In this article, you learn how to install Azure connected machine agents for VMware VMs. Installing these agents is a prerequisite to use Azure services for securing, patching, and monitoring your VMs. By using these agents, you can leverage Azure Arc benefits such as Extended Security Updates, pay-as-you-go licensing for Windows Server and SQL servers, and Software Attestation benefits.
You can install Arc agents on VMware VMs through multiple methods. Choose the method that fits your deployment preferences:
- Azure portal
- Programmatic methods such as Azure CLI, Azure PowerShell, Azure REST APIs, Azure SDKs, Terraform, Bicep, and ARM templates. The reference section of this documentation repository has information on the exact syntax.
- Out-of-band methods such as using a Service Principal, System Center Configuration Manager script, System Center Configuration Manager custom task sequence, Group policy, and Ansible playbook.
Prerequisites
Before you install Arc agents at scale for VMware VMs, ensure the following conditions are met:
The resource bridge is running.
The vCenter is in Connected state and its associated Azure Arc resource bridge is in a Running state.
You have the Azure Arc VMware VM Contributor role or a custom Azure role with permissions to install Arc agents on the target machines.
All the target machines are:
- Powered on.
- Running a supported operating system.
- VMware tools are installed on the machines. If you don't install VMware tools, the portal disables the option to enable guest management operation.
Note
Use the out-of-band methods to install Arc agents if VMware tools aren't installed.
- Able to connect through the firewall to communicate over the internet, and these URLs aren't blocked.
Note
If you're using a Linux VM, the account must not prompt for login on sudo commands. To override the prompt, from a terminal, run sudo visudo, and add <username> ALL=(ALL) NOPASSWD:ALL at the end of the file. Ensure you replace <username>.
If your VM template has these changes incorporated, you don't need to make this change for the VM created from that template.
Install Arc agents
This method works only if VMware tools are installed on the target machines. If VMware tools aren't installed, the portal grays out the Enable guest management option. You can install Arc agents by using out-of-band methods.
An administrator can install agents for multiple machines from the Azure portal if the machines share the same administrator credentials.
Go to Azure Arc center and select vCenter resource.
Select all the target machines and choose Enable in Azure option.
Select Enable guest management checkbox to install Arc agents on the selected machines. By using this option, you can use Azure services such as Azure Update Manager, Azure Monitor, Microsoft Defender for Cloud, Azure Policy, Azure Automation, Change Tracking and Inventory, and more to secure, govern, patch, and monitor your virtual machines.
If you enable guest management on any of your machines, based on your organization's network policies, choose the connectivity method for the Arc agents that runs in your VMware VMs to connect to Azure. The available options are Public endpoint, Proxy server, and Private endpoint.
- To connect the Arc agent through a proxy, provide the proxy server details.
- To connect the Arc agent through a private endpoint, follow these steps to set up Azure private link.
Note
Private endpoint connectivity is only available for Arc agent to Azure communications. For Arc resource bridge to Azure connectivity, Azure private link isn't supported.
Enter the administrator username and password for the machine. For Windows VMs, the account must be part of the local administrators group. For Linux VMs, it must be a root account.
Select Enable to start the installation of the Arc agent in the specified machines. Once installation is complete, the Guest management column will switch to Enabled for the machines with Arc agent running. You can start using Azure services for these machines. These credentials won't be persisted in Azure. They're used to install the Azure Arc agent and then discarded.
This method works only if VMware tools are installed on the target machines. If VMware tools aren't installed, you can install Arc agents by using out-of-band methods.
You can automate Arc agent installation by using a helper script that uses the AzCLI command. To enable VMs and install Arc agents at scale, download this helper script. In a single ARM deployment, the helper script can enable and install Arc agents on 200 VMs.
Features of the script
Creates a log file (vmware-batch.log) for tracking its operations.
Generates a list of Azure portal links to all the deployments created (all-deployments-<timestamp>.txt).
Creates ARM deployment files (vmw-dep-<timestamp>-<batch>.json).
Can enable up to 200 VMs in a single ARM deployment if guest management is enabled, otherwise enables 400 VMs.
Supports running as a cron job to enable all the VMs in a vCenter.
Allows for service principal authentication to Azure for automation.
Before running this script, install Azure CLI and the connectedvmware extension.
Prerequisites
Before running this script, install:
Usage
Download the script to your local machine.
Open a PowerShell terminal and go to the directory containing the script.
Run the following command to allow the script to run, as it's an unsigned script. If you close the session before you complete all the steps, run this command again for the new session: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass.
Run the script with the required parameters. For example, .\arcvmware-batch-enablement.ps1 -VCenterId "<vCenterId>" -EnableGuestManagement -VMCountPerDeployment 3 -DryRun. Replace <vCenterId> with the ARM ID of your vCenter.
Parameters
VCenterId: The ARM ID of the vCenter where the VMs are located.
EnableGuestManagement: If you specify this switch, the script enables guest management on the VMs.
VMCountPerDeployment: The number of VMs to enable per ARM deployment. The maximum value is 200 if guest management is enabled, otherwise it's 400.
DryRun: If you specify this switch, the script only creates the ARM deployment files. Otherwise, the script also deploys the ARM deployments.
Running as a Cron Job
You can set up this script to run as a cron job by using the Windows Task Scheduler. Here's a sample script to create a scheduled task:
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File "C:\Path\To\vmware-batch-enable.ps1" -VCenterId "<vCenterId>" -EnableGuestManagement -VMCountPerDeployment 3 -DryRun'
$trigger = New-ScheduledTaskTrigger -Daily -At 3am
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "EnableVMs"
Replace <vCenterId> with the ARM ID of your vCenter.
To unregister the task, run the following command:
Unregister-ScheduledTask -TaskName "EnableVMs"
You can install Arc agents directly on machines without relying on VMware tools or APIs. By using the out-of-band approach, first onboard the machines as Arc-enabled Server resources with the resource type Microsoft.HybridCompute/machines. After that, perform the Link to vCenter operation to update the machine's Kind property as VMware, which enables virtual lifecycle operations.
Connect the machines as Arc-enabled Server resources: Install Arc agents by using Arc-enabled Server scripts.
To install Arc agents at scale, use any of the following automation approaches:
Link Arc-enabled Server resources to the vCenter: The following commands update the Kind property of Hybrid Compute machines to VMware. When you link the machines to vCenter, it enables virtual lifecycle operations and power cycle operations (start, stop, and other actions) on the machines.
The following command scans all the Arc for Server machines that belong to the vCenter in the specified subscription. It links the machines with that vCenter.
az connectedvmware vm create-from-machines --subscription contoso-sub --vcenter-id /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/allhands-demo/providers/microsoft.connectedvmwarevsphere/VCenters/ContosovCentervcenters/contoso-vcenter
The following command scans all the Arc for Server machines that belong to the vCenter in the specified resource group. It links the machines with that vCenter.
az connectedvmware vm create-from-machines --resource-group contoso-rg --vcenter-id /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/allhands-demo/providers/microsoft.connectedvmwarevsphere/VCenters/ContosovCentervcenters/contoso-vcenter
Use the following command to link an individual Arc for Server resource to vCenter.
az connectedvmware vm create-from-machines --resource-group contoso-rg --name contoso-vm --vcenter-id /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/allhands-demo/providers/microsoft.connectedvmwarevsphere/VCenters/ContosovCentervcenters/contoso-vcenter
Next steps