git a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/monitoring_arc_servers_01.png b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/monitoring_arc_servers_01.png new file mode 100644 index 00000000..8c0f9229 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/monitoring_arc_servers_01.png differ diff --git a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/monitoring_arc_servers_02.png b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/monitoring_arc_servers_02.png new file mode 100644 index 00000000..eb217001 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/monitoring_arc_servers_02.png differ diff --git a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/monitoring_arc_servers_03.png b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/monitoring_arc_servers_03.png new file mode 100644 index 00000000..cd6587da Binary files /dev/null and b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/monitoring_arc_servers_03.png differ diff --git a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/open_workbook.png b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/open_workbook.png index 482a8c2b..98565cb6 100644 Binary files a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/open_workbook.png and b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/open_workbook.png differ diff --git a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/workbook_inventory.png b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/workbook_inventory.png new file mode 100644 index 00000000..5c8cd618 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/workbook_inventory.png differ 
diff --git a/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/workbook_performance.png b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/workbook_performance.png new file mode 100644 index 00000000..842ea493 Binary files /dev/null and b/docs/azure_jumpstart_arcbox/workbook/flavors/ITPro/workbook_performance.png differ
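Review bot: subject-verb agreement is off in the rewritten paragraph of the first hunk (@@ -4,15 +4,15 @@): "two Azure Monitor workbooks is deployed" should be "two Azure Monitor workbooks are deployed", and "The Azure Monitor workbooks acts as a flexible canvas" should be "act as a flexible canvas". The unchanged context in the same hunk still uses the singular ("specific guidance on the included ArcBox [Azure Monitor Workbook]" and the Note's "metrics and telemetry for the workbook"), so those sentences should be updated to match the new plural heading "Azure Monitor Workbooks".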
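Review bot: in the second hunk (@@ -20,19 +20,23 @@) both new screenshots carry the same alt text, `![ArcBox for IT Pros workbook overview](./workbook_inventory.png)` and `![ArcBox for IT Pros workbook overview](./workbook_performance.png)`; give each a distinct alt text (Inventory workbook / Performance workbook) so the two images are distinguishable. "The ArcBox for IT Pros Workbooks combines data" should read "combine data", and the unchanged lines "The Jumpstart ArcBox workbook is automatically deployed" and "To access the Jumpstart ArcBox workbook" still describe a single workbook. The hunk also drops the reference to `./tab_menu.png`, but nothing in this patch removes that file; confirm whether it should be deleted along with the other screenshots that are no longer referenced.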
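Review bot: the third hunk (@@ -40,118 +44,34 @@) removes the Microsoft Defender for Cloud "continuous export" setup steps while adding an "Active alerts in Defender for Cloud" section to the Inventory workbook; if that section still reads Defender data out of ArcBox's Log Analytics workspace, the prerequisite must either stay in the document or be replaced by a sentence stating that the ArcBox automation now configures it, otherwise readers will see an empty panel and assume there are no alerts. Smaller points in the same hunk: the alt text for `./inventory_03.png` is "Update status", copied from the previous image, and should describe the Defender alerts; the unchanged line "The "Inventory" tab in the ArcBox for IT Pros Workbook has three sections:" still says "tab" although the tab layout was removed; and "The _Azure Arc-enabled servers OS Performance_ Workbook shows metrics and alerts for ArcBox for IT Pros resources organized in three sections:" is followed by a single bullet with CPU, memory and disk subsections and no alert view (the Alert Summary section is deleted in this hunk), so "and alerts" and "three sections" no longer match the content. The deleted agent-monitoring material, in particular the "Machines not reporting to Log Analytics workspace" lists (15 minutes, 24 hours, 48 hours and 7 days), was the only view that surfaced servers that have stopped sending heartbeats; if that is an intentional drop, the Monitoring section should say where that coverage now lives.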