This chapter covers Azure Arc-enabled applications, a critical topic for the AZ-204 exam under Compute objective 1.2. Azure Arc extends Azure management and services to any infrastructure, including on-premises, multi-cloud, and edge environments. Approximately 10-15% of exam questions may touch on Arc-related concepts, especially in scenarios involving hybrid deployments, policy enforcement, and Kubernetes management. Mastering this chapter ensures you can design and implement solutions that leverage Azure Arc for unified governance, application deployment, and monitoring across diverse environments.
Jump to a section
Imagine you work for a company that has offices in New York, London, and Tokyo, each with its own set of servers and applications. Your corporate headquarters wants to enforce consistent security policies, monitor performance, and apply updates across all locations, but each office has its own local IT team that manages their servers independently. Azure Arc acts like a universal remote control that can talk to any TV, regardless of brand or model. Instead of physically traveling to each office, you install a small agent (the Arc agent) on each server. This agent establishes a secure outbound connection to Azure, reporting metadata and health status. Through the Azure portal, you can now see all servers from all offices in a single pane, apply Azure policies (like installing anti-malware or enforcing disk encryption), and even deploy Kubernetes applications to on-premises clusters as if they were native Azure resources. The key is that the connection is initiated from the on-premises server to Azure, so no inbound firewall ports need to be opened. This mirrors how a universal remote learns the IR codes of different devices and sends commands without needing a direct wired connection.
What is Azure Arc and Why Does It Exist?
Azure Arc is a hybrid and multi-cloud management platform that extends Azure Resource Manager (ARM) control plane and services to resources running outside of Azure. This includes physical servers, virtual machines (VMs), Kubernetes clusters, and data services running on-premises, at the edge, or in other public clouds (e.g., AWS, GCP). The primary goal is to provide a consistent management experience across all environments, enabling organizations to use Azure tools like Azure Policy, Azure Monitor, Azure Defender, and role-based access control (RBAC) on non-Azure resources.
For the AZ-204 exam, you need to understand how Azure Arc enables developers to deploy and manage applications consistently. Specifically, Arc allows you to:
Manage Kubernetes clusters anywhere using Azure Kubernetes Service (AKS) on Azure Arc.
Deploy Azure services like Azure App Service, Azure Functions, and Azure Logic Apps to on-premises or edge environments via Arc-enabled Kubernetes.
Enforce organizational policies and compliance across hybrid estates.
Use GitOps for configuration management of Kubernetes clusters.
How Azure Arc Works Internally
Azure Arc operates on a model where an agent or service is installed on the target resource, which then establishes an outbound connection to Azure. This ensures that no inbound ports need to be opened in firewalls, enhancing security.
For servers (Arc-enabled servers): - The Azure Connected Machine agent is installed on Windows or Linux machines. - The agent registers the machine as an Azure resource in a specified resource group and region (the region is where the resource metadata is stored, not the physical location). - The agent periodically (every 5 minutes by default) sends heartbeat and metadata to Azure. It also listens for policy assignments and configuration changes from Azure. - Azure Policy can be applied to these machines using guest configuration extensions. For example, you can enforce that a specific software is installed or that certain firewall rules are active.
For Kubernetes clusters (Arc-enabled Kubernetes): - You deploy the Arc-enabled Kubernetes agent on the cluster (using a Helm chart). - The agent connects to Azure Resource Manager and registers the cluster. - You can then deploy Azure Arc-enabled services like App Service on Azure Arc or Azure Functions on Azure Arc onto the cluster. - GitOps is used to manage configurations: a Git repository holds desired state YAML files, and Flux (a GitOps operator) syncs the cluster to that state.
Key Components and Defaults
Azure Connected Machine Agent: Installed on servers. Default heartbeat interval: 5 minutes. Supports Windows Server 2012 R2 and later, Ubuntu 16.04+, CentOS 7+, etc.
Arc-enabled Kubernetes Agent: Deployed as a Helm chart. Requires cluster connectivity to Azure (outbound HTTPS to specific endpoints).
