2. Can virtual machines (VMs) running in Microsoft Azure be monitored from on-premises?
Yes. A VM running in Windows Azure IaaS is essentially a VM running a host OS, and as such the VM and any applications that reside on it can be monitored.
We used System Center Operations Manager 2012 R2 to accomplish this monitoring requirement.
3. Challenges
1) Communication: cross-premises connectivity is required, and the appropriate port (TCP 5723, used by the OpsMgr agent to reach the Management Server) must be opened to facilitate this communication.
2) Authentication: the Azure VM is outside of the trusted environment of the SCOM Management group.
4. Solution
Communication:
i) A Site-to-Site (S2S) VPN connection: needs a VPN device
ii) Point-to-Site (P2S) VPN connection
iii) Express Gateway
Authentication:
i) Kerberos Authentication
ii) Certificate-based Authentication
We will have to make use of certificates for mutual authentication with the on-premises Management Server. If, however, this server were in the same trusted environment as the OpsMgr management group, Kerberos would be used for authentication.
6. The high-level steps for deploying the agent to the untrusted VM in Azure
1. Ensure that you can connect to the Management Server from the Azure VM over port 5723
2. Import the root and intermediate certificates on the Azure VM(s)
3. Generate and install the individual client certificate(s) on the Azure VM(s)
4. Manually install the OpsMgr agent on the Azure VM
5. Run the MOMCertImport tool on the Azure VM
6. Approve the pending agents in the OpsMgr console
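The six steps above, carried out from an elevated PowerShell session on the Azure VM, as an added example that is not part of the original deck. The Management Server FQDN, management group name, certificate folder and media paths are placeholders (assumptions, not values from the page); the EKU check reflects the OpsMgr requirement that an agent certificate carry both Server and Client Authentication usages.

```powershell
# Added example: run on the Azure VM as Administrator. All names below are assumed placeholders.
$ManagementServer = 'scom-ms01.corp.example'            # assumed on-premises Management Server FQDN
$ManagementGroup  = 'CORP_MG'                           # assumed OpsMgr management group name
$CertDir          = 'C:\OpsMgrCerts'                    # assumed folder holding exported certificates
$AgentMsi         = 'D:\agent\AMD64\MOMAgent.msi'       # assumed path on the OpsMgr 2012 R2 media
$CertImportTool   = 'D:\SupportTools\AMD64\MOMCertImport.exe'  # assumed path on the same media

# Step 1: confirm TCP 5723 is reachable across the VPN before doing anything else.
$conn = Test-NetConnection -ComputerName $ManagementServer -Port 5723
if (-not $conn.TcpTestSucceeded) {
    throw "TCP 5723 to $ManagementServer is blocked; fix the VPN route or firewall first"
}

# Step 2: import the issuing chain so the Management Server's certificate chains to a trusted root.
Import-Certificate -FilePath "$CertDir\root-ca.cer"         -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath "$CertDir\intermediate-ca.cer" -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null

# Step 3: install this VM's own certificate (PFX with private key) into the machine Personal store.
$pfx  = "$CertDir\$env:COMPUTERNAME.pfx"
$pw   = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pw

# Check the certificate is usable for mutual authentication: OpsMgr needs both
# Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    Select-Object -ExpandProperty EnhancedKeyUsages | ForEach-Object { $_.Value }
if (-not ($eku -contains '1.3.6.1.5.5.7.3.1' -and $eku -contains '1.3.6.1.5.5.7.3.2')) {
    throw "Certificate $($cert.Subject) lacks the Server/Client Authentication EKUs OpsMgr requires"
}

# Step 4: manual agent install pointed at the on-premises Management Server over the secure port.
$msiArgs = @('/i', "`"$AgentMsi`"", '/qn', 'USE_SETTINGS_FROM_AD=0',
             "MANAGEMENT_GROUP=$ManagementGroup", "MANAGEMENT_SERVER_DNS=$ManagementServer",
             "MANAGEMENT_SERVER_AD_NAME=$ManagementServer", 'SECURE_PORT=5723',
             'ACTIONS_USE_COMPUTER_ACCOUNT=1', 'AcceptEndUserLicenseAgreement=1')
Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait

# Step 5: tell the Health Service which certificate to present, then restart it.
$subject = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
& $CertImportTool /SubjectName $subject
Restart-Service HealthService

# Step 6 runs on the Management Server, not here. With "Review new manual agent installations"
# enabled in Administration > Settings > Security, approve only the VMs you expect:
#   Import-Module OperationsManager
#   Get-SCOMPendingManagement | Where-Object { $_.AgentName -eq 'vm01.corp.example' } |
#       Approve-SCOMPendingManagement
```

The approval step is the control that keeps an unknown machine with a stolen or self-issued certificate from joining the management group, so match each pending agent name against the VMs you actually deployed rather than approving the whole list.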