Azure Arc (Hybrid and Multi-Cloud)
Not every organization runs entirely in Azure. Many have servers in on-premises data centers, some workloads on AWS or Google Cloud, and the rest in Azure. Managing all these environments separately with different tools creates complexity, inconsistency, and governance gaps. Azure Arc extends Azure's management, governance, and security capabilities to any infrastructure — anywhere in the world — making Azure the single control plane for the entire hybrid and multi-cloud estate.
What is Azure Arc?
Azure Arc projects non-Azure resources (on-premises servers, AWS VMs, GCP instances, Kubernetes clusters) into Azure as Azure resources. Once a resource is Arc-enabled, it appears in the Azure Portal, can be governed with Azure Policy, monitored with Azure Monitor, secured with Defender for Cloud, and managed with the same tools used for native Azure resources.
Azure Arc Overview Diagram
┌─────────────────────────────────────────────────────────────────┐
│                       Azure Control Plane                       │
│  Azure Portal | Azure Policy | Azure Monitor | Defender | RBAC  │
└───────────────────────────────┬─────────────────────────────────┘
                                │ Azure Arc
          ┌─────────────────────┼─────────────────────┐
          │                     │                     │
          ▼                     ▼                     ▼
┌──────────────────┐  ┌──────────────────┐  ┌──────────────────┐
│   On-Premises    │  │       AWS        │  │   Google Cloud   │
│   Data Center    │  │                  │  │                  │
│  ─────────────   │  │  EC2 Instances   │  │  GCE Instances   │
│  Windows Servers │  │  EKS Clusters    │  │  GKE Clusters    │
│  Linux Servers   │  │                  │  │                  │
│  VMware VMs      │  └──────────────────┘  └──────────────────┘
│  Kubernetes      │
└──────────────────┘
All managed through Azure as if they were native Azure resources
Azure Arc-Enabled Servers
Azure Arc-Enabled Servers lets you manage Windows and Linux physical servers or VMs located anywhere (on-premises, AWS, GCP) through the Azure Portal and Azure APIs.
How It Works
- Install the Azure Connected Machine agent on the server. The agent is a lightweight service that establishes an outbound HTTPS connection to Azure — no inbound port changes needed.
- The server registers itself with Azure and appears as an Azure resource in the specified resource group.
- The server can now be managed using Azure tools — Azure Policy, Azure Monitor, Defender for Cloud, Log Analytics, Update Management, Automation, and Extensions.
Capabilities Unlocked for Arc-Enabled Servers
- Azure Policy: Enforce compliance policies on non-Azure servers — e.g., audit if required software is installed.
- Azure Monitor: Collect performance metrics and logs from on-premises servers in a central Log Analytics Workspace.
- Defender for Cloud: Extend threat detection and security recommendations to on-premises and multi-cloud servers.
- Update Management: Schedule and track OS updates across all servers regardless of location.
- VM Extensions: Install extensions like Log Analytics agent, Dependency agent, or Azure Monitor agent using the same mechanism as Azure VMs.
- Azure Automation: Run runbooks and configuration management (DSC) against non-Azure servers.
Azure Arc-Enabled Kubernetes
Azure Arc-Enabled Kubernetes lets you attach any Kubernetes cluster, whether it runs on-premises, in AWS (EKS), or in Google Cloud (GKE), to Azure for centralized management.
Capabilities
- GitOps: Deploy and manage Kubernetes workloads using GitOps — configuration is stored in Git, and Azure Arc continuously syncs the cluster state to match. No direct kubectl access to the cluster is needed.
- Azure Policy for Kubernetes: Enforce policies across all clusters — e.g., no privileged containers allowed, all containers must use images from approved registries.
- Azure Monitor Container Insights: View container performance metrics and logs from all clusters in one place.
- Defender for Containers: Extend threat detection to non-AKS Kubernetes clusters.
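The two policies named above (no privileged containers, images only from approved registries) are delivered to each Arc-connected cluster as Gatekeeper constraints by Azure Policy. The following Python is an added example written here, not Azure Policy's or Gatekeeper's own code: it runs the equivalent check logic over constructed pod manifests, covering init and ephemeral containers and the implicit docker.io registry that a check on `spec.containers` alone would miss. The allowlist and manifests are constructed sample data.

```python
# Added illustration, not Azure Policy's own code; allowlist and manifests are constructed.
from __future__ import annotations

APPROVED_REGISTRIES = {"contoso.azurecr.io", "mcr.microsoft.com"}


def image_registry(image: str) -> str:
    """Registry host of an image reference. Per Docker's reference grammar the
    first path segment is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image implicitly comes from docker.io."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def all_containers(pod: dict) -> list[dict]:
    """Init and ephemeral containers run with the same privileges as regular
    ones, so a check that only inspects spec.containers can be bypassed."""
    spec = pod.get("spec", {})
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def evaluate_pod(pod: dict, approved: set[str] = APPROVED_REGISTRIES) -> list[str]:
    """One violation message per offending container; an empty list is compliant."""
    violations = []
    for c in all_containers(pod):
        name = c.get("name", "<unnamed>")
        if c.get("securityContext", {}).get("privileged") is True:
            violations.append(f"{name}: privileged container not allowed")
        registry = image_registry(c.get("image", ""))
        if registry not in approved:
            violations.append(f"{name}: image registry {registry!r} not approved")
    return violations


# Constructed sample manifests, trimmed to the fields the two policies inspect.
COMPLIANT_POD = {"spec": {"containers": [
    {"name": "api", "image": "contoso.azurecr.io/payments/api:3.2.1",
     "securityContext": {"privileged": False}},
    {"name": "sidecar", "image": "mcr.microsoft.com/oss/fluent/fluent-bit:2.1"}]}}

NONCOMPLIANT_POD = {"spec": {
    "containers": [{"name": "web", "image": "nginx:latest"}],  # implicit docker.io
    "initContainers": [{"name": "init-sysctl", "securityContext": {"privileged": True},
                        "image": "mcr.microsoft.com/cbl-mariner/base/core:2.0"}],
    "ephemeralContainers": [{"name": "debug", "image": "localhost:5000/debug:dev"}]}}

if __name__ == "__main__":
    for label, pod in (("compliant", COMPLIANT_POD), ("noncompliant", NONCOMPLIANT_POD)):
        print(label, evaluate_pod(pod) or "OK")
```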
Azure Arc-Enabled Data Services
Azure Arc-Enabled Data Services lets you run Azure data services, specifically Azure SQL Managed Instance and PostgreSQL Hyperscale, on any Kubernetes cluster, anywhere. This brings the cloud database experience (automated updates, elastic scaling, built-in HA) to on-premises or edge environments where data residency laws or latency requirements rule out a cloud-hosted database.
Use Case Example
A bank in a country where banking data must remain on-premises can run Azure SQL Managed Instance on its own servers using Azure Arc, while still managing it through the Azure Portal with the same tools and policies used for cloud resources.
Azure Arc vs Azure Stack
| Product | Purpose | What It Does |
|---|---|---|
| Azure Arc | Extend Azure management to existing infrastructure | Brings Azure governance/security/monitoring to any server or Kubernetes cluster |
| Azure Stack Hub | Run Azure cloud services on-premises | An Azure-branded hardware appliance that runs Azure services (VMs, App Service, etc.) in a private data center |
| Azure Stack HCI | Hyper-converged infrastructure for VMs | On-premises virtualization platform that integrates with Azure for backup, monitoring, and DR |
| Azure Stack Edge | Edge computing appliance | Microsoft-managed hardware for running AI and data processing workloads at the network edge (factories, retail stores) |
Key Takeaways
- Azure Arc makes Azure the single control plane for servers, Kubernetes clusters, and data services running anywhere — on-premises, AWS, or GCP.
- Arc-Enabled Servers require only the Connected Machine agent — no inbound firewall changes — and unlock Azure Monitor, Policy, Defender, and Automation for any server.
- Arc-Enabled Kubernetes supports GitOps-based deployment and extends Azure Policy and monitoring to any Kubernetes cluster.
- Arc-Enabled Data Services brings Azure SQL Managed Instance and PostgreSQL to on-premises environments for data residency compliance.
- Azure Arc is about management extension; Azure Stack is about bringing full Azure cloud services to on-premises hardware.
