The Azure Connected Machine Agent is a powerful tool that allows you to manage and monitor your IoT devices in the cloud. It's a lightweight agent that can be deployed on a wide range of devices, from industrial sensors to commercial equipment.
The agent is designed to be highly scalable and flexible, making it easy to integrate with your existing infrastructure. It supports a variety of protocols, including HTTP, HTTPS, and MQTT.
To get started with the Azure Connected Machine Agent, you'll need to decide on a deployment option. You can choose from a variety of methods, including Azure IoT Hub, Azure Device Provisioning Service, and Azure Automation.
Installation
Installing the Azure Connected Machine Agent is a straightforward process that requires a few steps. You can download the Windows agent from the Microsoft Download Center as a Windows Installer package (MSI).
The installation process makes several system-wide configuration changes. It creates %ProgramFiles%\AzureConnectedMachineAgent, where the azcmagent CLI and instance metadata service executables are stored, along with the following folders:
- %ProgramFiles%\AzureConnectedMachineAgent\ExtensionService2\GC
- %ProgramFiles%\AzureConnectedMachineAgent\GCArcService2\GC
- %ProgramData%\AzureConnectedMachineAgent
- %ProgramData%\GuestConfig
Installing the agent creates several Windows services, including the Azure Hybrid Instance Metadata Service (himds), Guest configuration Arc Service (GCArcService), and Guest configuration Extension Service (ExtensionService). These services are responsible for synchronizing metadata with Azure, auditing and enforcing Azure guest configuration policies, and installing, updating, and managing extensions on the machine.
The installation process also creates a virtual service account called NT SERVICE\himds, which requires the "Log on as a service" right. This right is automatically granted during agent installation, but you might need to adjust your Group Policy Object to grant the right to "NT SERVICE\himds" or "NT SERVICE\ALL SERVICES" to allow the agent to function.
The installation creates the following local security group: Hybrid agent extension applications, which allows members to request Microsoft Entra tokens for the system-assigned managed identity. The installation also sets several environment variables, including IDENTITY_ENDPOINT and IMDS_ENDPOINT.
Here is a summary of the system-wide configuration changes made by the installation process:
For Linux, the installation process creates the following installation folders:
- /opt/azcmagent/
- /opt/GC_Ext/
- /opt/GC_Service/
- /var/opt/azcmagent/
- /var/lib/GuestConfig/
The installation also creates the following daemons: himdsd.service, gcad.service, and extd.service.
Components and Resources
The Azure Connected Machine agent is a bundle of logical components that work together to manage your machine's connection to Azure and identity. The agent package contains several key components, including the Hybrid Instance Metadata service (HIMDS) and the Extension agent.
The HIMDS manages the connection to Azure and the machine's Azure identity, while the Extension agent is responsible for managing VM extensions, including installation, uninstallation, and upgrades.
The Extension agent downloads extensions to the %SystemDrive%\%ProgramFiles%\AzureConnectedMachineAgent\ExtensionService\downloads folder on Windows, and to /opt/GC_Ext/downloads on Linux.
Components
The Azure Connected Machine agent package is made up of several logical components that work together seamlessly. These components include the Hybrid Instance Metadata service (HIMDS), which manages the connection to Azure and the connected machine's Azure identity.
The HIMDS is a crucial part of the agent package, ensuring that your machine is properly connected to Azure and recognized as a connected machine.
The guest configuration agent provides functionality such as assessing whether the machine complies with required policies and enforcing compliance.
Note that Azure Policy guest configuration behaves differently for a disconnected machine.
The Extension agent manages VM extensions, including install, uninstall, and upgrade. This agent is responsible for downloading and installing extensions on your machine.
Here are the key components of the Azure Connected Machine agent package:
- Hybrid Instance Metadata service (HIMDS)
- Guest configuration agent
- Extension agent
It's worth noting that the Azure Monitor agent (AMA) is a separate agent that collects monitoring data, and it does not replace the Connected Machine agent.
Resources
The Azure Connected Machine agent relies on a specific set of directories and user accounts to function. The directories hold the agent's configuration files, logs, and other data; the user accounts are what the agent runs under and are required for its operation and management. Together these resources are what allow the agent to connect the machine to Azure and keep it managed.
URLs
URLs are a crucial part of the Connected Machine agent's operation, so the right ones must be reachable from the machine. The required set differs by cloud: Azure Cloud, Azure Government, and Microsoft Azure operated by 21Vianet each have their own URLs that must be accessible.
To configure the Azure connected machine agent to communicate with Azure through a private link, some endpoints still need to be accessed through the internet. The Private link capable column in the table below shows which endpoints can be configured with a private endpoint.
Some endpoints may change periodically, and it's essential to keep track of these changes. To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, the East US 2 region has a region name of eastus2.
Linux
To install the Connected Machine agent for Linux, you'll need to download the preferred package format (.rpm or .deb) from the Microsoft package repository. This creates several installation folders:
- /opt/azcmagent/
- /opt/GC_Ext/
- /opt/GC_Service/
- /var/opt/azcmagent/
- /var/lib/GuestConfig/
The agent installation also creates several daemons:
- Azure Connected Machine Agent Service (himdsd.service), which implements the Hybrid Instance Metadata service (IMDS)
- GC Arc Service (gcad.service), which audits and enforces Azure guest configuration policies
- Extension Service (extd.service), which installs, updates, and manages extensions on the machine
To troubleshoot issues with the Connected Machine agent, refer to the log files located in /var/opt/azcmagent/log/ and /var/lib/GuestConfig/. Key log files to check include himds.log, azcmagent.log, arc_policy_logs, ext_mgr_logs, and the extension_logs directory.
After uninstalling the Connected Machine agent, several artifacts remain, including the installation folders and log files.
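The Windows and Linux footprints listed above (folders, services/daemons, and the IDENTITY_ENDPOINT / IMDS_ENDPOINT variables) are what a practitioner checks to confirm a healthy install or to find what was left behind after an uninstall. The following audit script is an added example, not code from Microsoft or from the page's sources; it assumes systemctl on Linux and sc.exe on Windows, and its probes are injectable so it can be tested on a machine without the agent.

```python
import os
import platform
import shutil
import subprocess

# Expected footprint from the text above (no Linux env vars are listed there).
EXPECTED = {
    "Windows": {"dirs": [r"%ProgramFiles%\AzureConnectedMachineAgent",
                         r"%ProgramData%\AzureConnectedMachineAgent",
                         r"%ProgramData%\GuestConfig"],
                "services": ["himds", "GCArcService", "ExtensionService"],
                "env": ["IDENTITY_ENDPOINT", "IMDS_ENDPOINT"]},
    "Linux": {"dirs": ["/opt/azcmagent", "/opt/GC_Ext", "/opt/GC_Service",
                       "/var/opt/azcmagent", "/var/lib/GuestConfig"],
              "services": ["himdsd", "gcad", "extd"],
              "env": []},
}

def service_active(name, system):
    """Ask the service manager (systemctl on Linux, sc.exe on Windows) if a service runs."""
    cmd, want = (["systemctl", "is-active", name], "active") if system == "Linux" \
        else (["sc", "query", name], "RUNNING")
    if shutil.which(cmd[0]) is None:
        return False  # no service manager found: treat the service as not running
    return want in subprocess.run(cmd, capture_output=True, text=True).stdout.split()

def audit(system, isdir=os.path.isdir, getenv=os.environ.get, active=None):
    """Return {'present': [...], 'missing': [...]}; every probe is injectable for testing."""
    exp, active = EXPECTED[system], active or (lambda n: service_active(n, system))
    probes = (("dir", exp["dirs"], lambda d: isdir(os.path.expandvars(d))),
              ("svc", exp["services"], active),
              ("env", exp["env"], lambda e: bool(getenv(e))))
    result = {"present": [], "missing": []}
    for kind, items, probe in probes:
        for item in items:
            result["present" if probe(item) else "missing"].append(f"{kind}:{item}")
    return result

def verdict(result):
    """healthy / degraded / not installed, or 'leftover artifacts' when only files remain."""
    svc_up = [p for p in result["present"] if p.startswith("svc:")]
    files_left = [p for p in result["present"] if not p.startswith("svc:")]
    if not result["missing"]:
        return "healthy"
    if not svc_up:
        return "leftover artifacts" if files_left else "not installed"
    return "degraded"

if __name__ == "__main__":
    print(verdict(audit(platform.system())))
```

A "leftover artifacts" verdict after an uninstall is the cue to clean the remaining folders and stale IDENTITY_ENDPOINT / IMDS_ENDPOINT variables.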
Service
Service-related problems are a common cause of Azure Connected Machine (ACM) Agent connection issues, because the service is what the agent relies on for authentication and authorization.
The service principal secret is a critical piece of information that must be verified to ensure the agent can acquire an authorization token. If the secret is wrong or invalid, the agent will fail to acquire the token.
A proxy or firewall can block access to the login.windows.net endpoint, causing the agent to fail to acquire an authorization token. Running azcmagent check can help identify if a firewall is blocking access to Microsoft Entra ID.
The Azure Connected Machine Onboarding role is required for the agent to acquire an authorization token. If the credentials or permissions are incorrect, the agent will fail to acquire the token.
Here are some common errors related to service and their probable causes:
The Azure resource providers must be registered for the agent to connect to the ARM resource. If the subscription isn't registered, the agent will fail to connect. Registering the resource providers can resolve this issue.
Azure Arc
Azure Arc is a crucial component of the Azure Connected Machine agent. It's responsible for aggregating network traffic from the agent services and any extensions you've installed.
The Azure Arc Proxy service is a key part of Azure Arc, deciding where to route that data. It runs as a Network Service on Windows and a standard user account (arcproxy) on Linux.
If you're using the Azure Arc gateway (Limited preview) to simplify your network endpoints, the Azure Arc Proxy service is the local component that forwards network requests via the Azure Arc gateway instead of the default route. It's disabled by default until you configure the agent to use the Azure Arc gateway.
Resource Governance
The Azure Connected Machine agent is designed to limit the resources that it and its components consume. Resource governance applies under specific conditions; for example, the Machine Configuration service can use up to 5% of the CPU to evaluate policies.
The extension service can use up to 5% of the CPU on Windows machines and 30% of the CPU on Linux machines to install, upgrade, run, and delete extensions. However, some extensions might apply more restrictive CPU limits once installed.
Here are the exceptions to the CPU limits for the extension service:
During normal operations, the agent consumes the following system resources: 0.07% CPU usage (normalized to 1 core) and 57 MB of memory on Windows, and 0.02% CPU usage and 42 MB of memory on Linux.
Azure Arc
Azure Arc is a powerful tool for managing your network traffic. It's essentially a service that aggregates network traffic from various sources, including the Azure Connected Machine agent services and any extensions you've installed.
The Azure Arc Proxy service is a key component of Azure Arc, responsible for deciding where to route the aggregated network traffic. It's disabled by default until you configure the agent to use the Azure Arc gateway (Limited preview).
Azure Arc Proxy runs as a Network Service on Windows and a standard user account (arcproxy) on Linux. This allows it to forward network requests via the Azure Arc gateway instead of the default route.
If you're using the Azure Arc gateway to simplify your network endpoints, the Azure Arc Proxy service is the local component that makes it happen.
Supported Cloud Operations
Azure Arc offers a wide range of supported cloud operations that allow you to manage your hybrid machines with ease. You can perform many operational functions, just as you would with native Azure virtual machines.
One of the key supported actions for connected machines is governance. This allows you to manage and enforce policies across your hybrid environment.
Protecting your machines is also a key supported action. This ensures that your data and applications are secure and protected from potential threats.
Configuration is another essential supported action. This enables you to customize and tailor your machines to meet your specific needs and requirements.
Monitoring is also a key supported action. This allows you to track and analyze your machine's performance, identify potential issues, and make data-driven decisions.
Here are the key supported actions for connected machines in a concise list:
- Govern
- Protect
- Configure
- Monitor
Frequently Asked Questions
What is the Azure Connected machine Agent used for?
The Azure Connected Machine Agent is used to manage Windows and Linux machines outside of Azure, allowing for centralized control and monitoring of your corporate network and other cloud providers. This enables streamlined management and support for your hybrid cloud environment.
What happens when you install the Azure Connected machine Agent on an on-premises physical server?
When you install the Azure Connected Machine Agent on an on-premises physical server, it enables secure and reliable management and monitoring of the server. This allows you to automate tasks and gain centralized visibility into your on-premises infrastructure.
How do I remove Azure Connected machine Agent?
To remove the Azure Connected Machine Agent, sign in with an administrator account and uninstall it from the Programs and Features section in Control Panel. Follow the prompts to complete the uninstallation process.
What is the Azure Arc agent?
The Azure Arc agent is a management tool that enables remote control of Windows and Linux machines outside of Azure, on your corporate network or other cloud providers. It's the same agent used by Arc-enabled servers to streamline management and monitoring.
How to check if Azure Arc Agent is installed?
To check if the Azure Arc Agent is installed, look for the version displayed on your system. If you don't see a version, it may indicate that the agent is not installed.