Azure Arc Resource Bridge: A lightweight Kubernetes cluster that hosts Arc services on-premises. It is required for some Arc services like Azure Stack HCI management.
Arc-enabled Data Services: SQL Managed Instance and PostgreSQL Hyperscale can be deployed on-premises via Arc. They use a Kubernetes-based infrastructure.
Configuration and Verification Commands
Register a server with Azure Arc using Azure CLI:
az connectedmachine register \
--resource-group myResourceGroup \
--name myMachine \
--location eastus \
--subscription mySubscriptionThis command downloads and installs the agent, registers the machine, and creates a resource in Azure.
Verify server registration:
az connectedmachine list --resource-group myResourceGroup --output tableConnect a Kubernetes cluster to Azure Arc:
az connectedk8s connect --name myCluster --resource-group myResourceGroup --location eastusThis deploys the Arc agent Helm chart to the cluster.
Verify cluster connection:
az connectedk8s show --name myCluster --resource-group myResourceGroupEnable GitOps on an Arc-enabled Kubernetes cluster:
az k8s-configuration create \
--name myConfig \
--cluster-name myCluster \
--resource-group myResourceGroup \
--operator-instance-name flux \
--operator-namespace flux-system \
--repository-url https://github.com/myorg/myconfig \
--scope cluster \
--cluster-type connectedClustersInteraction with Related Technologies
Azure Policy: Arc-enabled servers can be assigned Azure Policy initiatives (e.g., guest configuration policies) to audit or enforce settings.
Azure Monitor: Arc-enabled servers and Kubernetes clusters can send logs and metrics to Azure Monitor for unified monitoring.
Azure Defender: Provides threat detection for Arc-enabled servers (requires Azure Defender for servers).
Azure RBAC: You can assign roles to users for Arc resources just like native Azure resources.
Azure DevOps: Pipelines can deploy applications to Arc-enabled Kubernetes clusters using standard Kubernetes tasks.
Exam Relevance
For AZ-204, you are expected to:
Understand how to onboard servers and Kubernetes clusters to Azure Arc.
Be able to deploy Azure App Service and Azure Functions on Arc-enabled Kubernetes.
Know that GitOps is the recommended method for managing configurations on Arc-enabled clusters.
Recognize that Arc does NOT migrate workloads to Azure; it brings Azure management to where the workloads are.
Common Mistakes and Traps
Assuming Arc makes resources native Azure resources: Arc-managed resources are still running outside Azure. They are represented as Azure resources for management purposes, but they do not get Azure SLA, and they are not physically migrated.
Thinking Arc requires inbound connectivity: Arc agents always initiate outbound connections. No inbound ports are required.
Confusing Arc with Azure Migrate: Azure Migrate is for discovery and migration; Arc is for ongoing management after migration (or without migration).
Forgetting that Arc-enabled Kubernetes clusters require a supported Kubernetes version (currently 1.20+).
Edge Cases
Disconnected mode: Arc-enabled Kubernetes clusters can operate in a partially disconnected state, but GitOps will not sync until connectivity is restored.
Arc Resource Bridge: For some services (like Azure Stack HCI), Arc Resource Bridge is a required intermediary that runs as a lightweight Kubernetes cluster on-premises.
Private endpoints: Arc can connect to Azure using private endpoints over ExpressRoute or VPN, but the agent still initiates outbound connections.
Summary
Azure Arc is a powerful tool for extending Azure management to any infrastructure. It uses agents that connect outbound to Azure, enabling consistent policy, monitoring, and application deployment. For the exam, focus on the onboarding process, GitOps configuration, and the scenarios where Arc is the correct choice (hybrid management, not migration).
Install Azure Connected Machine Agent
On each server you want to manage with Azure Arc, download and install the Azure Connected Machine agent. The agent is available for Windows and Linux. During installation, the agent generates a unique identity for the machine. You can install it interactively or silently using scripts. The agent requires outbound HTTPS access to Azure endpoints (e.g., management.azure.com, login.microsoftonline.com). It does not require any inbound ports. After installation, the agent runs as a service (himds on Windows, himds on Linux) and starts sending heartbeats every 5 minutes.
