This chapter covers Azure Arc-enabled servers for monitoring hybrid VMs, a critical topic for the AZ-104 exam under Objective 5.1: Monitor non-Azure resources using Azure Arc. You will learn how to onboard on-premises or other cloud VMs into Azure Arc, deploy the Azure Monitor agent, and collect performance and log data. Expect approximately 5-10% of exam questions to touch on Azure Arc monitoring concepts, configuration steps, and common troubleshooting scenarios.
Imagine you are a building manager responsible for 1000 devices across 20 different buildings, each with its own control system. Some buildings have old wired controls, others have modern smart panels, and a few have no central management at all. You want to monitor and manage all devices from a single dashboard in your main office. Azure Arc is like a universal remote control that can communicate with any device regardless of its native protocol. You install a small adapter (the Azure Connected Machine agent) on each device that translates the device's native signals into a common language (Azure Resource Manager). The adapter registers the device with your central dashboard, assigning it a unique ID and metadata. Now, from your dashboard, you can send commands (policies, updates) and receive telemetry (metrics, logs) from every device. The adapter handles the translation and secure communication over HTTPS. If a device loses connectivity, the adapter caches commands and telemetry locally and syncs when reconnected. This universal remote approach allows you to manage heterogeneous environments uniformly, just as Azure Arc enables consistent management of hybrid and multicloud servers as if they were native Azure resources.
What is Azure Arc and Why Does It Exist?
Azure Arc is a hybrid management platform that extends the Azure Resource Manager (ARM) control plane to non-Azure environments. For monitoring, it lets you manage and monitor servers running outside Azure—on-premises, in other clouds (AWS, GCP), or at the edge—using the same tools and policies as native Azure VMs. The exam focuses on Azure Arc-enabled servers (not Kubernetes or data services). The key benefit: you can use Azure Monitor, Azure Policy, Microsoft Defender for Cloud, and Update Management across all your servers from a single pane of glass.
How Azure Arc Monitoring Works Internally
Agent Installation: You install the Azure Connected Machine agent (azcmagent) on each non-Azure server. The agent is available for Windows and Linux. It registers the server as a resource in Azure, creating a Microsoft.HybridCompute/machines resource. The agent communicates outbound over HTTPS (TCP 443) to Azure endpoints. No inbound ports are required.
Identity and Authentication: The agent uses a system-assigned managed identity (MSI) to authenticate to Azure. The identity is created in Azure AD during onboarding. The agent periodically renews tokens (default token lifetime is 8 hours). Communication is secured with TLS 1.2.
Resource Representation: Once registered, the server appears in the Azure portal as a hybrid machine. It gets an ARM resource ID, can be tagged, and can be managed via Azure Policy, RBAC, and resource locks. The agent reports a heartbeat every 5 minutes by default. If the heartbeat is missing for 15 minutes, the resource status shows 'Disconnected'; after 30 days, it shows 'Expired' and the agent must be re-onboarded.
Extension Management: Azure Arc supports VM extensions, including the Azure Monitor Agent (AMA), Dependency Agent, and Log Analytics Agent (legacy). Extensions are deployed via ARM to the hybrid machine. The agent downloads and installs extensions from Azure. The AMA is the primary agent for monitoring; it collects performance counters, Windows Event Logs, syslog, and custom logs and sends them to Log Analytics workspaces.
Data Flow: The AMA collects data based on Data Collection Rules (DCRs) defined in Azure. DCRs specify what data to collect, from which machines, and where to send it (Log Analytics workspace, Azure Storage, Event Hubs). Data is sent over HTTPS to the Log Analytics ingestion endpoint. The agent uses a local cache (default 100 MB) to buffer data during network outages; if the cache fills, older data is dropped.
Key Components, Values, Defaults, and Timers
Azure Connected Machine Agent (azcmagent): Version 1.0+ for Windows/Linux. Installed via script or manual download. Commands: azcmagent connect, azcmagent disconnect, azcmagent show, azcmagent logs.
Onboarding Methods: Interactive (portal), at scale (using service principal with azcmagent connect --service-principal-id <id> --service-principal-secret <secret>), or via Azure Policy.
Heartbeat Interval: 5 minutes. Configurable via registry (Windows) or config file (Linux).
Disconnected Threshold: 15 minutes for status change; 30 days for expiration.
Extension Timeout: Extension installation times out after 90 minutes.
Log Analytics Workspace: Required for data ingestion. Can be in any region, but data residency may apply.
Data Collection Rules (DCRs): Define data sources (performance counters, events, syslog, custom logs). Association via DCR endpoint or portal. Up to 100 DCRs per workspace.
Azure Monitor Agent: Replaces Log Analytics agent for new deployments. Supports Windows (Windows 10+, Server 2012 R2+) and Linux (multiple distros).
Network Requirements: Outbound HTTPS to *.monitor.azure.com, *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, *.blob.core.windows.net (for agent updates), and Azure AD endpoints for authentication.
Configuration and Verification Commands
Install Agent and Connect to Azure (example for Windows):
# Download and install agent
$msi = "https://aka.ms/AzureConnectedMachineAgent"
Start-BitsTransfer -Source $msi -Destination "$env:TEMP\AzureConnectedMachineAgent.msi"
# Quote the MSI path so a TEMP directory containing spaces does not break msiexec
Start-Process msiexec.exe -ArgumentList "/i `"$env:TEMP\AzureConnectedMachineAgent.msi`" /quiet" -Wait
# Connect to Azure
azcmagent connect --resource-group "my-rg" --tenant-id "<tenant-id>" --location "eastus" --subscription-id "<sub-id>"
Verify Connection:
azcmagent show
Output includes machine name, status (Connected/Disconnected), agent version, and last heartbeat time.
Deploy Azure Monitor Agent via CLI:
az connectedmachine extension create --name AzureMonitorWindowsAgent --type AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor --machine-name "myHybridVM" --resource-group "my-rg" --location "eastus"
Create Data Collection Rule (DCR) via PowerShell:
# A DCR has three parts: dataSources (what to collect), destinations (where to send it),
# and dataFlows (which stream goes to which destination). All three are required.
$dcrJson = @'
{
  "properties": {
    "dataSources": {
      "performanceCounters": [ {
        "name": "perfCounter1",
        "streams": [ "Microsoft-Perf" ],
        "counterSpecifiers": [ "\\Processor(_Total)\\% Processor Time" ],
        "samplingFrequencyInSeconds": 60
      } ]
    },
    "destinations": {
      "logAnalytics": [ {
        "name": "logAnalyticsDest",
        "workspaceResourceId": "/subscriptions/<sub-id>/resourceGroups/my-rg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"
      } ]
    },
    "dataFlows": [ { "streams": [ "Microsoft-Perf" ], "destinations": [ "logAnalyticsDest" ] } ]
  }
}
'@
$dcrJson | Set-Content -Path "$env:TEMP\myDCR.json"
# -RuleFile takes the DCR JSON; newer Az.Monitor releases build the rule from typed
# -DataSource*/-Destination*/-DataFlow parameters instead (see Get-Help New-AzDataCollectionRule).
New-AzDataCollectionRule -ResourceGroupName "my-rg" -Location "eastus" -RuleName "myDCR" -RuleFile "$env:TEMP\myDCR.json"
Associate DCR to Machine:
az monitor data-collection rule association create --name "myAssociation" --rule-id "/subscriptions/<sub-id>/resourceGroups/my-rg/providers/Microsoft.Insights/dataCollectionRules/myDCR" --resource "/subscriptions/<sub-id>/resourceGroups/my-rg/providers/Microsoft.HybridCompute/machines/myHybridVM"
Interaction with Related Technologies
Azure Policy: Use built-in policies to deploy the Connected Machine agent at scale, and to audit or enforce DCR associations. Example policy: "Deploy Azure Monitor Agent on Arc-enabled servers".
Microsoft Defender for Cloud: Arc-enabled servers can be onboarded to Defender for Cloud for threat detection, vulnerability assessment, and just-in-time VM access. Requires AMA or Log Analytics agent.
Update Management: Use Azure Automation Update Management to patch Arc-enabled servers. Requires Log Analytics agent and Automation account linked to workspace.
Azure Automation State Configuration: Push DSC configurations to Arc-enabled servers via extension.
Azure Monitor Workbooks and Alerts: Create workbooks that query Log Analytics workspaces for data from hybrid machines. Set up metric or log alerts based on collected data.
Azure Resource Graph: Query all Arc-enabled servers across subscriptions using Resource Graph explorer.
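The Resource Graph query below is an added example, not code from the chapter or from Microsoft. It lists every Arc-enabled server the caller can read, grouped by the three connection states the chapter describes, and flags machines that have been Disconnected long enough to be approaching the 30-day expiry. It assumes the Az.ResourceGraph module and an authenticated Az session (Connect-AzAccount); the property names status, lastStatusChange and agentVersion follow the Microsoft.HybridCompute/machines schema.

```powershell
# Added example: connection status of all Arc-enabled servers via Azure Resource Graph.
# Requires: Az.ResourceGraph module, Connect-AzAccount already run.

# One row per hybrid machine with its connection status and when that status last changed.
$query = @'
resources
| where type =~ "microsoft.hybridcompute/machines"
| extend status = tostring(properties.status),
         lastStatusChange = todatetime(properties.lastStatusChange),
         agentVersion = tostring(properties.agentVersion)
| project name, resourceGroup, subscriptionId, location, status, lastStatusChange, agentVersion
| order by status asc, lastStatusChange asc
'@

# -First is the page size; -UseTenantScope queries every subscription the caller can read.
$machines = Search-AzGraph -Query $query -First 1000 -UseTenantScope

# Summary by state: Connected / Disconnected / Expired.
$machines | Group-Object status | Select-Object Name, Count | Format-Table -AutoSize

# Disconnected for 25+ days: act before the resource expires and needs a fresh 'azcmagent connect'.
# (25 is a constructed warning threshold; the expiry itself is at 30 days.)
$now = Get-Date
$atRisk = $machines | Where-Object {
    $_.status -eq 'Disconnected' -and ($now - [datetime]$_.lastStatusChange).TotalDays -ge 25
}
$atRisk | Select-Object name, resourceGroup, subscriptionId, lastStatusChange | Format-Table -AutoSize
```

Running this on a schedule gives a control-plane view that does not depend on the Log Analytics workspace: a machine that stops heart-beating shows up here as Disconnected even if it never had a DCR associated.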
Exam-Relevant Details
The exam expects you to know that Azure Arc does NOT require inbound ports; only outbound HTTPS from the agent to Azure.
The default heartbeat interval is 5 minutes. If a machine is disconnected for 30 days, the resource expires and must be re-onboarded.
The Azure Monitor Agent is the recommended agent for new deployments; the Log Analytics agent is legacy but still supported.
You can onboard up to 1000 machines per Azure Arc resource group (soft limit).
The agent supports proxy configuration via azcmagent config set proxy.url "http://proxy:8080".
When using a service principal for bulk onboarding, the service principal needs 'Contributor' or 'Azure Connected Machine Onboarding' role at the resource group or subscription level.
The agent can be installed on Windows Server 2012 R2 and later, and multiple Linux distributions (RHEL, CentOS, Ubuntu, SUSE, etc.).
Azure Arc-enabled servers support the same extensions as Azure VMs, but not all extensions are available; check the list in the portal.
For monitoring, you must create a Data Collection Rule and associate it with the hybrid machine. Without a DCR, the AMA collects no data.
The AMA uses a local cache of 100 MB by default. If the cache is full and new data arrives, the oldest data is discarded.
To view monitoring data, navigate to the hybrid machine in the portal, then 'Insights' or 'Logs' to run KQL queries.
Install Azure Connected Machine Agent
Download and install the appropriate agent for the OS (Windows .msi or Linux .sh). On Windows, run the MSI silently. On Linux, use the script from Microsoft. The agent registers a service that runs as 'himds' (Hybrid Instance Metadata Service). It creates a local certificate store and connects to Azure. After installation, the agent is in a 'Pending' state until you run 'azcmagent connect'.
Connect the Agent to Azure
Run 'azcmagent connect' with parameters: resource group, tenant ID, subscription ID, location, and optionally service principal credentials. The agent generates a certificate signing request (CSR) and sends it to Azure. Azure validates the request and creates a managed identity in Azure AD. The agent receives a certificate and stores it locally. The machine now appears as a 'Microsoft.HybridCompute/machines' resource in the specified resource group. Status becomes 'Connected'.
Verify Connection and Heartbeat
Use 'azcmagent show' to confirm status. The agent sends a heartbeat to Azure every 5 minutes. In the portal, the machine's status should show 'Connected'. If the heartbeat fails for 15 minutes, status changes to 'Disconnected'. If no heartbeat for 30 days, the resource expires and the agent must be reconnected. Check logs using 'azcmagent logs' for troubleshooting.
Deploy Azure Monitor Agent Extension
From the portal, select the hybrid machine, then 'Extensions', and add 'AzureMonitorWindowsAgent' or 'AzureMonitorLinuxAgent'. Alternatively, use CLI or PowerShell. The extension is downloaded from Azure and installed. The AMA service starts and waits for a Data Collection Rule (DCR). Without a DCR, no data is collected. The extension status should show 'Succeeded'.
Create and Associate Data Collection Rule
Create a DCR in Azure Monitor specifying data sources (e.g., processor time, memory, disk, Windows events, syslog) and a destination (Log Analytics workspace). Associate the DCR with the hybrid machine using the portal, CLI, or API. The AMA polls for DCR assignments every 5 minutes. Once associated, the AMA starts collecting data and sending it to the workspace. Data is ingested into the 'Perf' and 'Event' tables.
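The script below is an added example, not the chapter's code and not Microsoft's generated onboarding script. It wraps steps 1 to 3 above (install, connect with a service principal, verify) for a Windows server and is meant to run once per machine from a deployment tool such as a task sequence; steps 4 and 5 are control-plane operations done from Azure with the extension and DCR commands shown earlier in the chapter. It assumes the service principal ID and secret and an optional proxy URL are passed to the process as environment variables named ARC_SP_ID, ARC_SP_SECRET and ARC_PROXY_URL (names chosen for this example), that the agent installs to its default path, and that the status field in 'azcmagent show' output reads Connected once onboarding has succeeded.

```powershell
# Added example: per-machine Arc onboarding wrapper (install -> connect -> verify).
# Assumed inputs: $env:ARC_SP_ID, $env:ARC_SP_SECRET, optional $env:ARC_PROXY_URL.
$ErrorActionPreference = 'Stop'
$agent = "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe"   # default install path

# 1. Install the agent only if it is not already present.
if (-not (Test-Path $agent)) {
    $msiPath = "$env:TEMP\AzureConnectedMachineAgent.msi"
    Invoke-WebRequest -Uri "https://aka.ms/AzureConnectedMachineAgent" -OutFile $msiPath -UseBasicParsing
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$msiPath`" /quiet /norestart" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "MSI install failed with exit code $($p.ExitCode)" }
}

# The agent only makes outbound HTTPS calls, so the proxy URL is the single network setting it needs.
if ($env:ARC_PROXY_URL) {
    & $agent config set proxy.url $env:ARC_PROXY_URL
}

# Skip the connect step if this machine already reports Connected. -cmatch is case-sensitive,
# so 'Disconnected' and 'Expired' do not match and fall through to a (re-)connect, which is
# exactly what an expired resource needs.
$show = (& $agent show) -join "`n"
if ($show -cmatch 'Connected') {
    Write-Output "Already connected; nothing to do."
    return
}

# 2. Connect with the service principal. The secret is read from the environment rather than
#    written into the script, so the deployed script file holds no credential.
foreach ($v in 'ARC_SP_ID', 'ARC_SP_SECRET') {
    if (-not (Get-Item "env:$v" -ErrorAction SilentlyContinue)) { throw "Missing environment variable $v" }
}
& $agent connect `
    --service-principal-id $env:ARC_SP_ID `
    --service-principal-secret $env:ARC_SP_SECRET `
    --resource-group "my-rg" --tenant-id "<tenant-id>" `
    --subscription-id "<sub-id>" --location "eastus"
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# 3. Verify: status should read Connected; the first heartbeat follows within the 5-minute interval.
$show = (& $agent show) -join "`n"
if ($show -cmatch 'Connected') {
    Write-Output "Onboarding succeeded."
} else {
    & $agent logs    # collects the agent logs into an archive for troubleshooting
    throw "Agent is not reporting Connected:`n$show"
}
```

The service principal used here only needs the 'Azure Connected Machine Onboarding' role on the target resource group, which is enough to register machines and nothing more; granting Contributor instead works but gives the deployment credential far wider rights than onboarding requires.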
Enterprise Scenario 1: Centralized Monitoring of On-Premises Servers
A large financial institution has 500 Windows and Linux servers across three data centers. They use Azure Arc to bring these servers under Azure Monitor. The team deploys the Connected Machine agent using a Configuration Manager task sequence (Windows) and a shell script (Linux) with a service principal for authentication. They create a single Data Collection Rule that collects common performance counters (CPU, memory, disk) and critical Windows Event Logs (Security, Application, System) and syslog (auth, kern). The DCR sends data to a centralized Log Analytics workspace. They set up dashboards and alerts for disk space >90%, CPU >80%, and failed logins. The benefits: unified view, no need for separate monitoring tools, and ability to use Azure Workbooks. Common issues: network proxy configuration; the agent must be configured with proxy URL if servers require proxy for outbound traffic. Also, if the Log Analytics workspace is in a different region, data egress charges apply.
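The block below is an added example (not part of the chapter) that turns two of the Scenario 1 alert conditions, CPU above 80% and failed logins, into Log Analytics queries run from PowerShell with Invoke-AzOperationalInsightsQuery, and adds the disk condition (more than 90% used, expressed as less than 10% free). It assumes the DCR collects the Processor and LogicalDisk counters and the Security event log, that Security events land in the Event table as the chapter states, and that $workspaceId holds the workspace's customer ID, shown here as a placeholder.

```powershell
# Added example: check Scenario 1 thresholds against data the AMA has sent to the workspace.
# Requires: Az.OperationalInsights module, Connect-AzAccount already run.
$workspaceId = "<workspace-id>"   # placeholder: the Log Analytics workspace customer ID (GUID)

# Perf table: average over the last hour per computer/counter, then apply the thresholds.
# Disk "more than 90% used" is the same as "% Free Space" below 10.
$perfKql = @'
Perf
| where TimeGenerated > ago(1h)
| where (ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName == "_Total")
     or (ObjectName == "LogicalDisk" and CounterName == "% Free Space" and InstanceName != "_Total")
| summarize Value = avg(CounterValue) by Computer, ObjectName, CounterName, InstanceName
| where (ObjectName == "Processor" and Value > 80)
     or (ObjectName == "LogicalDisk" and Value < 10)
| extend Breach = iff(ObjectName == "Processor", "CPU above 80%",
                      strcat("Disk ", InstanceName, " above 90% used"))
| project Computer, Breach, Value = round(Value, 1)
'@

# Event table: Windows Security log event 4625 is a failed logon. The threshold of 10 per hour
# is a constructed value; tune it to the environment before turning this into an alert rule.
$logonKql = @'
Event
| where TimeGenerated > ago(1h)
| where EventLog == "Security" and EventID == 4625
| summarize FailedLogons = count() by Computer
| where FailedLogons > 10
| order by FailedLogons desc
'@

$perf = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $perfKql -Timespan (New-TimeSpan -Hours 1)
$perf.Results | Format-Table Computer, Breach, Value -AutoSize

$logons = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $logonKql -Timespan (New-TimeSpan -Hours 1)
$logons.Results | Format-Table Computer, FailedLogons -AutoSize
```

The same KQL can be pasted unchanged into a log alert rule in Azure Monitor; running it interactively first shows whether the DCR is actually delivering the counters and events the rule depends on, which is the usual reason an Arc monitoring alert never fires.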
Enterprise Scenario 2: Compliance and Security Monitoring with Defender for Cloud
A healthcare company must audit and secure servers across on-premises and AWS. They onboard all servers to Azure Arc and enable Microsoft Defender for Cloud. They use Azure Policy to automatically deploy the Connected Machine agent and AMA to new servers. Defender for Cloud provides vulnerability assessments, file integrity monitoring, and adaptive application controls. They also collect security events via DCR and use Azure Sentinel for SIEM. The challenge: some legacy servers run Windows Server 2008 R2, which is not supported by the AMA; they must use the Log Analytics agent instead. Also, Defender for Cloud requires the Log Analytics agent for some features, so they plan a migration. Performance: the AMA uses about 1-2% CPU and 50 MB memory per server, acceptable for most workloads.
Scenario 3: Patch Management and Update Compliance
A retail company uses Azure Automation Update Management to patch 200 Arc-enabled servers. They deploy the Log Analytics agent (required for Update Management) and link the workspace to an Automation account. They schedule monthly patching windows. The DCR collects update compliance data. They use Azure Monitor alerts to notify when updates are missing or installation fails. Pitfalls: the Log Analytics agent must be version 10.0.0 or later; the Automation account and workspace must be in the same region. If the server is disconnected for more than 30 days, it must be re-onboarded, and the Update Management enrollment is lost.
What AZ-104 Tests on Azure Arc Monitoring
Objective 5.1: Monitor non-Azure resources using Azure Arc. The exam focuses on:
Understanding the Azure Connected Machine agent and its connectivity requirements.
Onboarding servers using interactive, service principal, or policy-based methods.
Deploying the Azure Monitor Agent (AMA) and configuring Data Collection Rules.
Interpreting machine status (Connected, Disconnected, Expired) and troubleshooting connectivity.
Knowing the default timers: heartbeat 5 min, disconnect threshold 15 min, expiration 30 days.
Understanding that Azure Arc does not require inbound ports.
Common Wrong Answers and Why Candidates Choose Them
Wrong: 'Azure Arc requires inbound ports for monitoring.' Why wrong: Candidates confuse Azure Arc with traditional agents that listen for commands. Azure Arc uses only outbound HTTPS; no inbound ports are needed. The agent initiates all communication.
Wrong: 'The Log Analytics agent is required for Azure Arc monitoring.' Why wrong: While the Log Analytics agent is supported, the recommended agent is the Azure Monitor Agent (AMA). The exam expects you to know that AMA is the newer, preferred agent.
Wrong: 'A disconnected machine can be reconnected without reinstallation.' Why wrong: If a machine is disconnected for more than 30 days, the resource expires and the agent must be reconnected using 'azcmagent connect' again. If the machine is disconnected for less than 30 days, it will automatically reconnect when heartbeat resumes.
Wrong: 'You can monitor Arc-enabled servers without a Log Analytics workspace.' Why wrong: While the machine can be managed (policies, tags) without a workspace, monitoring data (metrics, logs) requires a Log Analytics workspace as a destination in the DCR.
Specific Numbers, Values, and Terms on the Exam
Default heartbeat: 5 minutes.
Disconnected after: 15 minutes of no heartbeat.
Expired after: 30 days of disconnection.
Agent installation: 'azcmagent connect'.
Extension for AMA: 'AzureMonitorWindowsAgent' or 'AzureMonitorLinuxAgent'.
Onboarding roles: 'Azure Connected Machine Onboarding' role or 'Contributor'.
Proxy configuration: 'azcmagent config set proxy.url'.
Data Collection Rule association: 'az monitor data-collection rule association create'.
Edge Cases and Exceptions
Windows Server 2008 R2 is NOT supported by AMA; use Log Analytics agent.
Linux distributions must be specific supported versions (e.g., RHEL 7.4+, Ubuntu 16.04+).
The agent cannot be installed on Azure VMs; it is only for non-Azure machines.
If the machine is behind a firewall, you must allow specific FQDNs (not just IP ranges).
The agent supports private endpoints for secure connectivity to Log Analytics.
How to Eliminate Wrong Answers Using the Underlying Mechanism
When you see a question about Azure Arc connectivity, think: 'Does the agent initiate the connection?' If yes, then inbound ports are not needed. For monitoring data, remember that the AMA collects data only when a DCR is associated. If a question asks about collecting performance counters, the answer must involve a DCR. For status, recall the timers: 5 min heartbeat, 15 min disconnected, 30 days expired. Use these to eliminate options that mention incorrect intervals.
Azure Arc extends Azure Resource Manager to non-Azure servers via the Connected Machine agent.
The agent communicates outbound over HTTPS only; no inbound ports required.
Default heartbeat interval is 5 minutes; machine shows 'Disconnected' after 15 minutes, 'Expired' after 30 days.
Log Analytics workspace is required to store monitoring data from Arc-enabled servers.
Azure Monitor Agent (AMA) is the preferred agent; use Data Collection Rules (DCRs) to define data collection.
Onboarding can be done interactively, with a service principal, or via Azure Policy.
The agent supports proxy configuration via 'azcmagent config set proxy.url'.
Extensions, including AMA, are deployed from Azure to Arc-enabled servers.
Role 'Azure Connected Machine Onboarding' is required for service principal-based onboarding.
Azure Policy can automate agent deployment and DCR association at scale.
Windows Server 2008 R2 is not supported by AMA; use Log Analytics agent instead.
Arc-enabled servers appear in the portal as 'Machines - Azure Arc' resource type.
These come up on the exam all the time. Here's how to tell them apart.
Azure Monitor Agent (AMA)
Newer agent, recommended for new deployments.
Uses Data Collection Rules (DCRs) for configuration.
Supports Windows and Linux (wider Linux support).
Lower resource usage (CPU, memory) compared to legacy agent.
Supports private endpoints and Azure Monitor data ingestion.
Log Analytics Agent (MMA/OMS)
Legacy agent, still supported but not recommended for new setups.
Configured via Log Analytics workspace settings (not DCRs).
Limited Linux support (older versions).
Higher resource consumption.
Does not support private endpoints for data ingestion.
Mistake: Azure Arc requires opening inbound ports on the firewall.
Correct: Azure Arc uses only outbound HTTPS (TCP 443) from the agent to Azure. No inbound ports are needed. The agent initiates all communication.
Mistake: The Log Analytics agent is the only agent for Azure Arc monitoring.
Correct: The Azure Monitor Agent (AMA) is the recommended agent. The Log Analytics agent is legacy but still supported. The exam expects you to know AMA is preferred.
Mistake: Once a machine is disconnected, it must be re-onboarded from scratch.
Correct: If disconnected for less than 30 days, the machine reconnects automatically when heartbeat resumes. Only after 30 days does the resource expire, requiring re-onboarding.
Mistake: Azure Arc can monitor Azure VMs as well.
Correct: Azure Arc is for non-Azure machines only. Azure VMs are already managed natively by Azure Resource Manager.
Mistake: The Azure Connected Machine agent can be installed on any operating system.
Correct: The agent supports specific versions: Windows Server 2012 R2+, Windows 10+, and select Linux distros (RHEL 7.4+, Ubuntu 16.04+, SUSE 12+, etc.). Older OS versions like Windows Server 2008 R2 are not supported.
Download the installation script from Microsoft: 'wget https://aka.ms/azcmagent -O install_linux_azcmagent.sh'. Then run 'bash install_linux_azcmagent.sh'. After installation, connect to Azure using 'azcmagent connect' with the appropriate parameters. The script adds the Microsoft repository and installs the 'azurecm' package.
The agent needs outbound HTTPS (TCP 443) to Azure endpoints: *.monitor.azure.com, *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, *.blob.core.windows.net, and Azure AD endpoints (login.microsoftonline.com). No inbound ports. If using a proxy, configure it with 'azcmagent config set proxy.url'.
Yes. You can install the Azure Connected Machine agent on an EC2 instance (Windows or Linux) and onboard it to Azure Arc. The instance will appear as a hybrid machine. You can then deploy the Azure Monitor Agent and collect data into a Log Analytics workspace, just like on-premises servers.
The agent continues to run locally and caches any pending operations (e.g., extension installations). If connectivity is restored within 30 days, the agent reconnects automatically and syncs. If disconnected for more than 30 days, the resource expires and you must re-run 'azcmagent connect'.
Use Azure Policy to deploy the AMA extension to all Arc-enabled servers in a subscription or resource group. Create a policy definition that deploys the extension if not already present. Alternatively, use CLI or PowerShell scripts to iterate through machines and install the extension.
The service principal needs the 'Azure Connected Machine Onboarding' role at the resource group or subscription level. This role allows the service principal to register new hybrid machines. Alternatively, 'Contributor' role also works.
You can manage the server (apply tags, policies, RBAC) without a workspace. However, to collect monitoring data (performance, logs), you must have a Log Analytics workspace and associate a Data Collection Rule that sends data to it.