Understanding the various Azure Arc patterns with diagrams!
@ebi
Masahiko Ebisuda
Japan Business Systems, Inc.
Masahiko Ebisuda (胡田 昌彦)
Youtube http://bit.ly/2NTCKmj
About me
Japan Business Systems, Inc.
• People who work in a corporate IT department
• General users who are interested in computers and want to learn more
• Mainly Microsoft-related technologies such as Windows, M365 and Azure
Please subscribe to the channel!
A diagram is posted on LinkedIn every day!
Understanding the various Azure Arc patterns with diagrams!
https://github.com/microsoft/azure_arc/blob/main/docs/ppt/diagrams.pptx
There are a lot of them: 93 slides!
I can't cover them all, so I'll pick some out and introduce them!
Azure Arc overall architecture
[Diagram: Azure Arc Architecture]
Azure Resource Manager (control plane):
• Environments and automation: Templates | Extensions
• Organization and inventory: Search | Index | Groups | Tags
• Governance and compliance: Logs | Policy | Blueprints
• Access and security: RBAC | Locks | Subscriptions
Management Services: Monitoring | Update | Backup | Security Center | More…
Management Experiences: Portal | Azure CLI | Azure SDK
Resource providers (RP) and the agents they manage:
• Azure Arc-enabled servers RP: Azure Arc server agent (VM extensions, Monitoring) on virtual/physical servers; Server Admin Tools
• Azure Arc-enabled Kubernetes RP: Azure Arc Kubernetes agent, Kubernetes API, GitOps Manager, Git Repo, Azure PaaS Control, Container Registry; Kubernetes Native Tools: kubectl | Provisioning | Monitoring | Lifecycle
• Azure Arc-enabled data services RP: Azure Arc data manager (Monitoring & Logs | Backup | Scaling; Provisioning | Patching | HA/DR | API) for SQL and PostgreSQL; Resource specific tools: Azure Data Studio
• Customer locations: where the servers, Kubernetes clusters and data services with their Azure Arc agents run
[Diagram thumbnail: Azure Arc-enabled servers & Azure Arc-enabled SQL server: On-premises and multi-cloud compliance with Azure Policy (covered in full in the Azure Policy section below)]
[Diagram: Azure Arc-enabled services: On-premises and multi-cloud integration]
Management plane: User Interface (Azure Portal, Azure REST API, Azure CLI, PowerShell), Azure AD (RBAC), Azure Monitor, Azure ARM Templates, Azure Log Analytics, Azure Tags, Azure Defender, Azure Resource Graph, Azure Sentinel, Azure Audit, Azure Key Vault, GitOps Configurations, Azure Container Registry, Azure Policy, Azure Security Center; grouped as Resource Inventory | Billing | Monitoring & Logs | Secrets Management | Governance | Compliance & Security.
Azure Arc Integration: Secrets | Change Tracking | Automanage | Monitoring & Logs | Extensibility | Patching & Updates | Threat Protection.
Clusters per environment, each exposing the K8s API and reached with the kubectl CLI / api:
• Azure: Azure Kubernetes Service (AKS) clusters
• Azure Stack HCI: Azure Kubernetes Service (AKS) on Azure Stack HCI clusters
• VMware vSphere: VMware Tanzu Kubernetes Grid (TKG) clusters
• Amazon Web Services: Elastic Kubernetes Service (EKS) clusters
• Google Cloud Platform: Google Kubernetes Engine (GKE) clusters
Each cluster becomes an Azure Arc-enabled Kubernetes cluster; a Custom Location maps Azure Arc-enabled services (data/app/ML) onto Kubernetes Resources in that cluster.
[Diagram: Azure Arc across Fabrikam's locations]
• Fabrikam On-Premises Datacenter: Bare-Metal Servers, Windows & Linux Servers, Kubernetes (Bare-Metal / VM), Azure Arc Data Controller with Azure Arc PostgreSQL Hyperscale, Azure Arc SQL Server and Azure Arc SQL Managed Instance
• Fabrikam Multi-Cloud Workloads: AWS EC2, GCP Instance, Google Kubernetes Engine (GKE), Elastic Kubernetes Service (EKS), Azure Arc Data Controller with Azure Arc PostgreSQL Hyperscale, Azure Arc SQL Server and Azure Arc SQL Managed Instance
• Fabrikam Azure Tenant: Cosmos DB, Functions, Data Services, Kubernetes Service, Virtual Machines, Storage, Network, App Services, plus the Azure Arc-enabled infrastructure & services projected from the other two locations
[Diagram: Contoso MSP Tenant Powered by Azure Lighthouse]
• MSP services delivered from the Contoso tenant: Access Management, Portal & Dashboarding, Policy & Governance, Monitoring, Logging & Analytics, Cost Management, Security, Patch Management, BC/DR, MSP 3rd Party Solutions Integration, Service Health & Support
• Managed customer tenants: Fourth Coffee Azure Tenant (Fourth Coffee On-Premises Datacenter, Fourth Coffee Multi-Cloud Workloads), Parnell Aerospace Azure Tenant (Parnell Aerospace On-Premises Datacenter, Parnell Aerospace Multi-Cloud Workloads), Fabrikam Azure Tenant (the Fabrikam On-Premises Datacenter and Multi-Cloud Workloads listed above)
Azure Arc-enabled servers
Azure Arc-enabled servers and Azure Arc-enabled SQL servers
On-premises and multi-cloud compliance management with Azure Policy
[Diagram: Azure Arc-enabled servers & Azure Arc-enabled SQL server: On-premises and multi-cloud compliance with Azure Policy]
Management plane: User Interface (Azure Portal, Azure REST API, Azure CLI, PowerShell), Azure AD (RBAC), Azure Monitor, Azure ARM Templates, Azure Log Analytics, Azure Tags, Azure Defender, Azure Resource Graph, Azure Sentinel, Azure Audit, Azure Key Vault, Azure Automation, Azure Automanage, Azure Policy, Azure Security Center; grouped as Resource Inventory | Billing | Monitoring & Logs | Secrets Management | Governance | Compliance & Security.
Azure Arc Integration: Secrets | Change Tracking | Automanage | Monitoring & Logs | Extensibility | Patching & Updates | Threat Protection.
Each environment is projected into Azure as Azure Arc-enabled servers and Azure Arc-enabled SQL servers, and an Azure Policy assignment enforces compliance against a standard:
• Google Cloud Platform: GCP Instances; Canada Federal PBMM
• VMware vSphere: VMware vSphere VMs; Federal Risk and Authorization Management Program (FedRAMP)
• Amazon Web Services: EC2 Instances; UK OFFICIAL and UK NHS
• Azure Stack HCI (Azure Stack HCI VMs) and Native Azure (Azure VMs): Healthcare
HIPAA (Health Insurance Portability and Accountability Act): US law on the portability and accountability of health insurance
FedRAMP (Federal Risk and Authorization Management Program): cloud security authorization program for US government agencies
NHS (National Health Service): the UK's national health service
Canada Federal PBMM (Protected B, Medium Integrity, Medium Availability): security guideline of the Canadian federal government?
Hybrid configuration management with Azure Policy - YouTube
https://www.youtube.com/watch?v=MPPN1Fic_3w
Azure Arc-enabled servers and Azure Arc-enabled SQL servers
Multi-cloud security management using Azure Security Center, Defender and Sentinel
[Diagram: Azure Arc-enabled servers & Azure Arc-enabled SQL server: Security management with ASC, Defender and Sentinel]
Management plane: User Interface (Azure Portal, Azure REST API, Azure CLI, PowerShell), Azure AD (RBAC), Azure Monitor, Azure ARM Templates, Azure Log Analytics, Azure Tags, Azure Defender, Azure Resource Graph, Azure Sentinel, Azure Audit, Azure Key Vault, Azure Automation, Azure Automanage, Azure Policy, Azure Security Center; grouped as Resource Inventory | Billing | Monitoring & Logs | Secrets Management | Governance | Compliance & Security.
Azure Arc Integration: Secrets | Change Tracking | Automanage | Monitoring & Logs | Extensibility | Patching & Updates | Threat Protection.
Environments, each projected as Azure Arc-enabled servers and Azure Arc-enabled SQL servers: Google Cloud Platform (GCP Instances), VMware vSphere (VMware vSphere VMs), Amazon Web Services (EC2 Instances), Native Azure (Azure VMs), Azure Stack HCI (Azure Stack HCI VMs).
Azure Security Management & Operations: Azure Security Center, Azure Defender and Azure Sentinel, fed by Azure Monitor from every one of the five environments.
Renames
• Azure Sentinel → Microsoft Sentinel
• Azure Security Center → Microsoft Defender for Cloud
• Azure Defender → Microsoft Defender for Cloud
No change to the point that "workloads in any environment are protected using Azure's security mechanisms".
Azure Arc-enabled servers and Azure Arc-enabled SQL servers
Resource management with Tags and Resource Graph
[Diagram: Azure Arc-enabled servers & Azure Arc-enabled SQL server: Resource management with tags]
Management plane: User Interface (Azure Portal, Azure REST API, Azure CLI, PowerShell), Azure AD (RBAC), Azure Monitor, Azure ARM Templates, Azure Log Analytics, Azure Tags, Azure Defender, Azure Resource Graph, Azure Sentinel, Azure Audit, Azure Key Vault, Azure Automation, Azure Automanage, Azure Policy, Azure Security Center; grouped as Resource Inventory | Billing | Monitoring & Logs | Secrets Management | Governance | Compliance & Security.
Azure Arc Integration: Secrets | Change Tracking | Automanage | Monitoring & Logs | Extensibility | Patching & Updates | Threat Protection.
Each environment runs WS & Linux machines and SQL Servers; the Azure Arc Connected Machine Agent projects them as Azure Arc-enabled servers and Azure Arc-enabled SQL servers, tagged by origin:
• VMware vSphere: VMware vSphere VMs, SQL Servers on VMware vSphere VMs; Tag "Infrastructure: VMware"
• Amazon Web Services: EC2 Instances, SQL Servers on EC2 Instances; Tag "Infrastructure: AWS"
• Google Cloud Platform: Instances, SQL Servers on Instances; Tag "Infrastructure: GCP"
• Azure Stack HCI: Azure Stack HCI VMs, SQL Servers on Azure Stack HCI VMs; Tag "Infrastructure: AzHCI"
• Native Azure (managed through Azure Resource Management): Azure VMs, SQL Servers on Azure VMs; Tag "Infrastructure: Azure"
Azure Tags + Azure Resource Graph: Resource Querying across all of them.
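As an added example that is not part of the deck, this Azure Resource Graph query implements the "Resource Querying" box of the diagram: it counts Azure Arc-enabled servers and native Azure VMs per value of the Infrastructure tag the diagram uses. The tag key and values come from the diagram; the query itself and the "UNTAGGED" label are mine.

```kusto
// Added example (not from the deck): inventory by the "Infrastructure" tag
// (expected values from the diagram: Azure, AzHCI, VMware, AWS, GCP).
// Run in Azure Resource Graph Explorer or with: az graph query -q "<query>"
resources
| where type =~ "microsoft.hybridcompute/machines"      // Azure Arc-enabled servers
     or type =~ "microsoft.compute/virtualmachines"     // native Azure VMs
// Machines that escaped the tagging convention are the ones policy will not find by tag,
// so give them an explicit bucket instead of silently dropping them.
| extend infra = iff(isempty(tostring(tags["Infrastructure"])),
                     "UNTAGGED",
                     tostring(tags["Infrastructure"]))
// Arc machines report Connected / Disconnected in properties.status; native VMs do not.
| extend connectivity = iff(type =~ "microsoft.hybridcompute/machines",
                            tostring(properties.status),
                            "Native")
| summarize machines = count(),
            disconnected = countif(connectivity =~ "Disconnected")
       by infra, subscriptionId
| order by infra asc
```

A Disconnected Arc-enabled server has stopped reporting to the Azure management plane, so the disconnected column, together with the UNTAGGED bucket, is what to alert on.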
Azure Arc-enabled servers and Azure Arc-enabled SQL servers
Secrets management with Azure Key Vault
[Diagram: Azure Arc-enabled servers & Azure Arc-enabled SQL server: Secrets management with Azure Key Vault]
Management plane: User Interface (Azure Portal, Azure REST API, Azure CLI, PowerShell), Azure AD (RBAC), Azure Monitor, Azure ARM Templates, Azure Log Analytics, Azure Tags, Azure Defender, Azure Resource Graph, Azure Sentinel, Azure Audit, Azure Key Vault, Azure Automation, Azure Automanage, Azure Policy, Azure Security Center; grouped as Resource Inventory | Billing | Monitoring & Logs | Secrets Management | Governance | Compliance & Security.
Azure Arc Integration: Secrets | Change Tracking | Automanage | Monitoring & Logs | Extensibility | Patching & Updates | Threat Protection.
Environments: WS & Linux machines and SQL Servers on VMware vSphere VMs, EC2 Instances (Amazon Web Services), Instances (Google Cloud Platform) and Azure Stack HCI VMs, projected by the Azure Arc Connected Machine Agent as Azure Arc-enabled servers and Azure Arc-enabled SQL servers, plus native Azure VMs. Each environment runs the AKV Extension.
Azure Secrets Management & Operations: Azure Key Vault (Secrets Store, User Secrets) serving the AKV Extension in every environment.
Azure Arc-enabled servers: Azure Key Vault Integration
[Diagram: System / Security Administrator; Azure Arc-enabled server (Hybrid Compute Resource Provider, Extension Service, AKV Extension Background Service, Cert Store, App/Service such as a web server); Azure Key Vault (AKV); User Certificates from a Public Key Infrastructure (PKI); Azure AD]
Flow shown in the diagram (steps 1a to 6):
1a. The admin deploys Azure Key Vault.
1b. AKV is configured with an Azure Managed Identity to allow the Azure Arc-enabled server to access certificates.
2a. The AKV extension is deployed on the Azure Arc-enabled server.
2b. Certificate URIs are passed as extension parameters, and the extension syncs at user-defined time intervals.
3a. The AKV extension background service requests a Managed Identity token in order to retrieve certificates.
3b. The AKV extension background service retrieves the AKV certificates at the interval specified in the extension configuration.
4. The certificates and private keys are stored in the local certificate store (Windows) or as files in a directory (Linux).
5. The App/Service (e.g. a web server) consumes the certificate from the local cert store (and rebinds upon renewal).
6. At renewal time, certificates are renewed only in AKV (renewed PKI certificates can be uploaded as well); the AKV agent then syncs down the new certificate and private key automatically at its next sync interval.
Azure Arc-enabled servers: connectivity options
Azure Arc-enabled servers Connectivity Options
Components: Azure Arc-enabled Server, Azure Arc Service (Public Endpoint / Private Endpoint), AzureArcInfrastructure service tag, Private Link, Azure VNET, Azure ExpressRoute & Site-to-Site VPN, Internet, Proxy, AAD, ARM
1. Public endpoint via direct connection
2. Public endpoint via proxy server
3. Private endpoint over ExpressRoute
Azure Arc-enabled servers - Private Link integration
• On-Premises / Multicloud network: On-Premises & Multicloud servers (Azure Arc-enabled servers), On-Premises / Multicloud Gateway (Proxy), On-Premises / Multicloud Proxy, On-Premises / Multicloud Firewall
• Azure Virtual Network: Azure Monitor Private Link Scope (Azure Log Analytics Workspace, Azure Automation account) reached through the Azure Monitor Private Link Endpoint and the Azure Automation Private Link Endpoint; Azure Arc Private Link Scope reached through the Azure Arc Private Endpoint (Azure Arc metadata, Guest config, Extension downloads); ARM Private Endpoint
• Azure Resource Manager and Azure Active Directory are reached via Service Tags
• Connectivity paths: Azure ExpressRoute / S2S VPN to the private endpoints; connectivity via the Azure Log Analytics Gateway; direct connectivity via the internet
Azure Arc-enabled servers: architecture details
Azure Arc-enabled servers Connected Machine Agent
The Azure Arc Connected Server (On-Premises, AWS EC2, etc.) runs the Azure Arc Connected Machine Agent, which consists of:
• Hybrid Instance Metadata Service (HIMDS): handles managed identity and metadata sync (heartbeats)
• Guest Configuration: provides In-Guest Policy and Guest Configuration functionality, such as assessing whether the machine complies with required policies
• Extension Manager: manages VM extensions, including install, uninstall, and upgrade (e.g. MMA/AMA, ASC, Custom Script)
Configuration passed to the Agent:
• Subscription and resource group
• Azure Region to store metadata
• Network options (direct, proxy, or private link)
• Credential to onboard (device login, AAD token, or SPN)
Azure side (all agent traffic over HTTPS/443): Azure AD (Authentication & Authorization), Azure Resource Manager (ARM) with the Hybrid Compute Resource Provider and the Guest Configuration Resource Provider, Log Analytics; the Azure Admin works through the Azure Portal, Az CLI, Azure SDK or REST API
Azure Arc-enabled servers architecture: Linux OS (on-premises/other clouds)
Azure services: Azure AD (Hybrid Identity Service), Azure Resource Manager (ARM) with the Hybrid Compute Resource Provider and the Guest Configuration Resource Provider, Log Analytics Workspace, Azure Automation, Azure Monitoring, Azure Security Center, Azure Sentinel; all agent traffic is HTTPS/443
Azure Arc Connected Machine Agent on the Linux host (operated by the System Administrator): Hybrid Instance Metadata Service, Extension Manager (Log Analytics Agent, Custom Script, DSC, Microsoft Dependency Agent), Guest Configuration
Paths shown:
• Extension Manager: /opt/GC_Ext/downloads, /var/lib/waagent/<extension>
• Guest Configuration: /var/lib/GuestConfig
• Azure Arc Connected Machine Agent: /var/opt/azcmagent/, /var/opt/azcmagent/tokens
Azure Arc-enabled servers architecture: Windows OS (on-premises/other clouds)
Azure services: Azure AD (Hybrid Identity Service), Azure Resource Manager (ARM) with the Hybrid Compute Resource Provider and the Guest Configuration Resource Provider, Log Analytics Workspace, Azure Automation, Azure Monitoring, Azure Security Center, Azure Sentinel; all agent traffic is HTTPS/443
Azure Arc Connected Machine Agent on the Windows host (operated by the System Administrator): Hybrid Instance Metadata Service, Extension Manager (Log Analytics Agent, Custom Script, DSC, Microsoft Dependency Agent), Guest Configuration
Paths shown:
• Extension Manager: %SystemDrive%\AzureConnectedMachineAgent\ExtensionService\downloads, %SystemDrive%\Packages\Plugins\<extension>
• Guest Configuration: %SystemDrive%\Program Files\ArcConnectedMachineAgent\ExtensionService\GC, %ProgramData%\GuestConfig
• Azure Arc Connected Machine Agent: %ProgramFiles%\AzureConnectedMachineAgent, %ProgramData%\AzureConnectedMachineAgent, %ProgramData%\AzureConnectedMachineAgent\Tokens, %ProgramData%\AzureConnectedMachineAgent\Config
Azure Arc-enabled servers – Identity and Access Management
Components: Connected Machine Agent (Host Instance Metadata Service (HIMDS) managed identity credentials, Guest Configuration, Extension Service), Azure Arc Service (Azure Resource Manager (ARM), Hybrid Compute Resource Provider, Guest Configuration Resource Provider, Log Analytics Workspace), Azure Active Directory (Service Principal, Managed Identity, Azure AD User), Azure Arc-connected server (On-Premises and/or Multicloud), Azure Admin, Server Admin
Onboarding:
• The Azure Admin creates a service principal and a short-lived client secret
• Grant the "Azure Connected Machine Onboarding" role for least privileged access
• Grant the "Azure Connected Machine Resource Administrator" role to the server admin for least privileged access
• The Server Admin logs in to the Azure portal and generates the server onboarding script
• Using RDP/SSH or automation tooling, the Server Admin logs in to the server with local admin rights
• The server onboarding script is run, providing the service principal and client secret
On the server:
• The Azure Arc-enabled server resource is created using the service principal credentials
• The Managed Identity is created in Azure AD enterprise applications
• Managed Identity credentials are stored in local storage protected by an ACL
• The Arc service is created and runs under the Local System account
• The HIMDS service is created and runs under the NT Service\himds virtual account with least privileges
• The Guest configuration extension service is created and runs under the Local System account
• The "Hybrid agent extension applications" local security group is created to authorize members to request Azure tokens through the HIMDS service
Runtime:
• Extensions (Log Analytics Agent, Custom Script, Dependency Agent) are created using the Local System account privileges of the extension service
• Extensions are managed using an Azure token obtained with the managed identity credentials
• Guest configuration updates are managed using an Azure token obtained with the managed identity credentials
• Log data is ingested into the Log Analytics workspace using Log Analytics workspace credentials
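As an added defender's check (not part of the deck or of Microsoft's agent), the following PowerShell verifies on a Windows Arc-enabled server that the service accounts, the local token-requester group and the token store ACL match the least-privilege layout the diagram describes. The group name and the Tokens path come from the diagram; the Windows service names and the expected account strings are assumptions to adjust to what your build reports.

```powershell
# Added example: audit the identity/ACL properties shown in the IAM diagram.
# Service names (himds, ExtensionService, GCArcService) are assumptions; confirm
# them with Get-Service on your machine. Expected accounts follow the diagram.
$checks = @(
    @{ Service = 'himds';            Expected = 'NT Service\himds' }   # virtual account
    @{ Service = 'ExtensionService'; Expected = 'LocalSystem' }        # extension service
    @{ Service = 'GCArcService';     Expected = 'LocalSystem' }        # guest configuration
)

foreach ($c in $checks) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$($c.Service)'"
    if (-not $svc) {
        Write-Warning "Service $($c.Service) not found"
        continue
    }
    $state = if ($svc.StartName -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
    '{0,-17} runs as {1,-20} expected {2,-20} {3}' -f $c.Service, $svc.StartName, $c.Expected, $state
}

# Only members of this local group may request Azure tokens through HIMDS
# (diagram); any unexpected member can act as the server's managed identity.
Write-Host "`nMembers of 'Hybrid agent extension applications':"
Get-LocalGroupMember -Group 'Hybrid agent extension applications' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource

# Token store (path from the diagram): flag any ACE granted to a principal other
# than SYSTEM, the local Administrators group, or the himds virtual account.
$tokenDir = Join-Path $env:ProgramData 'AzureConnectedMachineAgent\Tokens'
if (Test-Path $tokenDir) {
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\himds')
    (Get-Acl $tokenDir).Access |
        Where-Object { $_.IdentityReference.Value -notin $trusted } |
        ForEach-Object {
            Write-Warning "Unexpected ACE on Tokens: $($_.IdentityReference) $($_.FileSystemRights)"
        }
} else {
    Write-Warning "Token directory $tokenDir not found"
}
```

Run it in an elevated session; a MISMATCH line or an unexpected group member or ACE is worth investigating, since each one widens who can obtain the server's managed identity token.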
Combining Azure Migrate and Azure Arc
Bulk-registering the VMs on vSphere to Azure Arc with the Azure Migrate appliance
Azure Migrate + Azure Arc: how it works
Components: vSphere Infrastructure (VMware Guest VMs, vCenter Server), Azure Migrate appliance, Admin
1. Deploy the Azure Migrate appliance for agentless VMware migrations and connect it to vCenter
2. The Admin inputs the Azure Arc onboarding details using the Appliance Configuration Manager
3. The Azure Migrate appliance initiates remote sessions to each discovered guest VM
4. The onboarding script is executed inside the guest VM to onboard it as an Azure Arc-enabled server
5. The Azure Arc-enabled servers are onboarded and available to manage via the Azure portal
Azure Arc-enabled data services: architecture
Azure Arc-enabled data services architecture
• Kubernetes cluster (six Nodes) with Persistent storage, reached through the Kubernetes API
• Azure Arc data controller: Controller, Azure Arc integration, Backup, Monitoring and logs, HA/DR, Scaling, Patching/updates, Provisioning
• Database services: PostgreSQL Hyperscale, SQL MI, SQL MI w/ HA, Analytics services (Future), further Database services (Future)
• Tools: Azure Data Studio, Azure CLI, kubectl CLI; container images from the Microsoft Container Registry
• Azure Portal: Resource Inventory, Billing, Logs & Metrics, Backup Retention, Deployments/Actions, Advanced Data Security
Azure Arc-enabled data services: on-premises and multi-cloud integration
Azure services: Azure Portal, Azure REST API, Azure CLI, PowerShell (user interface); Azure AD (RBAC), Azure Monitor, Azure ARM Templates, Azure Log Analytics, Azure Tags, Azure Defender, Azure Resource Graph, Azure Sentinel, Azure Audit, Azure Key Vault, GitOps Configurations, Azure Container Registry, Azure Policy, Azure Security Center
Capability categories: Resource Inventory, Billing, Monitoring & Logs, Secrets Management, Governance, Compliance & Security, Secrets, Change Tracking, Automanage, Extensibility, Patching & Updates, Threat Protection, Azure Arc Integration
In each location an Azure Arc-enabled Kubernetes cluster hosts the Azure Arc data controller and the Azure Arc-enabled data services (SQLMI/PGHS), mapped to a Custom Location and exposed as Kubernetes Resources through the K8s API:
• Azure: Azure Kubernetes Service (AKS) clusters
• Azure Stack HCI: Azure Kubernetes Service (AKS) on Azure Stack HCI clusters
• VMware vSphere: VMware Tanzu Grid (TKG) clusters
• Amazon Web Services: Elastic Kubernetes Service (EKS) clusters
• Google Cloud Platform: Google Kubernetes Engine (GKE) clusters
Client tools: kubectl CLI and Azure Data Studio, both talking to the Kubernetes API
Azure Arc-enabled VMware vSphere: architecture
Azure Arc-enabled VMware vSphere Architecture
• On-Premises Data Center (VMware vSphere): VMware vCenter Server, ESXi Hosts, VM Templates, Virtual Networks, and the Azure Arc Resource Bridge
• Microsoft Azure: Azure Resource Manager (ARM) with the ConnectedVMwareVSphere ARM Resource Provider; Azure Arc Resources: Azure Arc vCenter Server resource, Azure Arc VM Templates resource, Azure Arc Virtual Networks resource, Azure Arc-enabled VMware vSphere VMs resources
• Azure Resources / management: Access and Security, Governance & Compliance, Organization & Inventory, Environment & Automation; Management Services – Monitor | Update | Backup and more
Azure Stack HCI
AKS on Azure Stack HCI Architecture
• Azure Stack HCI Cluster: Physical HCI Nodes running Hyper-V with a vSwitch
• AKS-HCI Management Cluster: System Services (Hyper-V VM-01)
• AKS-HCI Workload Cluster-01 ... Cluster-n (Azure Arc enabled Kubernetes): Kubernetes Control Plane (System Services on Hyper-V VM-01, VM-02, VM-03) and Kubernetes Workload Nodes & Applications (User Applications on Hyper-V VM-01, VM-02 ... VM-n)
AKS on Azure Stack HCI using Azure VM (Nested Virtualization)
• Azure Resource Group containing an Azure Virtual Network and an Azure VM acting as the AKSHCI Hyper-V Host: Windows Server 2019 Datacenter with Hyper-V enabled (Nested Virtualization), Hyper-V vSwitch
• Azure Kubernetes Service (AKS) on Azure Stack HCI Platform Services: a Kubernetes Management Cluster and a Kubernetes Workload Cluster (Kubernetes Control Plane and Kubernetes Worker Nodes), each node a Hyper-V VM running System Services & Containers
Azure Arc-enabled Kubernetes
Azure Arc-enabled Kubernetes Onboarding
Components: K8s Cluster Admin, Azure CLI, On-Premises/Cloud Provider Kubernetes Cluster (API Server, etcd, Cluster Metadata Operator, Resource Sync Operator, Cluster Identity Operator), Microsoft Container Registry, Azure Resource Manager (ARM), Microsoft.Kubernetes Resource Provider (RP), Azure AD, Managed Identity Service, Hybrid Identity Service, Azure Arc-enabled Kubernetes Data Plane Service
1. The K8s Cluster Admin runs az connectedk8s connect
2. Azure CLI fetches the Helm chart
3a. Azure CLI uses Helm to deploy the Arc-enabled k8s agents with the onboarding private key
3b. State / onboarding private key is saved in the k8s datastore (etcd)
3c. Agent images are pulled from the Microsoft Container Registry
3d. PUT resource Microsoft.Kubernetes/connectedClusters with the public key (management.azure.com)
3e. Create Managed Identity
3f. Create Service Principal in AAD
3g. PUT connectedCluster resource along with the Managed Identity metadata
4. Send identity metadata to the Hybrid Identity Service
5a. Fetch the connectedCluster Managed Identity certificate (uses the onboarding private key to authenticate to eus.his.azure.com)
5b. Fetch the identity certificate from the Managed Identity Service
5c. Cluster Identity Operator saves the Azure Identity Certificate
6a. Cluster Metadata Operator fetches cluster metadata and updates the custom resource
6b. Push cluster metadata (uses Managed Identity to authenticate to eastus.dp.kubernetesconfiguration.com)
6c. Watch for updates in the cluster metadata custom resource
6d. Update cluster metadata (Microsoft.Kubernetes RP)
Azure Arc-enabled Kubernetes GitOps Flow
Arc Connected Kubernetes Cluster: any Kubernetes, any infrastructure (Google Kubernetes Engine (GKE), Elastic Kubernetes Service (EKS), Rancher K3s, Azure Kubernetes Service on HCI)
Flow (steps 1-8): GitOps Configurations → git Repository → Flux Operator + Helm Operator → Application Deployment of Application V1 (Desired State); Application Changes → git merge → Flux picks up the changes → Application Rolling Update to Application V2 (New Desired State)
Azure Arc-enabled Kubernetes GitOps Configuration
Components: Admin, Azure CLI, Azure Resource Manager (ARM), Microsoft.KubernetesConfiguration Resource Provider (RP), Azure Arc-enabled Kubernetes Dataplane Service, Git Repository (YAML Files, Helm Releases CRs), and on the On-Premises/Cloud Provider Kubernetes Cluster: Config Agent, controller-manager, Flux Operator, Flux-Helm Operator, Flux-logs agent, gitconfigs CR (config-a), helmreleases CR (release-a), Helm Release (obj-x, obj-y, obj-z) in a Namespace (ns)
1. The Admin runs az k8s-configuration create
2. PUT resource Microsoft.Kubernetes/connectedClusters/clusterName/providers/Microsoft.KubernetesConfiguration/sourceControlConfigurations/configName (uses the ARM Extension Resource pattern)
3. ARM PUTs the sourceControlConfiguration resource to the RP
4. The RP stores the sourceControlConfiguration resource
5. Config Agent GETs pending sourceControlConfiguration resources from the Dataplane Service (uses Managed Identity to authenticate)
6. Config Agent creates the gitconfigs CR
7. controller-manager watches gitconfig CRs
8. controller-manager creates or updates the Flux Operator or Flux-Helm Operator
9. Flux watches the Git repo and creates k8s resources based on raw YAML and helmreleases CRs
10. Flux-Helm Operator watches helmreleases CRs, pulls the Helm chart and creates the Helm release
11. Flux-logs agent sends Flux events to the upstream service
12. Config Agent collects status from Flux
13. Config Agent POSTs status for the Flux agents to the Dataplane Service, to be retrieved with a resource GET
Azure Arc-enabled Kubernetes AAD RBAC (public preview)
Azure Arc-enabled Kubernetes Cluster: an Azure AD Entity (User Account/Service Principal) runs kubectl get pods against the API Server; the API Server sends a TokenAccessReview / SubjectAccessReview to Guard, which calls checkAccess in Azure against the role assignment (e.g. Owner) and answers allowed/denied; if allowed, the API Server returns the list of pods
Azure Arc-enabled Kubernetes Cluster Connect (public preview)
Components: Azure AD Entity (User Account/Service Principal) running az connectedk8s proxy through a Client-side proxy; Azure Resource Manager (ARM) and the Microsoft.Kubernetes Resource Provider (RP) exposing listClusterUserCredentials; Dataplane Service with Hybrid Connections; Customer Location (On-Premises/Cloud Provider) behind the Customer Firewall, where the Kubernetes Cluster runs the clusterconnect-agent (heartbeat to the Dataplane Service), kube-aad-proxy and the API Server
Azure Arc-enabled Kubernetes Cluster extensions (public preview)
Components: Admin, Azure CLI, Azure Resource Manager (ARM), Microsoft.KubernetesConfiguration Resource Provider (RP), Azure Arc-enabled Kubernetes Data Plane Service, Azure Container Registry or Microsoft Container Registry, and on the On-Premises/Cloud Provider Kubernetes Cluster: Config Agent, extension-manager, extensionconfigs CR (extension), Helm Release (obj-x, obj-y, obj-z) in a Namespace (ns)
1. The Admin runs az k8s-extension create
2. PUT resource Microsoft.Kubernetes/connectedClusters/clusterName/providers/Microsoft.KubernetesConfiguration/extensions/extensionName (uses the ARM Extension Resource pattern)
3. ARM PUTs the extension resource to the RP
4. The RP stores the extension resource
5. Config Agent GETs pending extension resources from the Data Plane Service (uses Managed Identity to authenticate)
6. GET version
7. Config Agent creates the extensionconfig CR
8. extension-manager watches extensionconfig CRs
9. Fetch the Helm chart stored as an OCI artifact from Azure Container Registry or Microsoft Container Registry
10. Install the Helm chart
11. Config Agent collects status
12. Config Agent POSTs the extension status to the Data Plane Service
Azure Arc-enabled Kubernetes Azure Monitor (public preview)
Azure Arc-enabled Kubernetes Cluster: on each node (node-1, node-2 ... node-n) an oms-agent collects metrics and logs from the pods (pod-a, pod-b, pod-c, pod-d) and sends them to Azure Monitor for containers (Workbooks, Log Analytics, Alerts)
Azure Arc-enabled Kubernetes Microsoft Defender for Cloud
Azure Arc-enabled Kubernetes cluster: (1) the azure-defender component collects audit logs from the apiserver on the Control plane nodes; (2) the audit logs are sent to Log Analytics / Microsoft Defender for Cloud, which the Admin works from. Worker nodes (node-1, node-2 ... node-n) run the workload pods (pod-a ... pod-f).
• Continuous discovery of Arc-enabled Kubernetes instances
• Actionable recommendations for security best practices
• Detect threats across multi-cloud Kubernetes clusters using advanced analytics
Azure Arc-enabled Kubernetes Open Service Mesh (Preview)
Azure Arc-enabled Kubernetes cluster, arc-osm-system namespace:
• osm-controller pod: Certificate manager, Mesh Catalog, Endpoints provider, Mesh specification, Proxy control plane, Discovery service; configured through the osm-config ConfigMap; osm-controller ValidatingWebhookConfiguration
• osm-injector: Deployment, Service, MutatingWebhookConfiguration
• Application pods (pod-1, pod-2) run an envoy sidecar next to the application, connected to the proxy control plane over gRPC streams
• The apiserver exposes the SMI API
Azure Arc-enabled Kubernetes Azure Policy (Gatekeeper)
Azure Arc-enabled Kubernetes Cluster:
• azure-policy-addon fetches policy definitions & assignments from the Azure Policy Service and reports compliance back to it
• azure-policy-addon deploys Gatekeeper (OPA) and creates the Config CRD, PolicyTemplate CRD and PolicyInstance CRD, which Gatekeeper watches
• When the calling entity runs kubectl apply -f privileged.yaml, the API Server sends an AdmissionReview request to Gatekeeper; the AdmissionReview response "allowed: false" means the request is Denied
• Resource kinds covered: Pod, Deployment, Service, Ingress
How to draw architecture diagrams
https://www.youtube.com/watch?v=QR-64mFqhf4
Understanding Azure Arc patterns through diagrams!
Excerpt of the PowerPoint techniques
• When copying and pasting, "Use destination theme" and "Keep source formatting" give different results
• The Arc diagrams use the "tenorite" font
• Font size 11 is the baseline
• How to make a box template
  • Make one, then the formatting can be copied and pasted
(sample box: "This is a box")
Excerpt of the PowerPoint techniques
• Keep the number of colors small
• Wrap text at meaningful points
• Use the correct icons
  • Use the ones from the Azure Arc diagram PPT
  • Kubernetes icons have a repository on GitHub
    • community/icons at master · kubernetes/community · GitHub
  • Azure also has an official icon set (but it is updated slowly)
    • Azure icons - Azure Architecture Center | Microsoft Docs
  • Someone publishes and keeps updating Visio stencils in addition to icons
    • GitHub - David-Summers/Azure-Design: My Azure stencil collection for Visio. Highly functional and always up to date.
• Make good use of grouping text and icons (shortcut: Ctrl-G)
Excerpt of the PowerPoint techniques
• Make good use of grouping text and icons (shortcut: Ctrl-G; ungroup is Ctrl-Shift-G)
• Box sizes should be aligned
  • Check the height and width of the box with the most text in "Shape Format" and match the others to it
  • Align the spacing between shapes as well; PowerPoint shows you
(sample aligned boxes: Azure Active Directory ×3)
Excerpt of the PowerPoint techniques
• Align icon sizes too (height and width can be checked and set)
• Pay attention to where icons are placed inside boxes
• Use arrows to show relationships
  • Thickness up to 1pt is recommended
  • Using arrows for the "order of operations" is not good; they are appropriate for dependencies between services, etc.
  • Curves are hard to handle, so better not to use them
  • Writing the relationship as text on the arrow is good
    • Vertically centered text is recommended
    • Adding an icon as well as text is even better; in that case, match its height etc. to the surroundings as much as possible
  • When using elbow connectors, bend near the start point rather than in the middle
• Align positions as much as possible; use the PowerPoint guides
Excerpt of the PowerPoint techniques
• When enclosing multiple shapes in a frame, group the inner shapes first
  • The PowerPoint guides can be used when positioning
• After arranging the overall layout, tidy up the colors
• When describing an action, make its subject clear
• When using animation, 0.3 seconds is recommended
• When saving as JPEG etc., you can export at high resolution
  • Change the registry
  • How to export high-resolution (high-dpi) slides from PowerPoint - Office | Microsoft Docs
Azure Arc diagrams
They are quite interesting, so take a look!
They will also be very useful when creating explanatory materials!
Thank you!
 
Parallel & Concurrent ...
yashpavasiya892
 

Understanding the Various Azure Arc Patterns with Diagrams!

  • 2. About me: 胡田 昌彦 (Masahiko Ebisuda), 日本ビジネスシステムズ株式会社. YouTube: http://bit.ly/2NTCKmj
      The channel is for people working in corporate IT departments, and for general users who are interested in computers and want to learn more.
      Its focus is Microsoft-related technology such as Windows, M365 and Azure. Please subscribe!
  • 9. Azure Arc Architecture (overall diagram).
      Azure Resource Manager provides the management layer: Environments and automation (Templates | Extensions); Organization and inventory (Search | Index | Groups | Tags); Governance and compliance (Logs | Policy | Blueprints); Access and security (RBAC | Locks | Subscriptions).
      Management Experiences: Portal | Azure CLI | Azure SDK. Management Services: Monitoring | Update | Backup | Security Center | More…
      Three resource providers (RPs) project resources at Customer locations into Azure:
      - Azure Arc-enabled servers RP: the Azure Arc server agent on virtual/physical servers, with VM extensions and Monitoring; operated with Server Admin Tools.
      - Azure Arc-enabled Kubernetes RP: the Azure Arc Kubernetes agent in front of the Kubernetes API, a GitOps Manager fed from a Git Repo, and a Container Registry; operated with Kubernetes Native Tools (kubectl | Provisioning | Monitoring | Lifecycle).
      - Azure Arc-enabled data services RP: the Azure Arc data manager for SQL and PostgreSQL (Monitoring & Logs | Backup | Scaling | Provisioning | Patching | HA/DR | API); operated with Azure Data Studio and resource specific tools.
      Other labels: Azure PaaS Control.
  • 16. Azure Arc-enabled servers & Azure Arc-enabled SQL server: On-premises and multi-cloud compliance with Azure Policy.
      Azure side: User Interface (Azure Portal, Azure REST API, Azure CLI, PowerShell) over the shared services Azure AD (RBAC), Azure Monitor, Azure ARM Templates, Azure Log Analytics, Azure Tags, Azure Defender, Azure Resource Graph, Azure Sentinel, Azure Audit, Azure Key Vault, Azure Automation, Azure Automanage, Azure Policy and Azure Security Center, grouped as Resource Inventory, Billing, Monitoring & Logs, Secrets Management, Governance, Compliance & Security.
      Azure Arc Integration capabilities: Secrets, Change Tracking, Automanage, Monitoring & Logs, Extensibility, Patching & Updates, Threat Protection.
      Environments running Azure Arc-enabled servers and Azure Arc-enabled SQL servers: Azure VMs (Native Azure), Azure Stack HCI VMs, VMware vSphere VMs, EC2 Instances (Amazon Web Services), GCP Instances (Google Cloud Platform).
      Azure Policy enforces a compliance standard per environment (Compliance Enforcement): Canada Federal PBMM, Federal Risk and Authorization Management Program (FedRAMP), UK OFFICIAL and UK NHS, Healthcare.
  • 17. Azure Arc-enabled services: On-premises and multi-cloud integration.
      Azure side: the same User Interface and shared services as slide 16, plus GitOps Configurations and Azure Container Registry.
      Azure Arc Integration capabilities: Secrets, Change Tracking, Automanage, Monitoring & Logs, Extensibility, Patching & Updates, Threat Protection.
      Kubernetes clusters per environment, each exposing the K8s API and reachable through kubectl CLI / api: Azure Kubernetes Service (AKS) clusters (Azure), Azure Kubernetes Service (AKS) on Azure Stack HCI clusters, VMware Tanzu Grid (TKG) clusters (VMware vSphere), Elastic Kubernetes Service (EKS) clusters (Amazon Web Services), Google Kubernetes Engine (GKE) clusters (Google Cloud Platform).
      Each is connected as an Azure Arc-enabled Kubernetes cluster, and Azure Arc-enabled services (data/app/ML) are deployed onto it through Custom Location mapping to Kubernetes Resources.
  • 18. Azure Arc-enabled infrastructure & services (Fabrikam example).
      Fabrikam Azure Tenant: Cosmos DB, Functions, Data Services, Kubernetes Service, Virtual Machines, Storage, Network, App Services.
      Fabrikam On-Premises Datacenter: Bare-Metal Servers, Windows & Linux Servers, Kubernetes (Bare-Metal / VM), and an Azure Arc Data Controller hosting Azure Arc PostgreSQL Hyperscale, Azure Arc SQL Server and Azure Arc SQL Managed Instance.
      Fabrikam Multi-Cloud Workloads: AWS EC2, GCP Instance, Google Kubernetes Engine (GKE), Elastic Kubernetes Service (EKS), and an Azure Arc Data Controller hosting the same data services.
      All of it is projected into Azure through Azure Arc.
  • 19. Managed service provider (MSP) pattern: Contoso MSP Tenant, powered by Azure Lighthouse, delivers Access Management, Portal & Dashboarding, Policy & Governance, Monitoring, Logging & Analytics, Cost Management, Security, Patch Management, BC/DR, MSP 3rd Party Solutions Integration, and Service Health & Support across several customers.
      Customers: Fourth Coffee (Azure Tenant, On-Premises Datacenter, Multi-Cloud Workloads), Parnell Aerospace (Azure Tenant, On-Premises Datacenter, Multi-Cloud Workloads) and Fabrikam (the Azure Tenant, On-Premises Datacenter and Multi-Cloud Workloads from slide 18, including the Azure Arc Data Controllers with Azure Arc PostgreSQL Hyperscale, Azure Arc SQL Server and Azure Arc SQL Managed Instance), all connected through Azure Arc.
  • 21. Azure Arc-enabled servers and Azure Arc-enabled SQL servers: on-premises and multi-cloud compliance management with Azure Policy
  • 22. Same diagram as slide 16 (On-premises and multi-cloud compliance with Azure Policy).
  • 29. Same diagram as slide 16, with a glossary of the compliance standards shown:
      HIPAA (Health Insurance Portability and Accountability Act): US law on the portability and accountability of health insurance.
      FedRAMP (Federal Risk and Authorization Management Program): the cloud security authorization program for US government agencies.
      NHS (National Health Service): the UK's national health service.
      Canada Federal PBMM (Protected B, Medium Integrity, Medium Availability): a security guideline of the Canadian federal government?
  • 31. Hybrid configuration management with Azure Policy - YouTube https://www.youtube.com/watch?v=MPPN1Fic_3w
  • 32. Azure Arc-enabled servers and Azure Arc-enabled SQL servers: multi-cloud security management with Azure Security Center, Defender and Sentinel
  • 33. Azure Arc-enabled servers & Azure Arc-enabled SQL server: Security management with ASC, Defender and Sentinel.
      Azure side: the same User Interface and shared services as slide 16, and the same Azure Arc Integration capabilities (Secrets, Change Tracking, Automanage, Monitoring & Logs, Extensibility, Patching & Updates, Threat Protection).
      Environments running Azure Arc-enabled servers and Azure Arc-enabled SQL servers: Azure VMs (Native Azure), Azure Stack HCI VMs, VMware vSphere VMs, EC2 Instances (Amazon Web Services), GCP Instances (Google Cloud Platform).
      Every environment reports through Azure Monitor into Azure Security Management & Operations: Azure Security Center, Azure Defender, Azure Sentinel.
  • 35. Name changes:
      • Azure Sentinel → Microsoft Sentinel
      • Azure Security Center → Microsoft Defender for Cloud
      • Azure Defender → Microsoft Defender for Cloud
      No change to the core point: workloads in any environment are protected with Azure's security mechanisms.
  • 37. Azure Arc-enabled servers & Azure Arc-enabled SQL server: Resource management with tags.
      Azure side: the same User Interface and shared services as slide 16; Azure Tags and Azure Resource Graph are used for Resource Querying. Azure Arc Integration capabilities as on slide 16.
      Each environment runs WS & Linux machines and SQL Servers. Azure VMs are managed natively by Azure Resource Management (Native Azure) and tagged "Infrastructure: Azure".
      Azure Stack HCI VMs, VMware vSphere VMs, EC2 Instances (Amazon Web Services) and Instances (Google Cloud Platform) run the Azure Arc Connected Machine Agent and appear as Azure Arc-enabled servers and Azure Arc-enabled SQL servers, tagged "Infrastructure: AzHCI", "Infrastructure: VMware", "Infrastructure: AWS" and "Infrastructure: GCP" respectively.
  • 39. Azure Arc-enabled servers and Azure Arc-enabled SQL servers: secrets management with Azure Key Vault
  • 40. Azure Arc-enabled servers & Azure Arc-enabled SQL server: Secrets management with Azure Key Vault.
      Azure side: the same User Interface and shared services as slide 16; Azure Key Vault acts as the Secrets Store for User Secrets under Azure Secrets Management & Operations. Azure Arc Integration capabilities as on slide 16.
      Azure VMs (Native Azure) use Key Vault directly. Azure Stack HCI VMs, VMware vSphere VMs, EC2 Instances (Amazon Web Services) and Instances (Google Cloud Platform), each with WS & Linux machines and SQL Servers, run the Azure Arc Connected Machine Agent plus the AKV Extension, which pulls secrets from Azure Key Vault onto the Azure Arc-enabled servers and Azure Arc-enabled SQL servers.
  • 42. Azure Arc-enabled servers: Azure Key Vault Integration (diagram)
    • Actors: System / Security Administrator, Azure Arc-enabled server, Azure Key Vault (AKV), User Certificates, Public Key Infrastructure (PKI), Hybrid Compute Resource Provider, Extension Service, Azure AD, Cert Store, App/Service (i.e. Web Server)
    • Admin deploys Azure Key Vault
    • AKV is configured with an Azure Managed Identity to allow the Azure Arc-enabled server to access certificates
    • The AKV extension is deployed on the Azure Arc-enabled server; certificate URIs are passed as parameters and synced at user-defined time intervals
    • The AKV Extension background service requests a Managed Identity token in order to retrieve certificates
    • The AKV Extension background service retrieves AKV certificates at the interval specified in the extension configuration
    • The certificates and private keys are stored in the local certificate store (Windows) or as files in a directory (Linux)
    • The App/Service consumes the certificate from the local cert store (and rebinds upon renewal)
    • Upon renewal, the certificates are renewed only in AKV (renewed PKI certs can be uploaded as well); the AKV agent then syncs down the new certificate and private key automatically at its next sync interval
  • 44. Azure Arc-enabled servers Connectivity Options (diagram)
    • Components: Azure VNET, Azure Arc-enabled Server, Azure Arc Service (AAD, ARM) with a Public Endpoint and a Private Endpoint, AzureArcInfrastructure Service tag, Private Link, Azure Express Route & Site-to-Site VPN, Internet, Proxy
    • 1. Public endpoint via direct connection
    • 2. Public endpoint via proxy server
    • 3. Private endpoint over Express Route
  • 45. Azure Arc-enabled servers - Private Link integration (diagram)
    • On-Premises / Multicloud network: Azure Arc-enabled servers, On-Premises / Multicloud Gateway (Proxy), On-Premises / Multicloud Proxy, On-Premises / Multicloud Firewall; connected to Azure over Azure ExpressRoute / S2S VPN
    • Azure Virtual Network: Azure Monitor Private Link Scope (Azure Monitor Private Link Endpoint, Azure Automation Private Link Endpoint) and Azure Arc Private Link Scope (Azure Arc Private Endpoint, ARM Private Endpoint)
    • Azure services: Azure Log Analytics Workspace, Azure Log Analytics, Azure Automation account, Azure Arc metadata, Guest config, Extension downloads, Azure Resource Manager, Azure Active Directory (reached via Service Tags)
    • Paths: connectivity via Azure Log Analytics Gateway; direct connectivity via internet
  • 47. Azure Arc-enabled servers: Connected Machine Agent (diagram)
    • An Azure Arc Connected Server (On-Premises, AWS EC2, etc.) runs the Azure Arc Connected Machine Agent, made up of:
      • Hybrid Instance Metadata Service (HIMDS): handles managed identity and metadata sync (heartbeats)
      • Guest Configuration: provides In-Guest Policy and Guest Configuration functionality, such as assessing whether the machine complies with required policies
      • Extension Manager: manages VM extensions (e.g. MMA/AMA, ASC, Custom Script), including install, uninstall, and upgrade
    • Configuration passed to the Agent:
      • Subscription and resource group
      • Azure Region to store metadata
      • Network options (direct, proxy, or private link)
      • Credential to onboard (device login, AAD token, or SPN)
    • Azure side (all over HTTPS/443): Azure AD (Authentication & Authorization), Azure Resource Manager (ARM) with the Hybrid Compute Resource Provider and the Guest Configuration Resource Provider, Log Analytics; the Azure Admin uses the Azure Portal, Az CLI, Azure SDK or REST API
  • 48. Azure Arc-enabled servers architecture: Linux OS (diagram)
    • On-premises/other clouds: Azure Arc Connected Machine Agent with Hybrid Instance Metadata Service, Extension Manager and Guest Configuration; extensions include Log Analytics Agent, Custom Script, DSC, Microsoft Dependency Agent; operated by a System Administrator
    • Local paths: /var/opt/azcmagent/ (agent), /var/opt/azcmagent/tokens (tokens), /opt/GC_Ext/downloads (extension downloads), /var/lib/waagent/<extension> (installed extensions), /var/lib/GuestConfig (Guest Configuration)
    • Azure (HTTPS/443): Azure AD Hybrid Identity Service, Azure Resource Manager (ARM) with Hybrid Compute Resource Provider and Guest Configuration Resource Provider, Log Analytics Workspace, Azure Automation, Azure Monitoring, Azure Security Center, Azure Sentinel
  • 49. Azure Arc-enabled servers architecture: Windows OS (diagram)
    • On-premises/other clouds: Azure Arc Connected Machine Agent with Hybrid Instance Metadata Service, Extension Manager and Guest Configuration; extensions include Log Analytics Agent, Custom Script, DSC, Microsoft Dependency Agent; operated by a System Administrator
    • Local paths: %ProgramFiles%\AzureConnectedMachineAgent and %ProgramData%\AzureConnectedMachineAgent (agent), %ProgramData%\AzureConnectedMachineAgent\Tokens (tokens), %ProgramData%\AzureConnectedMachineAgent\Config (config), %SystemDrive%\AzureConnectedMachineAgent\ExtensionService\downloads (extension downloads), %SystemDrive%\Packages\Plugins\<extension> (installed extensions), %SystemDrive%\Program Files\ArcConnectedMachineAgent\ExtensionService\GC and %ProgramData%\GuestConfig (Guest Configuration)
    • Azure (HTTPS/443): Azure AD Hybrid Identity Service, Azure Resource Manager (ARM) with Hybrid Compute Resource Provider and Guest Configuration Resource Provider, Log Analytics Workspace, Azure Automation, Azure Monitoring, Azure Security Center, Azure Sentinel
  • 50. Azure Arc-enabled servers – Identity and Access Management (diagram)
    • Components: Azure Arc-connected server (On-Premises and/or Multicloud) running the Connected Machine Agent (Host Instance Metadata Service (HIMDS), Guest Configuration Extension Service, Guest Configuration Azure Arc Service, and the extensions Log Analytics Agent, Custom Script, Dependency Agent); Azure Resource Manager (ARM) with the Hybrid Compute Resource Provider and Guest Configuration Resource Provider; Log Analytics Workspace; Azure Active Directory (Service Principal, Managed Identity, Azure AD User)
    • Onboarding (Azure Admin): create a service principal and a short-lived client secret; grant the "Azure Connected Machine Onboarding" role for least privileged access; grant the "Azure Connected Machine Resource Administrator" role to the server admin for least privileged access
    • Onboarding (Server Admin): log in to the Azure portal and generate the server onboarding script; log in to the server with local admin rights using RDP/SSH or automation tooling; run the server onboarding script, providing the service principal and client secret
    • The Azure Arc-enabled server resource is created using the service principal credentials; the Managed Identity is created in Azure AD enterprise applications
    • The HIMDS service is created and runs under the NT Service\himds virtual account with least privileges; the Managed Identity credentials are stored in local storage protected by an ACL
    • The guest configuration Arc service and the guest configuration extension service are created and run under the Local System account
    • Extensions are created using the Local System account privileges of the extension service and are managed using an Azure token obtained with the managed identity credentials; guest configuration updates are likewise managed using an Azure token obtained with the managed identity credentials
    • The "Hybrid agent extension applications" local security group is created to authorize its members to request Azure tokens through the HIMDS service
    • Log data is ingested into the Log Analytics workspace using Log Analytics workspace credentials
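The local token request that slide 50 describes, as an added example that is not code from the slides or from the Connected Machine Agent: a client for the HIMDS challenge flow, in which membership of the agent's local security group, enforced by the ACL on a challenge file in the tokens directory, decides who may obtain a managed-identity token. The endpoint on localhost:40342, the header names and the Linux group name are assumptions taken from Microsoft's documentation of the flow rather than from the slides; the transport and the file reader are injectable so the flow can be exercised offline.

```python
"""Client for the HIMDS managed-identity token flow on an Azure Arc-enabled server.

Added example, not code from the slides or from the Connected Machine Agent.
Assumes the documented flow: GET the local token endpoint with Metadata: true,
get 401 with 'Www-Authenticate: Basic realm=<challenge file>', read that file,
retry with 'Authorization: Basic <file contents>'. The challenge file lives in
the tokens directory named on slides 48/49 and is readable only by root / the
himds group (Linux) or the "Hybrid agent extension applications" group
(Windows); that ACL is the actual authorization check.
"""
import json
import re
from typing import Callable, Dict, Tuple
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import ProxyHandler, Request, build_opener

# Local HIMDS endpoint; the agent also exports it as IDENTITY_ENDPOINT.
HIMDS_ENDPOINT = "http://localhost:40342/metadata/identity/oauth2/token"
API_VERSION = "2020-06-01"

# A transport performs a GET and returns (status, headers, body); injectable
# so the flow can be exercised without a running agent.
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]
ChallengeReader = Callable[[str], str]

_REALM_RE = re.compile(r"Basic\s+realm=(?P<path>\S+)", re.IGNORECASE)
# The endpoint is on localhost, so ignore any HTTP(S)_PROXY environment settings.
_OPENER = build_opener(ProxyHandler({}))


def parse_challenge_path(www_authenticate: str) -> str:
    """Return the challenge-file path from a 'Basic realm=<path>' header value."""
    match = _REALM_RE.search(www_authenticate or "")
    if not match:
        raise ValueError(f"unexpected Www-Authenticate header: {www_authenticate!r}")
    return match.group("path").strip('"')


def urllib_transport(url, headers):
    """Real transport against the local agent; 401 is a normal answer here."""
    request = Request(url, headers=headers, method="GET")
    try:
        with _OPENER.open(request, timeout=5) as response:
            return response.status, dict(response.headers), response.read()
    except HTTPError as err:
        return err.code, dict(err.headers), err.read()


def read_challenge_file(path):
    """Read the challenge token; a caller outside the allowed group gets PermissionError."""
    with open(path, "r", encoding="utf-8") as handle:
        return handle.read()


def get_managed_identity_token(resource, transport=urllib_transport,
                               read_challenge=read_challenge_file,
                               endpoint=HIMDS_ENDPOINT):
    """Run the two-step challenge flow and return the parsed token response."""
    url = f"{endpoint}?{urlencode({'api-version': API_VERSION, 'resource': resource})}"

    # Step 1: unauthenticated request; HIMDS answers 401 with the challenge path.
    status, headers, _ = transport(url, {"Metadata": "true"})
    if status != 401:
        raise RuntimeError(f"expected 401 challenge from HIMDS, got HTTP {status}")
    lowered = {name.lower(): value for name, value in headers.items()}
    challenge_path = parse_challenge_path(lowered.get("www-authenticate", ""))

    # Step 2: reading the ACL-protected file is the proof of local group membership.
    challenge = read_challenge(challenge_path).strip()

    # Step 3: retry with the challenge as a Basic credential.
    status, _, body = transport(url, {"Metadata": "true", "Authorization": f"Basic {challenge}"})
    if status != 200:
        raise PermissionError(f"HIMDS rejected the challenge response: HTTP {status}")
    return json.loads(body.decode("utf-8"))
```

On a real Arc-enabled server the default transport and reader talk to the agent directly; a process that is not root or not in the permitted group fails at step 2 with PermissionError, which is the behaviour the least-privilege design on slide 50 relies on.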
  • 51. Combining Azure Migrate and Azure Arc: bulk-register the VMs on vSphere with Azure Arc using the Azure Migrate appliance
  • 52. Azure Migrate + Azure Arc: How it works (diagram)
    • Components: vSphere Infrastructure with VMware Guest VMs and vCenter Server; Azure Migrate appliance; Admin
    • Deploy the Azure Migrate appliance for agentless VMware migrations and connect it to vCenter
    • The Admin inputs the Azure Arc onboarding details using the Appliance Configuration Manager
    • The Azure Migrate appliance initiates remote sessions to each discovered guest VM
    • The onboarding script is executed inside the guest VM, which is onboarded as an Azure Arc-enabled server
    • The Azure Arc-enabled servers are onboarded and available to manage via the Azure portal
  • 54. Azure Arc-enabled data services architecture (diagram)
    • Kubernetes cluster (nodes with Persistent storage), reached through the Kubernetes API with Azure CLI, kubectl CLI and Azure Data Studio; images pulled from Microsoft Container Registry
    • Azure Arc data controller: Controller, Backup, Monitoring and logs, Azure Arc integration, HA/DR, Scaling, Patching/updates, Provisioning
    • Data services: PostgreSQL Hyperscale, SQL MI, SQL MI w/ HA; Database services (Future), Analytics services (Future)
    • Azure Portal: Resource Inventory, Billing, Logs & Metrics, Backup Retention, Deployments/Actions, Advanced Data Security
  • 59. Azure Arc-enabled data services: On-premises and multi-cloud integration (diagram)
    • User interface: Azure Portal, Azure REST API, Azure CLI, PowerShell
    • Azure services: Azure AD (RBAC), Azure Monitor, Azure ARM Templates, Azure Log Analytics, Azure Tags, Azure Defender, Azure Resource Graph, Azure Sentinel, Azure Audit, Azure Key Vault, GitOps Configurations, Azure Container Registry, Azure Policy, Azure Security Center
    • Capabilities: Resource Inventory, Billing, Monitoring & Logs, Secrets Management, Governance, Compliance & Security, Secrets, Change Tracking, Automanage, Extensibility, Patching & Updates, Threat Protection, Azure Arc Integration
    • Environments: Azure Kubernetes Service (AKS) clusters on Azure, Azure Kubernetes Service (AKS) on Azure Stack HCI clusters, VMware Tanzu Grid (TKG) clusters on VMware vSphere, Elastic Kubernetes Service (EKS) clusters on Amazon Web Services and Google Kubernetes Engine (GKE) clusters on Google Cloud Platform; each is an Azure Arc-enabled Kubernetes cluster exposing the K8s API and hosting Azure Arc-enabled data services (SQLMI/PGHS) with an Azure Arc data controller, mapped through a Custom Location to Kubernetes Resources
    • Tools: kubectl CLI, Azure Data Studio
  • 60. Azure Arc-enabled VMware vSphere architecture
  • 61. Azure Arc-enabled VMware vSphere Architecture (diagram)
    • On-Premises Data Center (VMware vSphere): VMware vCenter Server, ESXi Hosts, VM Templates, Virtual Networks, Azure Arc Resource Bridge
    • Microsoft Azure: Azure Resource Manager (ARM) with the ConnectedVMwareVSphere ARM Resource Provider; Azure Arc Resources: Azure Arc-enabled VMware vSphere VMs resources, Azure Arc vCenter Server resource, Azure Arc VM Templates resource, Azure Arc Virtual Networks resource
    • Azure Resources capabilities: Access and Security, Governance & Compliance, Organization & Inventory, Environment & Automation, Management Services – Monitor | Update | Backup and more
  • 64. AKS on Azure Stack HCI Architecture (diagram)
    • Azure Stack HCI Cluster: Physical HCI Nodes with a Hyper-V vSwitch
    • AKS-HCI Management Cluster: System Services (Hyper-V VM-01)
    • AKS-HCI Workload Cluster-01 through Cluster-n (each an Azure Arc enabled Kubernetes cluster): Kubernetes Control Plane running System Services (Hyper-V VM-01, VM-02, VM-03) and Kubernetes Workload Nodes & Applications running User Applications (Hyper-V VM-01, VM-02 through VM-n)
  • 65. AKS on Azure Stack HCI using Azure VM (Nested Virtualization) (diagram)
    • Azure Resource Group: Azure Virtual Network; Azure VM – AKSHCI Hyper-V Host running Windows Server 2019 Datacenter with Hyper-V enabled (Nested Virtualization) and a Hyper-V vSwitch
    • Azure Kubernetes Service (AKS) on Azure Stack HCI Platform Services: Kubernetes Management Cluster (Hyper-V VMs with System Services & Containers); Kubernetes Workload Cluster with a Kubernetes Control Plane and Kubernetes Worker Nodes (each a Hyper-V VM with System Services & Containers)
  • 67. Azure Arc-enabled Kubernetes Onboarding (diagram)
    • Components: On-Premises/Cloud Provider Kubernetes Cluster (API Server, etcd, Cluster Metadata Operator, Resource Sync Operator, Cluster Identity Operator); Azure Resource Manager (ARM), Microsoft.Kubernetes Resource Provider (RP), Azure AD, Managed Identity Service, Hybrid Identity Service, Azure Arc-enabled Kubernetes Data Plane Service, Microsoft Container Registry
    • 1. The K8s Cluster Admin runs az connectedk8s connect
    • 2. Azure CLI PUTs the resource Microsoft.Kubernetes/connectedClusters with the public key (management.azure.com)
    • 3a. Azure CLI uses Helm to deploy the Arc-enabled k8s agents with the onboarding private key; 3b. the state / onboarding private key is saved in the k8s datastore; 3c. the Helm chart is fetched and 3d. the agent images are pulled from Microsoft Container Registry; 3e. the Managed Identity is created; 3f. the Service Principal is created in AAD; 3g. the connectedCluster resource is PUT along with the Managed Identity metadata
    • 4. Identity metadata is sent
    • 5a. The connectedCluster Managed Identity certificate is fetched (uses the onboarding private key to authenticate to eus.his.azure.com); 5b. the identity certificate is fetched from the Managed Identity Service; 5c. the Cluster Identity Operator saves the Azure Identity Certificate
    • 6a. The Cluster Metadata Operator fetches cluster metadata and updates the custom resource; 6b. cluster metadata is pushed (uses the Managed Identity to authenticate to eastus.dp.kubernetesconfiguration.com); 6c. updates in the cluster metadata custom resource are watched for; 6d. the cluster metadata is updated
  • 69. Azure Arc-enabled Kubernetes GitOps Flow (diagram): Any Kubernetes, any Infrastructure
    • Arc Connected Kubernetes Cluster (Google Kubernetes Engine (GKE), Elastic Kubernetes Service (EKS), Rancher K3s, Azure Kubernetes Service on HCI) running the Flux Operator + Helm Operator, with GitOps Configurations pointing at a git Repository
    • Flow: Application V1 (Desired State) in git leads to the Application Deployment; Application Changes are git merged, Flux picks up the changes, Application V2 (New Desired State) is applied and an Application Rolling Update follows
  • 70. Azure Arc-enabled Kubernetes GitOps Configuration (diagram)
    • Components: Admin with Azure CLI; Azure Resource Manager (ARM); Microsoft.KubernetesConfiguration Resource Provider (RP); Azure Arc-enabled Kubernetes Dataplane Service; On-Premises/Cloud Provider Kubernetes Cluster running the Config Agent, controller-manager, Flux Operator, Flux-Helm Operator and Flux-logs agent in a namespace (ns), with the gitconfigs CR config-a, the helmreleases CR release-a and the resulting Helm Release objects (obj-x, obj-y, obj-z); Git Repository holding YAML Files and Helm Releases CRs
    • 1. The Admin runs az k8s-configuration create
    • 2. Azure CLI PUTs the resource Microsoft.Kubernetes/connectedClusters/clusterName/providers/Microsoft.KubernetesConfiguration/sourceControlConfigurations/configName (uses the ARM Extension Resource pattern)
    • 3. ARM PUTs the sourceControlConfiguration resource to the RP
    • 4. The RP stores the sourceControlConfiguration resource
    • 5. The Config Agent GETs pending sourceControlConfiguration resources from the Dataplane Service (uses Managed Identity to authenticate)
    • 6. The Config Agent creates the gitconfigs CR
    • 7. The controller-manager watches gitconfig CRs
    • 8. The controller-manager creates or updates the Flux Operator or Flux-Helm Operator
    • 9. Flux watches the Git repo and creates k8s resources based on raw YAML and helmreleases CRs
    • 10. The Flux-Helm Operator watches helmreleases CRs, pulls the Helm chart and creates the Helm release
    • 11. The Flux-logs agent sends Flux events to the upstream service
    • 12. The Config Agent collects status from Flux
    • 13. The Config Agent POSTs the status for the Flux agents to the Dataplane Service, to be retrieved with a resource GET
  • 71. Azure Arc-enabled Kubernetes AAD RBAC (public preview) (diagram)
    • An Azure AD Entity (User Account/Service Principal) with an Owner Role assignment in Azure runs kubectl get pods against the Azure Arc-enabled Kubernetes Cluster
    • The API Server calls the Guard api with TokenAccessReview and SubjectAccessReview; Guard performs a checkAccess call against Azure and returns allowed/denied
    • If allowed, the API Server returns the list of pods
  • 72. Azure Arc-enabled Kubernetes Cluster Connect (public preview) (diagram)
    • Customer Location (On-Premises/Cloud Provider): Kubernetes Cluster with the API Server, kube-aad-proxy and the Cluster connect-agent, behind the Customer Firewall; the Cluster connect-agent keeps an outbound heartbeat to the Dataplane Service (Hybrid Connections)
    • Azure: an Azure AD Entity (User Account/Service Principal) runs az connectedk8s proxy; the Client-side proxy calls listClusterUserCredentials on the Microsoft.Kubernetes Resource Provider (RP) through Azure Resource Manager (ARM) and reaches the API Server through the Hybrid Connections
  • 73. Azure Arc-enabled Kubernetes Cluster extensions (public preview) (diagram)
    • Components: Admin with Azure CLI; Azure Resource Manager (ARM); Microsoft.KubernetesConfiguration Resource Provider (RP); Azure Arc-enabled Kubernetes Data Plane Service; Azure Container Registry or Microsoft Container Registry; On-Premises/Cloud Provider Kubernetes Cluster running the Config Agent and extension-manager in a namespace (ns), with the extensionconfigs CR and the extension Helm Release objects (obj-x, obj-y, obj-z)
    • 1. The Admin runs az k8s-extension create
    • 2. Azure CLI PUTs the resource Microsoft.Kubernetes/connectedClusters/clusterName/providers/Microsoft.KubernetesConfiguration/extensions/extensionName (uses the ARM Extension Resource pattern)
    • 3. ARM PUTs the extension resource to the RP
    • 4. The RP stores the extension resource
    • 5. The Config Agent GETs pending extension resources from the Data Plane Service (uses Managed Identity to authenticate)
    • 6. GET version (Azure Container Registry or Microsoft Container Registry)
    • 7. The Config Agent creates the extensionconfig CR
    • 8. extension-manager watches extensionconfig CRs
    • 9. extension-manager fetches the Helm chart stored as an OCI artifact
    • 10. extension-manager installs the helm chart
    • 11. The Config Agent collects status
    • 12. The Config Agent POSTs the extension status to the Data Plane Service
  • 74. Azure Arc-enabled Kubernetes Azure Monitor (public preview) (diagram)
    • On each node (node-1, node-2 through node-n) of the Azure Arc-enabled Kubernetes Cluster an oms-agent collects metrics and logs from the pods (pod-a through pod-d)
    • Metrics and logs are sent to Azure Monitor for containers: Workbooks, Log Analytics, Alerts
  • 75. Azure Arc-enabled Kubernetes Microsoft Defender for Cloud (diagram)
    • Azure Arc-enabled Kubernetes cluster: the Control plane nodes run the apiserver, the Worker nodes (node-1, node-2 through node-n) run the pods (pod-a through pod-f); the azure-defender agent collects the apiserver audit logs and sends them to Log Analytics for Microsoft Defender for Cloud
    • Microsoft Defender for Cloud gives the Admin: continuous discovery of Arc-enabled Kubernetes instances; actionable recommendations for security best practices; detection of threats across multi cloud Kubernetes clusters using advanced analytics
  • 76. Azure Arc-enabled Kubernetes Open Service Mesh (Preview) (diagram)
    • arc-osm-system namespace on the Azure Arc-enabled Kubernetes cluster: osm-controller pod (Certificate manager, Mesh Catalog, Endpoints provider, Mesh specification, Proxy control plane, Discovery service), osm-config ConfigMap, osm-controller ValidatingWebhookConfiguration, osm-injector MutatingWebhookConfiguration, osm-injector Deployment, osm-injector Service
    • Application pod-1 and pod-2 each run an envoy sidecar connected to the osm-controller over a gRPC stream; the controller reads the SMI API from the apiserver
  • 77. Azure Arc-enabled Kubernetes Azure Policy (Gatekeeper) (diagram)
    • The azure-policy-addon on the Azure Arc-enabled Kubernetes Cluster fetches policy definitions & assignments from the Azure Policy Service and reports compliance; it deploys Gatekeeper (OPA) and creates the PolicyTemplate CRD, PolicyInstance CRD and Config resources, which Gatekeeper watches
    • A Calling entity runs kubectl apply -f privileged.yaml; the API Server sends an AdmissionReview request to Gatekeeper, which returns an AdmissionReview response with allowed: false, and the request is Denied
    • Resource kinds covered: Pod, Deployment, Service, Ingress, CRD, Config
  • 81. Excerpt of PPT technique tips
    • When copying and pasting, "Use destination theme" and "Keep source formatting" give different results
    • The Arc diagrams use the "Tenorite" font
    • The base font size is 11
    • How to build a box template: make one, then copy and paste its format to the rest (sample box labelled "This is a box")
  • 82. Excerpt of PPT technique tips
    • Keep the number of colors small
    • Wrap text only where the break makes sense
    • Use the correct icons
      • Use the ones from the Azure Arc diagram PPT
      • The Kubernetes icons have a repository on GitHub: community/icons at master · kubernetes/community · GitHub
      • Azure also has an official icon set (but it is updated slowly): Azure icons - Azure Architecture Center | Microsoft Docs
      • Someone publishes, and keeps updating, Visio stencils in addition to icons: GitHub - David-Summers/Azure-Design: My Azure stencil collection for Visio. Highly functional and always up to date.
    • Make good use of grouping text and icons (the shortcut is Ctrl-G)
  • 83. Excerpt of PPT technique tips
    • Make good use of grouping text and icons (the shortcut is Ctrl-G; ungroup is Ctrl-Shift-G)
    • Box sizes are best kept uniform
      • Check the height and width of the box with the most text under "Shape Format" and match the others to it
    • Keep the spacing between shapes uniform too; PowerPoint shows you when it matches (sample: three boxes labelled "Azure Active Directory")
  • 84. Excerpt of PPT technique tips
    • Keep icon sizes uniform too (height and width can be checked and set)
    • Be deliberate about where icons are placed inside boxes
    • Use arrows to express relationships
      • A thickness of up to 1pt is recommended
      • Using arrows to show a "sequence of work" is not good; they are appropriate for dependencies between services and the like
      • Curved lines are hard to handle, so it is better not to use them
      • Writing the relationship as text on the arrow is good
        • Vertically centered text placement is recommended
        • Adding an icon alongside the text is even better; in that case too, align its height etc. with the surrounding objects as much as possible
      • When using elbow connectors, bend them right next to the starting point rather than in the middle
    • Align positions as much as possible; use PowerPoint's guides
  • 85. Excerpt of PPT technique tips
    • When enclosing several shapes in a frame, group the inner shapes together first
      • PowerPoint's guides can be used when positioning
    • After arranging the overall layout, tidy up the colors
    • When describing an action, make its subject explicit
    • When expressing something with animation, 0.3 seconds is recommended
    • High-resolution export is possible when saving as JPEG etc.
      • Change the registry
      • How to export high-resolution (high-dpi) slides from PowerPoint - Office | Microsoft Docs