This post has been republished via RSS; it originally appeared at: ITOps Talk Blog articles.
Managing certificates is an important part of server management: you want to roll out certificates to your servers and manage them from a central place. In a pure on-premises environment we have done this, for example, with Group Policies (GPOs). But what if you run a hybrid cloud environment, where machines are not only in your own datacenter but also at edge locations or even at other cloud providers, and in some cases are not even domain-joined? This is where Azure Arc can help. Azure Arc enabled servers lets you manage your Linux and Windows servers directly from the Azure control plane, and with the new Azure Arc Key Vault extension you can also manage certificates on these machines.
Since Azure Arc enabled servers have a managed identity, you can use that identity not just for your applications, but also for extensions and for accessing Azure Key Vault.
Instead of individually copying the certificate to each machine, the PKI admin just has to upload or generate certificates in a Key Vault and configure which servers are allowed to download them. Then, the server admin deploys the Azure Key Vault extension to their servers (the same extension works for both Azure and Arc enabled servers) and specifies which certificates should be installed on the server, and how frequently the server should check for updates. From there, the extension takes care of the rest. It uses the unique managed identity assigned to every Arc enabled server to authenticate to Azure Key Vault and download the certificates. When it comes time to renew a certificate, the PKI admin only needs to update the copy in Key Vault. The extension will take care of downloading it to each server automatically.
Getting started with the Azure Key Vault extension for Arc enabled servers
This extension is currently in preview, and you can find more information about it here in the announcement blog post by Ryan Puffer (Program Manager for Azure Arc enabled servers).
Prerequisites
To get started, you will need the following:
- An Azure Arc enabled server running a supported version of Linux or Windows Server. You can follow these simple steps to add a server to Azure Arc.
- An Azure Key Vault with at least one certificate. If you want to quickly create a certificate in Azure Key Vault, check out the following tutorial on Microsoft Docs.
- To deploy the extension you will need the Azure Connected Machine PowerShell module (Az.ConnectedMachine), which you can install and run on your local admin machine or in Azure Cloud Shell with the following command:
Install-Module Az.ConnectedMachine
Set up and deploy the Key Vault extension to Azure Arc
Grant the Arc enabled server's system-assigned managed identity permission to read from the Key Vault. Every Arc enabled server gets this identity when it is onboarded; you only need to authorize it on the vault.
You can configure permissions on your vault by going to it in the Azure Portal, clicking Access policies in the navigation pane, and then Add Access Policy. In the Secret permissions drop down, tick the boxes for Get and List (the extension downloads the certificate, including its private key, through the vault's secrets endpoint, which is why secret permissions are needed rather than certificate permissions). Then, next to Select Principal, click None selected to open the AAD object picker. Search for your Arc enabled server by its name, click it, then click Select. Click Add to finish configuring the Arc enabled server's permissions, then click Save to commit the change. Keep in mind that an access policy applies to the whole vault: the server can then read every secret in it, not only the certificates it needs, so a vault dedicated to these certificates keeps the blast radius small.
If your vault uses Azure RBAC instead of access policies, grant the Arc enabled server the Key Vault Secrets User role in Access control (IAM) for the vault, scoped to that vault rather than to the resource group or subscription.
Deploy the Azure Arc Key Vault extension
Now you can deploy the extension to the server. Run the following command on your admin workstation with Azure PowerShell, or in Azure Cloud Shell, with the Az.ConnectedMachine module installed.
In my case this looked something like this:
When the extension has finished installing, you should see your certificate in the certificate store of your Azure Arc enabled server, and the extension will keep checking the vault at the polling interval you configured.
For Linux machines you can run the following to deploy the extension:
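The whole procedure above (authorize the managed identity, deploy the extension to a Windows and a Linux server, verify) as one PowerShell script. This is an added example and not the commands from the original post: the resource group, machine, vault and certificate names are placeholders, the `IdentityPrincipalId` property used to read the server's managed identity is assumed from the Az.ConnectedMachine module, and the extension settings follow the documented settings schema of the Key Vault VM extension (publisher `Microsoft.Azure.KeyVault`, types `KeyVaultForWindows` and `KeyVaultForLinux`).

```powershell
# Added example (not from the original post). All names below are placeholders.
Install-Module Az.ConnectedMachine -Scope CurrentUser   # once, on the admin workstation
Connect-AzAccount

$ResourceGroup = 'rg-arc-demo'
$MachineName   = 'arc-web01'          # Windows Arc-enabled server (assumed name)
$LinuxMachine  = 'arc-lnx01'          # Linux Arc-enabled server (assumed name)
$Location      = 'westeurope'         # region of the Arc resources
$VaultName     = 'kv-arc-demo'
$CertName      = 'web-tls'            # certificate name inside the vault
$CertSubject   = 'CN=web.contoso.example'   # subject you expect on the server

# 1. Look up the system-assigned managed identity of the Arc-enabled server.
#    IdentityPrincipalId is assumed to be the property exposed by Az.ConnectedMachine.
$machine     = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $MachineName
$principalId = $machine.IdentityPrincipalId

# 2a. Vault using access policies: Get/List on *secrets*. The extension reads the
#     certificate (with private key) via the secrets endpoint, so certificate
#     permissions alone would not be enough. Note this grants read on every secret
#     in the vault, so keep these certificates in a vault of their own.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId -PermissionsToSecrets get,list

# 2b. Vault using Azure RBAC instead: built-in Key Vault Secrets User role,
#     scoped to the vault itself rather than the resource group.
$vaultId = (Get-AzKeyVault -VaultName $VaultName).ResourceId
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Key Vault Secrets User' -Scope $vaultId

# 3. Extension settings. observedCertificates takes vault *secret* URLs; leaving the
#    version off the URL is what lets the extension pick up renewals automatically.
$certUrl = "https://$VaultName.vault.azure.net/secrets/$CertName"

$windowsSettings = @{
    secretsManagementSettings = @{
        pollingIntervalInS       = '3600'          # re-check the vault once an hour
        certificateStoreName     = 'MY'
        certificateStoreLocation = 'LocalMachine'
        observedCertificates     = @($certUrl)
    }
    # Arc-enabled servers serve the managed identity token from a local endpoint on port 40342.
    authenticationSettings = @{ msiEndpoint = 'http://localhost:40342/metadata/identity' }
}

New-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $MachineName `
    -Location $Location -Name 'KeyVaultForWindows' -Publisher 'Microsoft.Azure.KeyVault' `
    -ExtensionType 'KeyVaultForWindows' -Settings $windowsSettings

# Linux variant: same publisher, different type. Certificates are written as files
# under certificateStoreLocation instead of into a certificate store.
$linuxSettings = @{
    secretsManagementSettings = @{
        pollingIntervalInS       = '3600'
        certificateStoreLocation = '/var/lib/waagent/Microsoft.Azure.KeyVault'
        observedCertificates     = @($certUrl)
    }
    authenticationSettings = @{ msiEndpoint = 'http://localhost:40342/metadata/identity' }
}

New-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $LinuxMachine `
    -Location $Location -Name 'KeyVaultForLinux' -Publisher 'Microsoft.Azure.KeyVault' `
    -ExtensionType 'KeyVaultForLinux' -Settings $linuxSettings

# 4. Verify from the control plane that the extensions provisioned...
Get-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $MachineName |
    Select-Object Name, ProvisioningState

# ...and on the Windows server itself that the certificate landed in the machine store:
#   Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq $CertSubject |
#       Select-Object Subject, NotAfter, Thumbprint
# On the Linux server: ls -l /var/lib/waagent/Microsoft.Azure.KeyVault
```

Steps 2a and 2b are alternatives; run only the one that matches how your vault is configured. Because the polling interval is the maximum delay between a renewal in the vault and the new certificate appearing on the server, pick it to match how quickly you need rotations to land, and check the NotAfter date on the server after the first renewal to confirm the loop is closed.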
Conclusion
Azure Arc enabled servers is a great way to manage your servers in a hybrid and multi-cloud environment. With the new Key Vault extension (preview), Azure Arc makes it easy to manage certificates securely on the servers you are responsible for, wherever they are deployed.
If you want to learn more check out the following links:
- Azure Key Vault Extension for Windows / Linux
- Azure Key Vault
- Azure Arc enabled servers
- Have feedback on the AKV extension? Share it with us on UserVoice!
You can also watch the ITOps Talks All Things Hybrid, where I had the chance to talk with Ryan about Azure Arc enabled Servers.
If you have any questions feel free to leave a comment.