While Azure Automation can run both PowerShell and Python scripts to automate cloud workloads, I will focus on the PowerShell side of things. With PowerShell you can use modules such as Exchange Online, MSOnline (MSOL), Azure AD and Az.Storage. In the same way, automation runbooks can patch Azure VMs, restart VMs and keep the VMs in their desired state configuration.
What are Hybrid Worker Groups?
Hybrid Worker Groups let you automate on-premises workloads, with the option of High Availability if the workload is critical. The worker only needs outbound TCP 443 to Azure Automation (no inbound ports are opened into the on-premises network), and the hybrid worker server does not have to be on-premises at all: it can run in AWS, for example.
The servers in a Hybrid Worker Group can be either Windows or Linux. I will be showcasing how to add Windows servers.
It is recommended to set up more than one hybrid worker server in a Worker Group for High Availability. You can't pick which server in the group executes a given runbook job; Azure distributes the jobs across the workers in the group.
Azure Automation Pricing
As of today, the pricing is 500 minutes per month free and then $0.003/minute; for Watchers it is 744 hours free and then $0.003/hour. More on pricing can be found in this link: Pricing – Automation | Microsoft Azure
Before talking about the Hybrid Worker Group, let's create the Azure Automation Account.
Runbooks hold your script, its schedules, etc.
Runbooks can be created from scratch or imported from the Runbook gallery, which contains PowerShell scripts from the community (GitHub).
Types of Hybrid Workers
System Hybrid Runbook Worker: supports a set of hidden runbooks used by the Update Management feature, designed to install user-specified updates on Windows and Linux machines. This type of Hybrid Runbook Worker is not a member of a Hybrid Runbook Worker group, so it doesn't run runbooks that target a Runbook Worker group.
User Hybrid Runbook Worker: supports user-defined runbooks intended to run directly on the Windows and Linux machines that are members of one or more Runbook Worker groups. This is the type set up in this post.
- Create the Azure Automation Account
- Prepare the Run As account
- Create the Azure Log Analytics Workspace
- Link the Azure Log Analytics Workspace to the Automation Account
- Install the Log Analytics agent on the selected server (the on-premises server)
- Register the server as a Runbook Worker
- Set the Run As account in the Hybrid Worker Group
- Create the Runbook
- Execute the Runbook
Create an Azure Automation Account
Add the “Automation” from the Azure Marketplace
Create the account, and make sure you have the Owner role on the subscription in which you plan to add the Automation Account.
If you want to perform a cloud-based automation task, first add the module from the module gallery and then call it from the Runbook.
Supported Windows operating system
- Windows Server 2019 (including Server Core)
- Windows Server 2016, version 1709 and 1803 (excluding Server Core)
- Windows Server 2012, 2012 R2
- Windows Server 2008 SP2 (x64), 2008 R2
- Windows 10 Enterprise (including multi-session) and Pro
- Windows 8 Enterprise and Pro
- Windows 7 SP1
Minimum machine specs
- Windows PowerShell 5.1 (download WMF 5.1). PowerShell Core is not supported.
- .NET Framework 4.6.2 or later
- Two cores
- 4 GB of RAM
- Port 443 (outbound)
Hybrid Worker Group Setup
A Hybrid Worker Group is basically the middleman between Azure and the on-premises environment: there is no need to run scripts on-premises from Task Scheduler on dedicated servers.
You simply install the underlying PowerShell module(s) for the workload on the worker and call them from Azure.
How does it work?
Prepare the Run As Account
When you run on-premises workloads, the credentials are often not the same as the cloud credentials, and without somewhere to store them you end up hard-coding them into your script.
With a Credential asset, you define the on-premises account ahead of time under Shared Resources > Credentials and retrieve it from the runbook at run time (Get-AutomationPSCredential), so the password never has to appear in the script itself.
The user name format can be:
- username (for accounts local to the on-premises computer)
- domain\username (for domain accounts)
Enabling the Azure Run As account is done during the Automation Account creation step or later from Account Settings in the Automation Account.
You need to be an Owner of the subscription in order to create the Run As account, because creation registers a service principal and grants it the Contributor role on the whole subscription. Once the account is created, you can replace that with a lower-level, narrower role such as Contributor scoped to only the resource groups your runbooks manage.
To create the Run As account, go to Run As Accounts under Account Settings of the Automation Account, open the Azure Run As Account option and hit Create.
More about the Run As Account can be found here Manage an Azure Automation Run As account | Microsoft Docs
This creates an application (and service principal) in Azure AD with a self-signed certificate that expires after 12 months. The certificate can be renewed from the portal itself; set a reminder, because once it lapses every runbook that authenticates with it starts failing. This one app backs the Run As account for the whole Automation Account.
Add the Credentials for the Credential Asset
In the Automation Account, go to Shared Resources > Credentials > Add a credential, give it a name, and enter the user name and password of the on-premises account.
Hybrid Worker Server Prerequisites
Create a Log Analytics workspace
From the Azure Marketplace search for Log Analytics workspace
Complete the creation of the workspace
Link the Log Analytics Workspace to the Azure Automation Account
Go back to the Automation Account > Inventory, select the Log Analytics workspace you just created and enable it; this links the workspace to the Automation Account.
You can further confirm this, if you go to Linked Workspaces under Related Resources in the Automation Account
Install the Log Analytics agent on the server in the on-premises network
There are two agent installation types (the VM extension for Azure VMs, and the manual installer for everything else). I will go through the setup assuming the hybrid server is in the on-premises network.
If the target machine is a non-Azure VM (Corp network, physical server) use this link to get the steps
- Go to your Log Analytics Workspace
- Go to Agent Management
- Download the agent according to the architecture
- Install it on the server
Press Next through to the install location, then select the "Connect the agent to Azure Log Analytics (OMS)" option.
Fill in the Workspace ID, Workspace Key, Azure Cloud details.
You can grab the Workspace ID and the Workspace Key from the Agents Management blade
Complete the installation
Register the Hybrid Worker Server
- Log on to that server
- Open an elevated Windows PowerShell session and go to this location (replace <version> with the agent's version folder)
cd "C:\Program Files\Microsoft Monitoring Agent\Agent\AzureAutomation\<version>\HybridRegistration"
- Run the below command for the registration
Specify a Group Name
You can find the URL and the Key under Keys in Account Settings of the Automation Account. Treat the key like a password: anyone holding it can register a machine of their own into your worker groups and have your jobs, and the credentials those jobs fetch, handed to it.
Add-HybridRunbookWorker –GroupName <Group Name> -Url <URL> -Key <KEY>
Once you execute the above command, the server will register as a Hybrid Runbook Worker in the Group Name you specify.
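Here is the registration as a complete script, added as an example and not the post's own commands. It assumes the Log Analytics agent is already connected to the linked workspace, and the group name and URL below are placeholders you replace with your own; the key is prompted for rather than written into the file.

```powershell
# Added example (not from the original post): register this Windows server as a
# Hybrid Runbook Worker. Run in an elevated Windows PowerShell 5.1 session on the
# server after the Log Analytics agent has connected to the linked workspace.

$GroupName = 'OnPremWorkers'                    # assumed group name; pick your own
$Url       = 'https://<your-automation-account-url>'   # placeholder; copy from Keys under Account Settings

# Prompt for the primary key instead of saving it in this file: it authorises
# registration of workers into your groups, so treat it like a password.
$Key = Read-Host -Prompt 'Automation account primary key'

# The registration module ships with the Log Analytics agent. Its parent folder is
# named after the agent version, so locate the module instead of hard-coding the path.
$agentRoot = 'C:\Program Files\Microsoft Monitoring Agent\Agent\AzureAutomation'
$module = Get-ChildItem -Path $agentRoot -Recurse -Filter 'HybridRegistration.psd1' |
          Select-Object -First 1
if (-not $module) {
    throw 'HybridRegistration module not found; is the Log Analytics agent installed and connected?'
}

Import-Module $module.FullName
Add-HybridRunbookWorker -GroupName $GroupName -Url $Url -Key $Key

# The agent service (HealthService) hosts the worker; confirm it is running.
Get-Service -Name HealthService | Select-Object Name, Status
```

After this, the server should appear in the Hybrid Worker Group in the portal, as the next step shows.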
Success!! Now that the server has been added, check the results in the Hybrid Worker Group
Change the Run As account for the Worker Group
By default a hybrid worker runs jobs as Local System on the worker. To run them as the on-premises account instead, go to the Hybrid Worker Group Settings tab in the Hybrid Worker Group and switch Run As from Default to Custom.
Select the Credential asset you created earlier from the dropdown.
Runbook jobs on this group then execute under that account. It has no role on the cloud side of things, so it only needs the on-premises rights the runbooks actually require.
Create the Runbook
Important: the PowerShell modules your runbook uses must be installed on the Hybrid Worker server itself; modules imported into the Automation Account's module gallery are only available to jobs running in the Azure sandbox.
You can always import a pre-created Runbook from the Runbook gallery and go from there, or create one from scratch (which I will be doing here).
- Go to the Automation Account > Select Runbooks under Process Automation
- Select Create a runbook button and complete the necessary fields and press Create
Enter your script as shown below.
I will be adding a very simple command to create an AD account in the local AD.
At this point the Run As account exists and the on-premises credentials are stored as a Credential asset.
When testing the runbook, notice that you can choose where it runs.
Select Hybrid Worker and pick the Worker Group, if you have more than one.
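The following runbook is an added example of that step, not the author's script. It assumes a Credential asset named OnPremADAdmin that holds a domain account allowed to create users, that the runbook is run on a Hybrid Worker Group with the ActiveDirectory RSAT module installed on the worker, and the OU path and UPN suffix are placeholders for your own domain.

```powershell
# Added example runbook (not the author's script). Assumptions: a Credential asset
# named 'OnPremADAdmin' holds a domain account allowed to create users, the job runs
# on a Hybrid Worker Group, and the ActiveDirectory RSAT module is installed on the
# worker. $OUPath and $UpnSuffix are placeholders for your own domain.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $GivenName,
    [Parameter(Mandatory)] [string] $Surname,
    [string] $OUPath    = 'OU=Staff,DC=corp,DC=example',
    [string] $UpnSuffix = 'corp.example'
)
$ErrorActionPreference = 'Stop'

# Fetch the on-premises credential from the Credential asset at run time. No secret
# lives in the runbook body, and the credential object is never written to job output.
$adminCred = Get-AutomationPSCredential -Name 'OnPremADAdmin'
if (-not $adminCred) { throw "Credential asset 'OnPremADAdmin' not found." }

Import-Module ActiveDirectory   # must already be installed on the hybrid worker itself

# Idempotency guard: a re-run must not error out or touch an existing account. The
# scriptblock filter binds $SamAccountName as a value, so a crafted name cannot
# change the shape of the LDAP query.
if (Get-ADUser -Filter { SamAccountName -eq $SamAccountName } -Credential $adminCred) {
    Write-Output "User $SamAccountName already exists; nothing to do."
    return
}

# Random initial password from a cryptographic RNG (24 bytes -> 32 Base64 characters,
# which in practice satisfies the default domain complexity policy).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# Create the account disabled with the random password. Enabling it and handing over a
# known password is a separate, out-of-band step, so no usable secret flows through
# the Automation job logs.
New-ADUser -Name "$GivenName $Surname" `
           -GivenName $GivenName -Surname $Surname `
           -SamAccountName $SamAccountName `
           -UserPrincipalName "$SamAccountName@$UpnSuffix" `
           -Path $OUPath `
           -AccountPassword $initialPassword `
           -ChangePasswordAtLogon $true `
           -Enabled $false `
           -Credential $adminCred

Write-Output "Created $SamAccountName (disabled) in $OUPath on $env:COMPUTERNAME."
```

The runbook parameters (SamAccountName, GivenName, Surname) are what the Test pane and the Start dialog will prompt for; the password is generated on the worker and never typed into the portal.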
If the Tests are running without errors, publish the runbook
Execute the workload
Status page as below
And my user has been created in the local AD as expected
Scheduled On Premises tasks
You can create a scheduled job for anything that needs to run periodically; for example, it is a great way to get a report of the disabled users in AD every month.
Schedules can be set up from the specific Runbook > Schedules > Add a schedule.
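The same schedule can be created from an admin workstation with the Az.Automation module, which also makes explicit the detail that matters for on-premises jobs: the RunOn setting. This is an added example, not from the original post; the resource group, account, runbook and group names are assumed placeholders, and the runbook is assumed to be already published.

```powershell
# Added example (not from the original post): create a monthly schedule and link an
# already published runbook to it so the job runs on the Hybrid Worker Group.
# Requires the Az module (Install-Module Az) on an admin workstation.
$rg      = 'rg-automation'               # assumed resource group
$account = 'aa-onprem'                   # assumed Automation Account
$runbook = 'Get-DisabledADUsersReport'   # assumed, already published runbook
$group   = 'OnPremWorkers'               # the Hybrid Worker Group registered earlier

Connect-AzAccount | Out-Null

# Fail early if the group does not exist. A schedule registered without -RunOn, or
# with a wrong group name, still runs, but in the Azure sandbox, where on-premises
# AD is unreachable and the job silently does the wrong thing.
$null = Get-AzAutomationHybridWorkerGroup -ResourceGroupName $rg `
            -AutomationAccountName $account -Name $group

# First day of next month at 06:00 UTC; the start time must lie in the future.
$now   = (Get-Date).ToUniversalTime()
$start = [datetime]::new($now.Year, $now.Month, 1, 6, 0, 0, [DateTimeKind]::Utc).AddMonths(1)

$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'Monthly-DisabledUsers-Report' -StartTime $start `
    -MonthInterval 1 -DaysOfMonth One `
    -Description 'Monthly report of disabled AD users; runs on the hybrid workers'

# Link the runbook to the schedule. -RunOn is what sends the job to the Hybrid Worker
# Group instead of the Azure sandbox.
Register-AzAutomationScheduledRunbook -ResourceGroupName $rg -AutomationAccountName $account `
    -RunbookName $runbook -ScheduleName $schedule.Name -RunOn $group

# Confirm the link and, above all, where it will run.
Get-AzAutomationScheduledRunbook -ResourceGroupName $rg -AutomationAccountName $account `
    -RunbookName $runbook | Select-Object RunbookName, ScheduleName, RunOn
```

If the RunOn column comes back empty, the job is bound to the Azure sandbox and will fail (or worse, run against the wrong environment) when it tries to reach on-premises resources.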
The configuration includes number of steps that can be a tedious task, but once that’s done, it’s easier to manage On-premises tasks and automate them as you automate your cloud workloads.