Register the Server with Azure
Use the Azure CLI or PowerShell command `az connectedmachine register` to register the machine. This command authenticates the agent to Azure using a device code or service principal. It creates a resource of type 'Microsoft.HybridCompute/machines' in the specified resource group and region. The machine is now visible in the Azure portal under 'Azure Arc > Servers'. The agent continues to send heartbeats and can receive policy assignments and extensions from Azure.
Assign Azure Policy to Arc-Enabled Server
From Azure Policy, assign a policy initiative (e.g., 'Windows machines should meet requirements for the Azure Compute Security Baseline') to the resource group containing the Arc-enabled server. The policy is enforced via guest configuration extensions. The agent downloads the policy definition and applies it locally. For example, a policy might require that Windows Defender Antivirus is enabled. The agent reports compliance status back to Azure. If the machine is offline, the policy remains pending until the next heartbeat.
Connect Kubernetes Cluster to Azure Arc
Ensure you have a Kubernetes cluster (e.g., on-premises, AWS EKS) with kubectl access. Run `az connectedk8s connect` to deploy the Arc agent Helm chart. The chart includes components like cluster-metadata-operator, resource-sync-agent, and config-agent. These components establish an outbound connection to Azure and register the cluster as a 'Microsoft.Kubernetes/connectedClusters' resource. The cluster appears in Azure portal under 'Azure Arc > Kubernetes clusters'. The connection uses HTTPS to Azure endpoints.
Configure GitOps on Arc-Enabled Cluster
Use `az k8s-configuration create` to set up GitOps. This deploys Flux, a GitOps operator, onto the cluster. Flux monitors a Git repository for changes to YAML manifests. When changes are detected, Flux automatically applies them to the cluster to ensure the desired state. For example, you can store Kubernetes deployment manifests in a Git repo, and any push triggers an update. GitOps is the recommended method for managing configurations on Arc-enabled clusters. You can set the synchronization interval (default 5 minutes) and scope (cluster or namespace).
Scenario 1: Retail Chain with Edge Locations A global retailer has hundreds of stores, each with local servers running inventory management applications. They want to enforce consistent security policies (e.g., disk encryption, antivirus) and collect performance metrics centrally without replacing on-premises hardware. They deploy Azure Arc on each store server. Using Azure Policy, they enforce that all servers have BitLocker enabled and Windows Defender running. Azure Monitor collects logs and metrics, alerting the central IT team if any server goes offline or has high CPU usage. The challenge: store servers may have intermittent internet connectivity. Arc agents handle this gracefully by queuing policy updates and sending them when online. If a server is offline for more than 30 days, it is marked as 'disconnected' in Azure. The team uses Azure Update Management to schedule patching during off-hours.
Scenario 2: Financial Services with Hybrid Kubernetes A bank runs a Kubernetes cluster on-premises for sensitive payment processing, but also uses AKS in Azure for development. They want a unified view of all clusters and consistent RBAC policies. They connect the on-premises cluster to Azure Arc. Now they can see both clusters in the Azure portal, apply Azure Policy to ensure containers are running with restricted privileges, and use Azure Monitor for container insights. They use GitOps to deploy configurations: a Git repo holds manifests for both clusters, and Flux syncs changes. When a developer pushes a new deployment, it rolls out to both clusters automatically. The bank also deploys Azure App Service on Azure Arc to run a legacy web app on-premises, benefiting from Azure's autoscaling and monitoring without migrating to the cloud.
Scenario 3: Manufacturing with IoT Edge A manufacturer has factory floor devices running IoT Edge modules. They want to manage these devices alongside their cloud resources. They use Azure Arc to onboard the IoT Edge devices as Arc-enabled servers. This allows them to apply policies, monitor device health, and deploy updates from Azure. They also use Azure Arc-enabled Kubernetes to run containerized workloads on edge gateways. The key consideration: edge devices have limited resources, so the Arc agent must be lightweight. Microsoft provides a lightweight agent for these scenarios. Misconfiguration often occurs when firewall rules block the outbound HTTPS connections required by the agent, causing the devices to show as disconnected.
