Yesterday Microsoft announced the General Availability (GA) of the SCOM Agent and Gateway extensions to deploy agents and establish communication for the agents in Azure Monitor SCOM Managed Instance (SCOM MI). It uses Azure Arc to deploy and update the agent extensions and it can establish the connection trust that way as well.
Challenges
When going to cloud and hybrid systems for monitoring, and in this case SCOM, we again run into the same challenges as we had on-prem. In short: A monitored agent needs Connectivity and Trust to communicate with the central monitoring solution. For SCOM this has always been Kerberos realm trust or Certificate-based trust, whereby the certificates needed to be specifically created and assigned to agents. Or a Gateway solution needed to be implemented to create less Certificates and use Kerberos as much as possible. This does however assume machines are in some kind of Active Directory domain. Deployment and Management of agents was also either through native SCOM, or using deployment mechanisms such as SCCM or Scripts and automation engines.
Going Hybrid
When going more Hybrid and Cloudy, we need to think of ways to manage and monitor machines and their agents – as long as we are running full Operating Systems. From the cloud, we have Azure Arc to manage full VM’s wherever they are, and several native extensions have been created to assist in managing such machines through the use of Arc. Arc establishes a connection between the machine and the cloud-based services using built-in certificate trusts and using specific endpoints in the cloud to connect to.
Solutions
When going for SCOM MI from the cloud to Extend Azure Monitor with the possibilities SCOM gives for using Management Packs for deep monitoring of applications and other components, we can now bring the solutions together.
We can use Azure Arc to manage the management of these systems. If you are in a Hybrid or Cloud situation, you should be serious about using Azure Arc for several things having to do with management, automation, updates, tagging and more of virtual machines living on-prem, in the Azure cloud or in other clouds. This establishes a trust and connection and a way to deploy more Extensions to the managed machine.
We can go through the SCOM MI portal in the Azure portal and deploy SCOM agents through an Arc extension now. And also, for those cases where we need to deploy a Gateway to support air-gapped and isolated systems, to facilitate connectivity to the monitoring system. Both Managed Agents and Managed Gateways can now be deployed from the SCOM MI portal. This establishes the automatic Arc-enabled certificate trust and we establish connectivity. We do need to have line of sight on port 5723 to our load balancer address still as well.
We have shared information about this feature before during webinars and in our SCOM MI training program, because we have been testing this in Preview programs with Microsoft since the end of 2023. There is a lot more to come for Azure Monitor SCOM Managed Instance!
Read more about the announcement here: Introducing Agent and Gateway Extensions in Azure Monitor SCOM MI – Microsoft Community Hub
And read more about using Managed Agents using Arc Extensions here: Monitor Azure and Off-Azure Virtual machines with Azure Monitor SCOM Managed Instance extensions. – Azure Monitor | Microsoft Learn