Microsoft’s Azure Arc Offers Hybrid Cloud on Enterprise Terms

13 Nov 2019 1:19pm, by

Microsoft is no newcomer to hybrid cloud but the announcement of Azure Arc makes its approach more coherent and comprehensive.

Arc is a way to use the Azure management, governance, policy, security and update tools to manage infrastructure in your own data center or in another cloud, whether that’s bare metal, VMs or Kubernetes. It brings the Azure Resource Manager control plane to resources that aren’t in the cloud, so you get the consistency of a single control plane, but without attempting to replace all the other tools in the ecosystem.

You can organize VMs using the same tags and apply the same policies based on those tags wherever they are. You can use the same Azure Resource Manager templates to apply role-based access control to VMs in AWS or GCP as on your own hardware, you can use Azure Security Center to encrypt file systems and Azure Automation to patch operating systems, and you can see logs from all those systems in Azure Monitor. And you can use those cloud management tools with all your existing infrastructure, wherever it is; if you can connect to a Windows Server or Linux OS instance, you can use the Azure cloud tools to manage it.

Arc lets you run the applications you already have on those VMs and Kubernetes clusters, or roll out new applications that have been packaged to deploy onto Kubernetes. You can also deploy the SQL Azure Database service and the managed PostgreSQL Hyperscale service from Azure on your infrastructure. That’s a database service that’s managed and updated by Microsoft as if it were running in the cloud. You pay for it as a cloud service, but you get it on your own infrastructure, in your own data centers.

So if data gravity or data sovereignty, or simply the amount you’ve invested in hardware, make the public cloud a difficult choice, you can still get cloud management and a cloud database service — which is what enterprises with data centers have been asking for since public cloud became popular.

Cloud but on Your Servers

“Historically, we talked about hybrid as data center to cloud,” Azure corporate vice president Julia White told The New Stack. “Increasingly we’re seeing multicloud become a regular thing, as well as connected devices, so applications are being run across everything from IoT devices to multiple clouds, to data centers.”

But that flexibility can get very complex. “As we think about the control plane and the consistency across all of your environments, applications being run in multiple different ways across each of the environments is going to be expensive and complicated. Just having a single place to organize it is valuable, but with Azure Arc we also provide the governance across multiple environments.”

The VM management service with Azure Arc is in public preview; the Kubernetes management service is in private preview, as are the two managed data services.

Azure management diagram (image courtesy of Microsoft).

Microsoft does plan to bring more cloud services to Azure Arc beyond these database services so you can expect things like Azure Functions for serverless computing. But it won’t be the full range of Azure services and probably not all the Azure services that are already available on Azure Stack Hub, Microsoft’s original hybrid cloud appliance.

“As we move forward, we’ll look at what are the logical roles that people are going to want to be running in a distributed fashion,” White said. “Data was a very obvious one, so that’s a good place to start. It doesn’t mean every PaaS service Azure has makes sense to run in a distributed fashion, so we won’t just start bringing different services down. But there are services that seem very obvious and I expect you to see us moving quickly in terms of the next class of services that this enables.”

She also expects it to appeal to software vendors who want to sell cloud native applications to enterprises that won’t run them in the cloud. “If their application runs in Azure, but they’re not able to address the on-premises use cases today, using Azure Arc they could run their application on-premises as well.”

What Arc Doesn’t Do

To understand how Arc fits into enterprise infrastructure — on your own hardware or in multiple clouds — it’s useful to know what it doesn’t do. It doesn’t provision VMs, or handle lifecycle management for them: you still do that with whatever tools you were using for VM provisioning and server admin before, whether that’s vSphere or System Center or the new Windows Admin Center or the AWS APIs. It doesn’t provision Kubernetes either; again, you use your existing infrastructure tools — and your existing infrastructure.

You get unified billing for the Azure control plane that delivers policy to your infrastructure, even if that’s on another cloud, but just as Azure Arc doesn’t take over the provisioning of VMs on other clouds, it won’t show you the costs of that infrastructure.

On servers and VMs, on your own infrastructure or in a non-Microsoft cloud, you deploy an agent that also runs an instance of the Azure Instance Metadata Service, a REST endpoint that projects the resource ID of the device into the cloud. For Kubernetes, you install the agent with a Helm chart that connects the cluster to your Azure subscription and resource group, and creates a connected cluster resource.

Azure Arc diagram (image courtesy of Microsoft).

If you’re using GitOps to have a repo that’s the single source of truth for configuration and application deployment, you can use Arc policies to have your Kubernetes clusters monitor the repo, downloading and applying the manifests and code that cluster admins and developers check in. And if you have a cluster that’s only intermittently connected to the internet, you can still manage it from Arc, pushing policy to set it up and then running it disconnected.

Arc isn’t trying to be the only tool you use, Azure general manager Arpan Shah told us. “We want to provide governance while at the same time allowing people to use the tools they’re used to. So for Kubernetes, you can use the Kubernetes control plane, you can use the command line tools, all the native tools there.”

Instead, it’s about not having to use multiple tools just to have the same settings in the cloud and in your data centers. “With policy in Arc, you’re able to drive consistency in terms of ‘do my servers have certificates that are not expiring? Do I have passwords that are not expiring? Is port 3443 open for TCP on all my servers?’” Arc pushes the policy, monitors for compliance and gives you both alerts and remediation options in the Azure portal, wherever the infrastructure is.
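The tag-based governance described earlier and the compliance questions Shah lists above are expressed in Azure Policy, which evaluates Arc-connected servers because they appear in Azure Resource Manager as resources of type `Microsoft.HybridCompute/machines`. The definition below is an added example, not code from the article or from Microsoft: it audits every Arc-enabled server that lacks a required tag, so a fleet that spans a data center, AWS and GCP can be checked against one rule. The `tagName` parameter and the display name are this example’s own choices; the `field`/`exists` pattern and the `audit` effect are standard Azure Policy constructs.

```json
{
  "properties": {
    "displayName": "Audit Arc-enabled servers missing a required tag (example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Flags Microsoft.HybridCompute/machines resources that carry no value for the given tag, so untagged servers cannot silently escape tag-scoped policies.",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Required tag name",
          "description": "Name of the tag every Arc-connected server must carry, for example 'environment' (example value)."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HybridCompute/machines"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  }
}
```

With the Azure CLI, the `policyRule` object is passed to `az policy definition create --rules` and the `parameters` object to `--params`; the definition is then attached to a subscription or resource group with `az policy assignment create --scope`. Using `audit` rather than `deny` matters for Arc specifically: Arc does not provision the machines, so a deny effect would block the agent from registering an existing server rather than fixing anything, whereas an audit surfaces the non-compliant machine in the portal where it can be tagged and re-evaluated.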

Arc isn’t something you buy with new hardware, unlike the hyperconverged Azure Stack Hub or AWS Outposts appliances. White says that Microsoft is working quite closely with VMware “to make sure there’s a good integration experience with the virtualization layer” for Arc but you’re not limited to using vSphere (which is the only choice on Outposts if you don’t want to use the AWS APIs).

Arc isn’t a Kubernetes appliance like Anthos, which is Google’s attempt to take back control of the Kubernetes enterprise stack, complete with Istio and Knative for service mesh and serverless, although it does share the idea of managing cloud and on-premises clusters through the same control plane.

VMware’s Tanzu and Project Pacific also focus just on Kubernetes for applications on vSphere and on giving vSphere admins a way to manage containers and VMs within the same ESXi platform using Kubernetes Custom Resource Definitions (CRDs); again, that’s at a different level from the Azure Arc control plane, which lets admins use ARM templates and policy constructs to apply the same governance to cloud and data center systems (and VMware doesn’t have cloud services to run on-prem the way Azure does). The two control planes are likely to coexist, and it’s even possible that Microsoft and VMware could allow them to interoperate (following on from collaborations like Azure VMware Solutions).

Arc isn’t a Microsoft Kubernetes distribution either; you’re not getting a version of AKS that runs on your hardware, and if you want to buy hardware that gives you Kubernetes as a service from Microsoft, you’d use Azure Stack Hub. Instead, Arc works with any CNCF-certified distribution you’ve chosen, including managed Kubernetes services, and you continue to manage that Kubernetes infrastructure.

Arc is also different from Azure Stack Edge, which is another Microsoft managed appliance (available in a range of different form factors including a rugged model you can throw in a backpack); that runs containers and you can manage them from AKS, but it doesn’t actually run Kubernetes.

The reason Microsoft now has three options for hybrid cloud is that as fast as Kubernetes is growing, it doesn’t cover everything that customers do, Shah points out. “We don’t believe it’s just about containers: The world has bare metal servers, it has VMs and it has containers, and we’re seeing a good mix of those on-premises and in the cloud. So with Arc, we support all of those. We layer in services: being able to run Azure Data Services wherever you want on a Kubernetes environment is pretty powerful. If a customer has an application they need, whether it’s for compliance, whether it’s for latency or just legacy reasons, they’re able to take advantage of all this cloud innovation wherever they want, on any Kubernetes distribution. You get cloud billing, you get the latest bits, you get patching, you get security.”

With Azure Arc, hybrid doesn’t just mean combining cloud and your own data centers; it also unifies the way you work with traditional VMs — which are not going away in the enterprise world — and newer containerized workloads on the increasingly ubiquitous but also fragmented Kubernetes. Enterprises don’t have to abandon any of the infrastructure they’ve invested in and they can move at their own pace.

That extra flexibility does mean more complexity; you’re still responsible for running your own infrastructure and you’ll have to be clear about which management is done through Arc and which through existing operations tools. But you can make that decision and only have to set policy once. This is very much hybrid cloud on the terms that enterprises have been asking for.

VMware is a sponsor of The New Stack.