The AZ-204 exam tests Azure Arc under Objective 1.2 'Implement Azure compute solutions', specifically focusing on deploying and managing applications in hybrid environments. Expect 2-3 questions that require you to identify when to use Azure Arc versus other services like Azure Migrate or Azure Site Recovery.
Common Wrong Answers: 1. 'Azure Arc migrates on-premises resources to Azure' – This is false. Arc does not migrate; it manages resources in place. The correct answer is that Arc extends Azure management to non-Azure resources. 2. 'Azure Arc requires inbound connectivity' – False. Arc agents always initiate outbound connections. No inbound ports are needed. 3. 'Arc-enabled Kubernetes clusters must be running AKS engine' – False. Arc supports any CNCF-certified Kubernetes cluster (e.g., OpenShift, Rancher, AWS EKS). 4. 'Azure Arc can only manage servers, not Kubernetes' – False. Arc manages both servers and Kubernetes clusters.
Specific Values and Terms:
- Heartbeat interval: 5 minutes (default).
- Disconnected threshold: 30 days (after which the resource is considered disconnected).
- GitOps operator: Flux (deployed via az k8s-configuration create).
- Arc agent for servers: Azure Connected Machine agent.
- Arc agent for Kubernetes: Helm chart with multiple components.
- Supported Kubernetes versions: 1.20 and later (check current documentation).
Edge Cases Tested: - What happens if the on-premises server loses connectivity? The agent continues to operate locally, but policy updates and monitoring data are queued. After 30 days, the resource is marked disconnected. - Can you use Azure Arc with private endpoints? Yes, but the agent still initiates outbound connections to the private endpoint (over ExpressRoute or VPN). - Can you deploy Azure App Service on Arc? Yes, using App Service on Azure Arc, which runs on Arc-enabled Kubernetes.
How to Eliminate Wrong Answers: - If the question mentions 'migration', it's likely not Arc (use Azure Migrate). - If the question mentions 'disaster recovery', it's likely not Arc (use Azure Site Recovery). - If the question mentions 'monitoring and policy across on-prem and cloud', it's likely Arc. - If the question mentions 'GitOps', it's definitely Arc for Kubernetes.
Exam Tip: Read the scenario carefully. If the goal is to manage existing resources without moving them, and the solution involves Azure Policy or Azure Monitor, choose Arc. If the goal is to move workloads to Azure, choose Azure Migrate.
Azure Arc extends Azure Resource Manager and management services to any infrastructure (on-premises, multi-cloud, edge).
Arc agents initiate outbound HTTPS connections; no inbound ports required.
Default heartbeat interval for Arc-enabled servers is 5 minutes.
A server is marked as disconnected after 30 days of no heartbeat.
Arc-enabled Kubernetes uses GitOps (Flux) as the recommended configuration management method.
Azure Arc does not migrate workloads; it manages them in place.
Arc supports both Windows and Linux servers, and any CNCF-certified Kubernetes cluster.
You can deploy Azure App Service, Azure Functions, and Azure Logic Apps on Arc-enabled Kubernetes.
Azure Policy can be applied to Arc-enabled servers via guest configuration extensions.
Arc-enabled resources appear in Azure portal but are physically outside Azure.
These come up on the exam all the time. Here's how to tell them apart.
Azure Arc
Manages resources in their current location (on-premises, multi-cloud).
Does not move or migrate workloads.
Extends Azure management (policy, monitoring, RBAC) to non-Azure resources.
Requires agent installation on servers or Kubernetes clusters.
Use for hybrid management and governance.
Azure Migrate
Discovers and assesses on-premises workloads for migration.
Migrates workloads to Azure (e.g., VMs, databases).
Provides dependency mapping and cost estimation.
