In this post I want to show step by step how you can onboard your on-premise VMware vSphere infrastructure to Azure by using Azure Arc-enabled VMware vSphere.

When onboarding the on-premise VMware vSphere infrastructure to Azure Arc-enabled VMware vSphere, you can install the Arc agent at scale, which simplifies onboarding the entire VMware vSphere estate to various Azure services like Microsoft Defender for Cloud, Azure Monitor, Azure Update Manager, and Azure Policy.

Azure Arc-enabled VMware vSphere is an Azure Arc service that helps you simplify management of hybrid IT estate distributed across VMware vSphere and Azure. It does so by extending the Azure control plane to VMware vSphere infrastructure and enabling the use of Azure security, governance, and management capabilities consistently across VMware vSphere and Azure.

Source: https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/overview


As mentioned, you also need to onboard your on-premise machines to Azure Arc if you want to protect them with Microsoft Defender for Cloud, or more specifically Microsoft Defender for Servers. How to onboard them to Microsoft Defender for Servers is covered in my following post.




Introduction

Arc-enabled VMware vSphere allows you to:

  • Discover your VMware vSphere estate (VMs, templates, networks, datastores, clusters/hosts/resource pools) and register resources with Arc at scale.
  • Perform various virtual machine (VM) operations directly from Azure, such as create, resize, delete, and power cycle operations such as start/stop/restart on VMware VMs consistently with Azure.
  • Empower developers and application teams to self-serve VM operations on-demand using Azure role-based access control (RBAC).
  • Install the Arc-connected machine agent at scale on VMware VMs to govern, protect, configure, and monitor them.
  • Browse your VMware vSphere resources (VMs, templates, networks, and storage) in Azure, providing you with a single pane view for your infrastructure across both environments.

Source: https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/overview


There are several different ways you can connect your existing Windows and Linux machines to Azure Arc:

  • Azure Arc-enabled servers
  • Azure Arc-enabled VMware vSphere
  • Azure Arc-enabled System Center Virtual Machine Manager (SCVMM)
  • Azure Stack HCI

For more information regarding the different services Azure Arc offers, see Choosing the right Azure Arc service for machines.



Arc-enabled VMware vSphere vs. Arc-enabled Servers

  • Azure Arc-enabled servers interact on the guest operating system level, with no awareness of the underlying infrastructure fabric and the virtualization platform that they’re running on. Since Arc-enabled servers also support bare-metal machines, there can, in fact, not even be a host hypervisor in some cases.
  • Azure Arc-enabled VMware vSphere is a superset of Arc-enabled servers that extends management capabilities beyond the guest operating system to the VM itself. This provides lifecycle management and CRUD (Create, Read, Update, and Delete) operations on a VMware vSphere VM. These lifecycle management capabilities are exposed in the Azure portal and look and feel just like a regular Azure VM. Azure Arc-enabled VMware vSphere also provides guest operating system management—in fact, it uses the same components as Azure Arc-enabled servers.

You have the flexibility to start with either option, and incorporate the other one later without any disruption. With both the options, you enjoy the same consistent experience.

Azure Arc-enabled VMware vSphere supports vCenters with a maximum of 9500 VMs. If your vCenter has more than 9500 VMs, we don’t recommend you to use Arc-enabled VMware vSphere with it at this point.

Source: https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/overview#how-is-arc-enabled-vmware-vsphere-different-from-arc-enabled-servers




Connect VMware vCenter Server to Azure Arc

To onboard our VMware vSphere infrastructure to Azure Arc we first need to deploy the Azure Arc resource bridge in our vSphere environment.

Azure Arc resource bridge is a virtual appliance that hosts the components that communicate with your vCenter Server and Azure.

When a VMware vCenter Server is connected to Azure, an automatic discovery of the inventory of vSphere resources is performed. This inventory data is continuously kept in sync with the vCenter Server.

All guest OS-based capabilities are provided by enabling guest management (installing the Arc agent) on the VMs. Once guest management is enabled, VM extensions can be installed to use the Azure management capabilities. You can perform virtual hardware operations such as resizing, deleting, adding disks, and power cycling without guest management enabled.

Source: https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/overview#how-does-it-work


To deploy the Azure Arc resource bridge we need the following prerequisites.

  • An Azure subscription.
  • A resource group in the subscription where you have the Owner, Contributor, or Azure Arc VMware Private Clouds Onboarding role for onboarding.
  • Azure Arc resource bridge IP needs access to the URLs listed here.
  • vCenter Server version 7 or 8.
  • A virtual network that can provide internet access, directly or through a proxy. It must also be possible for VMs on this network to communicate with the vCenter server on a TCP port (usually 443).
  • At least three free static IP addresses on the above network.
  • A resource pool or a cluster with a minimum capacity of 16 GB of RAM and four vCPUs.
  • A datastore with a minimum of 200 GB of free disk space available through the resource pool or cluster.
  • vSphere account that can read all inventory.
  • vSphere account that can deploy and update VMs to all the resource pools (or clusters), networks, and VM templates that you want to use with Azure Arc.


As part of the Azure Arc-enabled VMware onboarding script, you will be prompted to provide a vSphere account to deploy the Azure Arc resource bridge VM on the ESXi host. This account will be stored locally within the Azure Arc resource bridge VM and encrypted as a Kubernetes secret at rest. The vSphere account allows Azure Arc-enabled VMware to interact with VMware vSphere. If your organization practices routine credential rotation, you must update the credentials in Azure Arc-enabled VMware to maintain the connection between Azure Arc-enabled VMware and VMware vSphere.


You need a Windows or Linux machine that can access both your vCenter Server instance and the internet, directly or through a proxy. The workstation must also have outbound network connectivity to the ESXi host backing the datastore. Datastore connectivity is needed for uploading the Arc resource bridge image to the datastore as part of the onboarding.

Source: https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/quick-start-connect-vcenter-to-arc-using-script
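Before running the onboarding script it is worth verifying the connectivity the prerequisites above demand from the workstation: vCenter and the ESXi host on TCP 443, the Azure endpoints (directly or via proxy), and the process-scoped execution policy. The following pre-flight check is an added example, not part of the original post or of Microsoft's script; the hostnames are constructed placeholders, and the two Azure URLs are only a sample of the full list linked in the prerequisites.

```powershell
# Added pre-flight check (not from the original post or the Microsoft onboarding script).
# Run on the Windows workstation before resource-bridge-onboarding-script.ps1.
$vCenter  = 'vcenter.lab.example'   # assumed vCenter FQDN (placeholder)
$EsxiHost = 'esxi01.lab.example'    # assumed ESXi host backing the datastore (placeholder)
$Proxy    = $null                   # e.g. 'http://proxy.lab.example:8080' if outbound goes via proxy

# Sample of Azure endpoints the script/bridge must reach; the complete list is in the
# URL requirements page referenced in the prerequisites.
$AzureUrls = @('https://management.azure.com', 'https://login.microsoftonline.com')

$results = @()

# TCP reachability: vCenter for the script and bridge, ESXi host for the image upload
foreach ($h in @($vCenter, $EsxiHost)) {
    $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "TCP 443 -> $h"; Passed = [bool]$ok }
}

# HTTPS reachability honouring an explicit proxy; an HTTP error (401/403/404) still
# proves the endpoint was reached, a failure with no response means DNS/proxy/firewall
foreach ($u in $AzureUrls) {
    try {
        $p = @{ Uri = $u; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 10 }
        if ($Proxy) { $p.Proxy = $Proxy }
        $null = Invoke-WebRequest @p
        $ok = $true
    } catch {
        $ok = $null -ne $_.Exception.Response
    }
    $results += [pscustomobject]@{ Check = "HTTPS -> $u"; Passed = $ok }
}

# The onboarding script is unsigned, so the process-scoped policy must be Bypass
$results += [pscustomobject]@{
    Check  = 'ExecutionPolicy (Process scope) = Bypass'
    Passed = (Get-ExecutionPolicy -Scope Process) -eq 'Bypass'
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'Fix the failed checks before running resource-bridge-onboarding-script.ps1'
}
```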



Deploy the Azure Arc resource bridge in vSphere

On your vCenter first create a resource pool with a reservation of at least 16 GB of RAM and four vCPUs. It should also have access to a datastore with at least 100 GB of free disk space. Ensure that the vSphere accounts have the appropriate permissions.

In the Azure portal search for Azure Arc and select it.


Within Azure Arc select on the left menu VMware vCenters.


To install the Azure Arc resource bridge in our vSphere environment we can use a helper script. For this we select Create a new resource bridge, which generates a script that deploys a new resource bridge in our on-premises vCenter Server.


Next, enter a name for the resource bridge and select the subscription in which it should be created. We also need to select a region and provide a custom location name and a vCenter name. We will see these names later when deploying VMs from Azure into vSphere, so name them after the datacenter or the physical location of your datacenter.

Leave Use the same subscription and resource group as your resource bridge selected.


Optionally, we can also assign Azure tags to our resources.


If your subscription isn’t registered with all the required resource providers, a Register button will appear. Click on Register.


This will take a few minutes to complete.


Download and run the script.

Based on the operating system of your workstation, download the PowerShell or Bash script and copy it to the workstation.


Below I will use a Windows workstation and therefore the PowerShell script.

Now we need to open PowerShell on a local machine (my workstation) that has access to both vCenter and Azure, and then run the script we downloaded previously.

As the script runs, you’ll be asked for your Azure and vCenter credentials in addition to other onboarding details.

Run the following command to allow the script to run, because it’s an unsigned script. (If you close the session before you complete all the steps, run this command again for the new session.)

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass


Finally, run the script by entering:

./resource-bridge-onboarding-script.ps1



All inputs you are prompted for during execution of the script are described here: https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/quick-start-connect-vcenter-to-arc-using-script#inputs-for-the-script.





Finally the Azure Arc resource bridge (virtual appliance) is created successfully in my vSphere environment and also connected to Azure.


In the Azure portal under Home -> Azure Arc -> VMware vCenters we can check the status of our Azure Arc resource bridge (virtual appliance) to see if it is successfully connected to Azure Arc.


Here you can see the above deployed Arc resource bridge (virtual appliance) running in my on-premise vSphere environment.



Enable VMware vCenter Resources in Azure

After we’ve connected our VMware vCenter to Azure, we can browse our vCenter inventory from the Azure portal as shown below.

Visit the VMware vCenter blade in Azure Arc center to view all the connected vCenters. From there, you’ll browse your virtual machines (VMs), resource pools, templates, and networks. From the inventory of your vCenter resources, you can select and enable one or more resources in Azure. When you enable a vCenter resource in Azure, it creates an Azure resource that represents your vCenter resource. You can use this Azure resource to assign permissions or conduct management operations.

Source: https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/browse-and-enable-vcenter-resources-in-azure


All virtual machines running on-premise in vSphere.


All resource pools, clusters and hosts in vSphere.


All datastores in my on-premise vSphere environment.



We can now enable our existing virtual machines running in our on-premise vSphere environment in Azure in order to onboard them to various Azure services like Microsoft Defender for Cloud, Azure Monitor, Azure Update Manager, and Azure Policy.

Enabling Azure Arc on a VMware vSphere resource is a read-only operation on vCenter. That is, it doesn’t make changes to your resource in vCenter.

To enable VM templates, VMware tools must be installed on them. If not installed, the Enable in Azure option will be grayed out.

Source: https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/browse-and-enable-vcenter-resources-in-azure#enable-resource-pools-clusters-hosts-datastores-networks-and-vm-templates-in-azure


To enable existing virtual machines running in our on-premise vSphere environment in Azure, we can browse to the vCenter blade in the Azure portal and select the virtual machines menu as shown below.


Navigate to the VM inventory resource blade, select the VMs you want to enable, and then select Enable in Azure.

Below for example I want to enable my on-premise virtual machine named W2K22-SRV01 in Azure.


Select your Azure Subscription and Resource Group.

Optionally, enable guest management to install the Azure Arc connected machine agent.

The guest agent is the Azure Arc connected machine agent. You can install this agent later by selecting the VM in the VM inventory view on your vCenter and selecting Enable guest management. For information on the prerequisites of enabling guest management, see Manage VMware VMs through Arc-enabled VMware vSphere.

Source: https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/browse-and-enable-vcenter-resources-in-azure#enable-existing-virtual-machines-in-azure


I will also directly enable guest management for my virtual machine.



From now on my enabled virtual machine appears as a link, shown below, which we can click to manage the virtual machine in the Azure portal.



On the virtual machine itself we can see that the Azure Connected Machine Agent has been installed.


Further, there is an additional Windows service named Azure Arc Proxy, which acts as a forward proxy used by the Azure Arc agents and extensions.
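To confirm from inside the guest that the Azure Connected Machine Agent and the Azure Arc Proxy service described above are present and that the machine is projected to the Azure subscription we intended, the following check can be run on the VM. It is an added example and not part of the original post or the agent's own tooling; the service display names and the local metadata endpoint are assumed from the agent's defaults, and the expected subscription ID is a constructed placeholder.

```powershell
# Added post-install verification (not from the original post). Run inside the Arc-enabled VM.
$ExpectedSubscription = '00000000-0000-0000-0000-000000000000'   # placeholder: your subscription ID

# Windows services installed by the Azure Connected Machine Agent (display names assumed
# from the agent's defaults; 'Azure Arc Proxy' is the forward proxy for agents/extensions)
$services = @(
    'Azure Hybrid Instance Metadata Service',
    'Guest Configuration Arc Service',
    'Guest Configuration Extension Service',
    'Azure Arc Proxy'
)
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name : not installed"; continue }
    '{0,-42} {1}' -f $name, $svc.Status
}

# The agent serves an Arc flavour of the Azure Instance Metadata Service on localhost
# (assumed default port 40342). It records which Azure resource this machine maps to,
# so it is the place to catch a VM onboarded into the wrong subscription.
try {
    $imds = Invoke-RestMethod -Headers @{ Metadata = 'true' } -TimeoutSec 5 `
        -Uri 'http://localhost:40342/metadata/instance/compute?api-version=2020-06-01'
    "Resource ID : $($imds.resourceId)"
    "Location    : $($imds.location)"
    if ($imds.subscriptionId -ne $ExpectedSubscription) {
        Write-Warning "Connected to subscription $($imds.subscriptionId), expected $ExpectedSubscription"
    }
} catch {
    Write-Warning "Arc IMDS not reachable: $($_.Exception.Message)"
}

# azcmagent is the agent's CLI; 'show' prints agent version, status and connection details
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" show
```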



From now on we can perform VM operations on VMware VMs through Azure. More about this can be found here: https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/perform-vm-ops-through-azure.

Further we can now onboard these virtual machines to various Azure services like Microsoft Defender for Cloud, Azure Monitor, Azure Update Manager, and Azure Policy.





Links

Enable your VMware vCenter resources in Azure
https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/browse-and-enable-vcenter-resources-in-azure

What is Azure Arc-enabled VMware vSphere?
https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/overview

Features On Demand
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-v2–capabilities?view=windows-11

Connect hybrid machines to Azure using a deployment script
https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal

Enable additional capabilities on Arc-enabled Server machines by linking to vCenter
https://learn.microsoft.com/en-us/azure/azure-arc/vmware-vsphere/enable-virtual-hardware