General Availability: Azure Automation Hybrid Runbook Worker Extension

Infrastructure is increasingly becoming more complex as organizations operate across multiple cloud and on-premises environments. Businesses are looking for a secure and reliable management services that can consistently manage this hybrid estate. Azure Automation provides a unified platform for execution of customer provided scripts to manage Azure, Arc-enabled and multi-cloud workloads. User Hybrid Worker enables execution of these scripts directly on the machines for managing guest workloads or as a gateway to environments that are not accessible from Azure. Azure Automation announces General Availability of User Hybrid Worker extension, that is based on Virtual Machine extensions framework and provides a seamless and integrated installation experience.

Note: The extension-based Hybrid Runbook Worker only supports the User Hybrid Worker type and does not include the System Hybrid Worker required for Azure Automation Update Management. It is supported for Windows & Linux Azure VMs and Azure Arc-enabled Servers. It is also available for Azure Arc-enabled VMware vSphere VMs in preview.

Common Scenarios

• To execute Azure Automation runbooks for in-guest VM management directly on an existing Azure virtual machine (VM) and off-Azure server registered as Azure Arc-enabled server or Azure Arc-enabled VMware vSphere VM (preview). Azure Arc-enabled servers can be Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud provider. 
• To overcome the Azure Automation sandbox limitation - the common scenarios include executing long-running operations beyond three-hour limit for cloud jobs, performing the resource-intensive automation operations, interacting with local services running on-premises or in hybrid environment, running scripts that require elevated permissions.
• To overcome organization restrictions to keep data in Azure due to governance and security reasons - if you cannot execute Automation jobs on the cloud, you can run it on an on-premises machine that is onboarded as a User Hybrid Runbook Worker.
• To automate operations on multiple off-Azure resources running on-premises or in multi-cloud environments. You can onboard one of those machines as User Hybrid Runbook Worker and target automation on the remaining machines in the local environment.
• To access other services privately from the Azure Virtual Network (VNet) without the need to open an outbound connection to the internet, you can execute runbooks on a Hybrid Worker connected to the Azure VNet.

Benefits of extension-based User Hybrid Runbook Workers over agent-based Workers

The extension-based approach greatly simplifies the installation and management of the User Hybrid Runbook Worker, removing the complexity of working with the agent-based approach. Here are some key benefits:

• Seamless onboarding – Agent-based approach for onboarding Hybrid Runbook worker is dependent on the Log Analytics agent. Extension-based User Hybrid runbook worker has no dependency on Log Analytics solution. The runbook worker can be setup using the extension approach natively from the portal without a need to login to the machines.
• Ease of Manageability – It offers native integration with ARM identity for Hybrid Runbook Worker and provides the flexibility for governance at scale through policies and templates.
• Unified experience – It offers an identical experience for managing Azure and off-Azure Arc-enabled machines.
• More secure - It uses Azure Active Directory based authentication using VM system assigned managed identities. It eliminates certificate-based authentication required for Agent-based Worker, further improving security of the VM under management.
• Multiple onboarding channels – You have the choice to onboard and manage extension-based workers through the Azure Portal, PowerShell cmdlets, Azure CLI, Bicep, ARM templates and REST API.
• Default Automatic upgrade – It offers Automatic upgrade of minor versions by default, significantly reducing the manageability of staying updated on the latest version. We recommend enabling Automatic upgrades to take advantage of any security or feature updates without manual overhead. You can also opt out of automatic upgrades at any time. Any major version upgrades are currently not supported and should be managed manually.

Call to Action

• Migrate existing agent-based User Hybrid Runbook Workers to extension-based Workers - You can migrate your existing agent-based User Hybrid Workers to extension-based Workers as both types can co-exist on the same machine. The extension-based installation does not affect the installation or management of an agent-based Worker. Once you are confident with the extension-based Hybrid Worker experience and use, you can remove the agent-based Worker.
• Upgrade Hybrid Worker extension to latest version - If you had installed Hybrid Worker extension during public preview, you must upgrade it to the latest version. Since it is a major version upgrade from preview to GA, it must be managed manually.
• Add more machines as extension-based Hybrid Runbook Workers and manage your hybrid and multi-cloud workloads using a single orchestration service.

Additional Resources

• Hybrid Runbook Worker overview
• Deploy extension-based Windows or Linux User Hybrid Runbook Worker
• Azure Automation in a hybrid environment

If you have any questions or suggestions, please reach out to Azure Automation Q&A forum.