Uses appliance-based discovery (no permanent agent).
Use for migration planning and execution.
Mistake
Azure Arc moves on-premises servers into Azure.
Correct
Azure Arc does not migrate servers. It installs an agent that enables Azure management, but the server remains physically on-premises. The server becomes an Azure resource only for management purposes.
Mistake
Azure Arc requires opening inbound ports in the firewall.
Correct
Arc agents always initiate outbound HTTPS connections to Azure. No inbound ports are required, making it secure for environments with strict firewall rules.
Mistake
Arc-enabled Kubernetes clusters must be running on Azure Stack HCI.
Correct
Arc supports any CNCF-certified Kubernetes cluster, including on-premises, AWS EKS, GKE, OpenShift, etc. Azure Stack HCI is just one option.
Mistake
Azure Arc can only manage Windows servers.
Correct
Arc supports both Windows and Linux servers. The Azure Connected Machine agent is available for major Linux distributions like Ubuntu, CentOS, RHEL, and SUSE.
Mistake
GitOps is optional for Arc-enabled Kubernetes.
Correct
GitOps is the recommended and primary method for configuration management on Arc-enabled Kubernetes clusters. While you can manually apply configurations, GitOps provides declarative, version-controlled management.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Stack is a hardware appliance that runs Azure services on-premises, giving you a true Azure environment in your data center. Azure Arc, on the other hand, is a software solution that extends Azure management to existing non-Azure infrastructure (servers, Kubernetes clusters) without requiring Azure hardware. Arc does not run Azure services natively; it manages resources and can deploy some Azure services (like App Service) onto Arc-enabled Kubernetes. In short, Azure Stack is about bringing Azure to your data center; Azure Arc is about managing your data center from Azure.
Yes. You can install the Azure Connected Machine agent on an EC2 instance running Windows or Linux. The agent will register the instance as an Arc-enabled server in Azure. You can then apply Azure Policy, monitor with Azure Monitor, and use Azure Defender. The EC2 instance remains in AWS, but you manage it from Azure. This is a common multi-cloud management scenario.
The Azure Connected Machine agent continues to run locally, but it cannot send heartbeats or receive policy updates. The server remains operational. In Azure, after 30 days of no heartbeat, the server is marked as 'disconnected'. When connectivity is restored, the agent reconnects and resumes normal operation. Any policy assignments that were missed are applied during the next sync.
First, you need an Arc-enabled Kubernetes cluster. Then, you enable the App Service extension on the cluster. This can be done via the Azure portal or CLI. After the extension is installed, you can create a custom location (a namespace on the cluster) and then create App Service plans and apps within that custom location. The apps run on the on-premises cluster but are managed from Azure. This is useful for running web apps in locations with data residency requirements.
Azure Arc Resource Bridge is a lightweight Kubernetes cluster that runs on-premises and acts as a bridge between Azure and your on-premises infrastructure. It is required for some Arc services, such as Azure Stack HCI management and Arc-enabled VMware vSphere. The Resource Bridge hosts Arc resource providers that enable Azure to manage on-premises resources like VMs on vSphere or Hyper-V. It is deployed as a virtual appliance and connects outbound to Azure.
Yes. You can assign Azure Policy definitions to Arc-enabled Kubernetes clusters. The policies are enforced by the Azure Policy for Kubernetes add-on, which is installed as an extension on the cluster. For example, you can enforce that containers must not run as root, or that certain namespaces are required. The add-on audits and enforces policies based on Azure Policy definitions.
Yes, through Azure Arc-enabled SQL Server. This feature registers your on-premises SQL Server instances with Azure, enabling you to manage them from the Azure portal. You can apply policies, monitor performance, and enable security features like Azure Defender for SQL. The SQL Server instance remains on-premises, but you get a unified management experience. This is part of the Azure Arc ecosystem.
You've just covered Azure Arc-Enabled Applications — now see how well it sticks with free AZ-204 practice questions. Full explanations included, no account needed.
Done with this chapter?