Enable Extensions on Azure Arc Connected Machines with Ansible Automation Platform

Last year, I blogged about how to use Red Hat Ansible Automation Platform to migrate Azure Arc-enabled servers from Azure Log Analytics Agents (MMA/OMS) to Azure Monitor Agent (AMA).  Azure Arc supports a number of other extensions that can add additional value to your Arc-enabled infrastructure.  Since my previous article, all of these extensions have been added to the azure.infrastructure_config_demos collection that contains a role for managing Arc-enabled server VM extensions with Ansible.

Each extension offers unique capabilities to your Arc-enabled fleet, such as logging, vulnerability scanning, key vault cert sync, update management, and more.  Enabling these extensions is simple for small numbers of machines. When you need to scale out the work of enabling and configuring these extensions across hundreds or thousands of devices, then Ansible Automation Platform can help!

This article covers how to use Ansible Automation Platform to enable VM extensions supported in the azure.infrastructure_config_demos collection.  Within the collection, there are a number of playbooks and roles; the following are pertinent to this post.

File or Folder                       Description
playbook_enable_arc_extension.yml    Playbook that will be used as a job template to enable Azure Arc extensions.
playbook_disable_arc_extension.yml   Playbook that will be used as a job template to disable Azure Arc extensions.
roles/arc                            Ansible role that contains the reusable automation leveraged by the playbooks.

The examples in this blog target Linux hosts.

Prerequisites

Azure Arc

Ensure that you have followed Microsoft’s instructions to enable your subscription for Azure Arc extensions.

Ensure that the Azure Connected Machine agent is installed on the machines that you intend to deploy the Microsoft Defender (MDE) extension, or any other extension, to.  This article does not cover installation of the Connected Machine agent, but you may review my previous article that covers using this same collection to onboard servers to Azure Arc.

Automation controller

This post assumes that you are using Ansible Automation Platform 2.x.  This blog is applicable to both self-managed Ansible Automation Platform and Red Hat Ansible Automation Platform on Microsoft Azure.

Automation execution environment

In order to leverage the examples in this article, you will need an automation execution environment with both the Azure Collection and the Azure CLI installed since both are used in running the automation.

If you do not have an automation execution environment that meets the requirements, then you may use this example.  You may also use the following execution environment, which includes both the Azure collection and the Azure CLI: quay.io/scottharwell/cloud-ee:latest

Building and configuring automation execution environments is outside the scope of this article, but there is other content specifically devoted to that topic.

Azure Resource Manager credential

You will need to have a working account credential configured in Ansible Automation Platform for the Azure Resource Manager.  Your credential is what is used by Ansible Automation Platform to authenticate operations using the Azure Collection and the Azure CLI.

Configuring the Content

To use azure.infrastructure_config_demos in automation controller, set up a project with the repository using the following steps.

Create a Project

  1. Login to automation controller.
  2. Click “Projects” from the left menu.
  3. Click “Add”.
  4. Fill out the form as follows:
    1. Name: Content Lab – Azure Infrastructure Configuration Collection
    2. Automation execution environment: <Select the execution environment with the Azure Collection and CLI installed>
    3. Source Control Type: Git
    4. Source Control URL: https://github.com/ansible-content-lab/azure.infrastructure_config_demos.git
  5. Click “Save”.

Once you save the project, then it should be synchronized with automation controller.

Create job templates

The project that you created from the azure.infrastructure_config_demos collection contains example playbooks that implement the reusable content implemented in roles.  You may learn more about the individual roles in the collection by viewing the README.md file included with the collection.  Within the collection, the following mapping has been performed to make it easy to identify which extension you want to enable.

Extension                                                        Extension Variable Name
Microsoft Defender for Cloud integrated vulnerability scanner    microsoft_defender
Custom Script extension                                          custom_script
Log Analytics agent                                              log_analytics_agent
Azure Monitor for VMs (insights)                                 azure_monitor_for_vms
Azure Key Vault Certificate Sync                                 azure_key_vault
Azure Monitor Agent                                              azure_monitor_agent
Azure Automation Hybrid Runbook Worker extension                 azure_hybrid_runbook

The following templates need to be created in order to enable or disable Azure Arc-enabled server VM extensions. Note that Azure Arc supports additional VM extensions that are not included in this collection; they are outlined in Microsoft's documentation on VM extension management with Azure Arc-enabled servers.

Enable Arc VM Extensions

This playbook is responsible for enabling an Azure Arc-enabled server VM extension on the hosts that you identify.  Azure Arc only supports enabling or disabling a single extension at a time, and this process can take a while.  If you attempt to enable or disable another VM extension with this job template prior to Azure completing this process, then the template will report an error.

Once the job template has run, it may take minutes to hours for each machine to report that the extension is operational.  Once the extension is operational, then this job template can be run again with another extension and will not report an error.

Follow these steps to create the job template.

  1. Click “Templates” on the right menu.
  2. Click the “Add” button.
  3. Select “Add job template”.
  4. Fill out the following fields:
    1. Name: Content Lab – Enable Arc Extension
    2. Job Type: Run
    3. Inventory: localhost
    4. Project: Content Lab – Azure Infrastructure Configuration Collection
    5. Playbook: playbook_enable_arc_extension.yml
    6. Credentials:
      1. <Your Azure Resource Manager Credential>

Variables:

---
resource_group: <your_resource_group>
region: <your_region>
arc_hosts:
  - <first_arc_host>
  - <second_arc_host>
extension: microsoft_defender

Note: Change the resource group and arc_hosts to match the names of your Azure resources.  If you have a large number of Arc hosts, then you can use a Jinja2 expression to extract the arc_hosts list from your inventory sources.

  1. Check the “Prompt on launch” checkbox for Variables so that you can change the extension at run time.
  2. Click “Save”.

Disable Arc VM Extensions

This playbook is responsible for disabling an Azure Arc extension on the hosts that you identify.  Azure Arc only supports enabling or disabling a single extension at a time, and this process can take a while.  If you attempt to enable or disable another extension with this job template prior to Azure completing this process, then the template will report an error.

Once the job template has run, it may take minutes to hours for each machine to report that the extension has been removed.  Once the extension is disabled, then this job template can be run again with another extension and will not report an error.

Follow these steps to create the job template.

  1. Click “Templates” on the right menu.
  2. Click the “Add” button.
  3. Select “Add job template”.
  4. Fill out the following fields:
    1. Name: Content Lab – Disable Arc Extension
    2. Job Type: Run
    3. Inventory: localhost
    4. Project: Content Lab – Azure Infrastructure Configuration Collection
    5. Playbook: playbook_disable_arc_extension.yml
    6. Credentials:
      1. <Your Azure Resource Manager Credential>

Variables:

---
resource_group: <your_resource_group>
region: <your_region>
arc_hosts:
  - <first_arc_host>
  - <second_arc_host>
extension: microsoft_defender

Note: Change the resource group and arc_hosts to match the names of your Azure resources.  If you have a large number of Arc hosts, then you can use a Jinja2 expression to extract the arc_hosts list from your inventory sources.

  1. Check the “Prompt on launch” checkbox for variables so that you can change the extension at run time.
  2. Click “Save”.

Running the Automation

Now that you have the job templates created, you can enable or disable Arc extensions by simply changing the name of the extension variable.  The Azure Arc extensions are mapped in the “arc” role in the file at this link.

When you click the “launch” 🚀 icon, the job template will ask you to confirm that the variables are accurate.  To enable the Microsoft Defender extension, ensure that the extension parameter is set to microsoft_defender.  Use the table above to map the extension variable name to the Azure Arc extension that you wish to deploy.  Then, click “Next” and then “Launch” to start the job template.

If no errors are reported, then the Microsoft Defender extension will be enabled and active after a short period of time on these servers.  You can monitor the progress of each extension through the Azure portal.

Next, enable other Azure Arc-enabled server VM extensions using the same role!  You simply need to change the extension variable to enable a different extension.  Similarly, you can use the Disable Arc Extension job template that you created in order to disable an extension that you no longer require.
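Two points above deserve a worked example: building arc_hosts from inventory with a Jinja2 expression instead of typing host names, and the caveat that a second extension operation fails while Azure is still processing the previous one.  The playbook below is an added example and is not part of the azure.infrastructure_config_demos collection or its arc role.  It assumes an inventory group named arc_linux that contains the Arc-enabled hosts (so the job template's inventory must include that group, not only localhost), that the execution environment's Azure CLI has the connectedmachine CLI extension installed and is already authenticated with the Azure Resource Manager credential, and that `az connectedmachine extension list --output json` reports a provisioningState field on each extension (assumed field name).  It runs as a pre-flight check before launching the Enable or Disable Arc Extension job template.

```yaml
---
# Added pre-flight example; not the collection's own playbook or role code.
# Assumptions: inventory group "arc_linux" holds the Arc-enabled hosts,
# "az connectedmachine" is available and authenticated, and each extension
# record in the CLI's JSON output carries a "provisioningState" field.
- name: Verify no Arc extension operation is still in progress
  hosts: localhost
  gather_facts: false
  vars:
    resource_group: <your_resource_group>
    region: <your_region>
    extension: microsoft_defender
    # Jinja2 expression: derive the host list from inventory rather than
    # hand-typing it; default([]) keeps the play valid if the group is empty.
    arc_hosts: "{{ groups['arc_linux'] | default([]) }}"

  tasks:
    - name: Stop early if the inventory group produced no hosts
      ansible.builtin.assert:
        that:
          - arc_hosts | length > 0
        fail_msg: "No hosts found in the arc_linux inventory group"

    - name: List the extensions currently installed on each Arc host
      ansible.builtin.command: >
        az connectedmachine extension list
        --machine-name {{ item }}
        --resource-group {{ resource_group }}
        --output json
      loop: "{{ arc_hosts }}"
      register: ext_list
      changed_when: false

    # Azure accepts only one extension operation per machine at a time, so
    # refuse to continue while any extension is not yet in the Succeeded state
    # (Creating, Updating, Deleting, or Failed all block the next run).
    - name: Refuse to continue while any extension is still being processed
      ansible.builtin.assert:
        that:
          - >-
            item.stdout | from_json
            | map(attribute='provisioningState')
            | reject('equalto', 'Succeeded') | list | length == 0
        fail_msg: >-
          {{ item.item }} has extensions in states
          {{ item.stdout | from_json | map(attribute='provisioningState') | list }};
          wait until all report Succeeded before enabling {{ extension }}
      loop: "{{ ext_list.results }}"
      loop_control:
        label: "{{ item.item }}"

    - name: Report the hosts that are ready for the next extension operation
      ansible.builtin.debug:
        msg: "{{ arc_hosts }} are clear; safe to launch the job template with extension={{ extension }}"
```

Save this as its own job template using the same Azure Resource Manager credential and the same Variables block as the Enable template; a failed assert names the host and the offending provisioning states so you can see from automation controller, rather than the Azure portal, which machines still need time.  The `arc_hosts` expression shown in `vars` can also be pasted directly into the job template's Variables field in place of the hand-written list.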

Conclusion

After following the steps in this post, you have created a job template that can enable Azure Arc extensions on your fleet of Arc-enabled Linux servers.  This example took advantage of content from the Ansible Content Lab for Cloud Automation to make implementation fast and easy.  You may submit content ideas to the Ansible Content Lab for Cloud Content here.

Originally posted on Ansible Blog
Author: Scott Harwell
