Agents and Azure management
If you’ve spent any time managing IT infrastructure, then you’re likely familiar with management agents. An agent is a discreet application designed to run in the background and perform some type of management or monitoring task. Agents are used for antivirus, backups, intrusion detection and prevention, remote management, monitoring tasks, and more.
However, they aren’t without some drawbacks, and it’s important to be aware of the advantages and disadvantages of agents before implementing them.
Here’s what we’ll cover:
- The pros and cons of using agents
- How agents work in Azure
- How Nerdio leverages Azure agents to manage Azure Virtual Desktop (AVD) and other Azure-connected resources
- Management outside of Azure with Azure Arc
Explore our agent-less Nerdio Manager platform and see how we interact with native Azure agents by connecting with our team for a quick and easy demo.
Advantages of using agents
In the world of IT, agents are often necessary for certain functions, and there are some advantages to using purpose-built agents for managing IT infrastructure. For example:
- Real-time monitoring for systems and applications: The agent does this by establishing a persistent connection with a centralized management platform for live communication
- Agents provide automation and proactively resolve issues: If a problem is detected, the agent can run scripts or take other steps to resolve the issue and send a notification indicating the problem. Consider a security agent that monitors for rogue processes: if an unexpected process starts, the agent can stop it or isolate its actions and notify the security team of the unexpected behavior they need to investigate.
Alternatives to using agents
However, it is possible to manage systems without agents. This can help reduce your IT maintenance needs. Simple Network Management Protocol (SNMP) and Windows Remote Management (WinRM) are designed for remote management. Both can monitor and manage servers and other network devices.
Although useful for agentless monitoring, agentless management has some drawbacks. First, there is limited support for real-time communication. An SNMP client can send a type of notification called a “trap” if a specific condition exists, but that trap circumstance must be configured to identify the condition. New issues may occur that have not been configured and, therefore, will not trigger an alert.
Monitoring without an agent requires a process of frequent polling devices to retrieve status information. Periodic polling is not the same as real-time monitoring. The time between the polling interval is a time when services are not actively monitored.
Disadvantages of using agents
With all the advantages of an agent, it may seem logical to use them for all management activities. There are, however, some major drawbacks to using agents. Let’s break some of them down:
Agents can be a drain on resources
Each agent requires some amount of system resources to run. While one agent may not impact system performance, it’s not uncommon to have multiple agents, each requiring additional system resources. An environment may have separate agents for antivirus, application and patch management, automation, and remote management. Multiple agents add overhead that may impact performance.
Agents require maintenance and additional management
On top of overhead, each agent needs to be deployed and updated. The company that provides the agent may have an automated process for deploying and updating agents. Agent deployments and updates must be monitored, and many lack the ability to schedule these activities. Plus, any deployment and update failures must be remediated. These activities add additional management overhead to an organization’s IT staff.
Agents aren't always a compatible option
Compatibility is also a factor when using agents in an environment. An organization may have systems running Windows, macOS, Linux, and other operating systems. The organization’s software provider or vendor must support all systems in a multi-platform environment, or the organization will require different software for different platforms, adding to the management overhead.
Agents can pose security risks
A software vendor supplies monitoring and management agents, and organizations depend on the vendor to update the agent. Some may consider the security and privacy risks associated with adding third-party agents to an organization’s critical systems. A poorly configured or vulnerable agent could provide an entry point for cyberattacks.
Azure Agent
Now that we’ve covered the pros and cons of using agents, let’s break down how Azure uses agents to manage Infrastructure as a Service (IaaS) virtual Machines (VMs.) Every Windows and Linux VM in Azure has an Azure agent installed. The agent is part of the Azure image and facilitates communication between the server and the Azure management plane. The Azure agent is used for management tasks, including monitoring, networking, and running extensions on the VM.
The Azure agent enables running extensions from the Azure management plane on the VM. An Azure VM extension is an application or code that provides post-deployment configuration and automation on Azure VMs. Azure hosts many extensions related to VM configuration, monitoring, security, and other utilities. These extensions are available from Microsoft, or a third party can wrap applications and scripts into an extension, providing an easy way to run the application or script on the VM.
Azure tech tip:
The client Azure agent communicates with Azure over the WireServer IP address, and Azure customers can use any range of private IP addresses on a VNet (virtual network). The WireServer IP address is 168.63.129.16, and because it’s part of a public address space, the IP won’t overlap with any private address ranges a customer may use in Azure. Additionally, each instance of the WireServer IP address is dedicated to a VNet and is only available from within that VNet. Furthermore, alongside agent communication with Azure, the WireServer IP address also provides heartbeat messages, DNS, and DHCP services.
Access to the WireServer IP address 168.63.129.16 is critical to the health of an Azure VM.
Nerdio and agents
Nerdio does not require an agent to manage Azure VMs, including AVD session hosts. Instead, Nerdio uses custom extensions and the Azure Agent to run automation and management tasks. For example, a Nerdio Scripted Action that configures session host registry settings runs on the VM using the Azure agent and a custom extension.
By leveraging the Azure agent, Nerdio does not need to deploy its own dedicated agent, which reduces burden on your organization’s IT department and enhances security. There is no additional agent to manage or overhead on the system, and Nerdio utilizes extensions on session hosts and Scripted Actions in Azure to manage AVD.
Azure Arc Agent
Extensions and the Azure agent have the advantage of providing centralized management for a range of Azure tasks without needing an additional agent. The downside is that the Azure agent is only available on Azure VMs. How can we leverage similar management with servers on-premises or in other clouds? The solution is to extend Azure management outside Azure with an Azure Arc agent.
Azure Arc is a bridge between on-premises and other clouds to Azure, and it’s available for Windows and Linux. Azure Arc extends management functionality from the Azure management plane to physical and virtual servers outside Azure. Arc-enabled servers are available in the Azure portal along with Azure VMs. Once Arc is enabled on a Windows or Linux server, many of the same management features available to Azure VMs, such as extensions, can be used on VMs outside Azure.
One example of extending management outside of Azure is with Azure Automation. Azure Arc and Azure Automation provide a feature-rich automation platform that extends from Azure to an on-premises or multi-cloud environment. Azure Automation leverages the Arc Agent to deploy a hybrid worker extension on a computer inside a private network. The hybrid worker is a service that links a private network to Azure. A centralized collection of scripts called runbooks are created and managed in Azure, and they run in Azure or on hybrid workers in the private network.
Once the hybrid worker is in place, Azure Automation can tackle management tasks, like provisioning and deprovisioning users or monitoring systems. It’s also possible to link SaaS-based management systems, such as a helpdesk ticketing system, to Azure Automation. If a service desk ticket is received indicating a problem with an application, a runbook could be triggered that checks a service and restarts it if needed.
Summary
Agents are an essential part of managing an IT environment, but they come with management and security considerations. Each Azure VM has an Azure agent used to manage VMs, including running extensions on the VM. Nerdio does not use dedicated agents to manage Azure and Azure Virtual Desktops. Instead, Nerdio uses the Azure VM Agent to run custom management extensions on the VM.
Azure Arc extends Azure management outside of Azure to Windows and Linux servers on-premises and in other clouds. Once the Azure Arc agent is installed on a server, it appears in the Azure portal and can be managed with native Azure VMs.
Not sure what will work best for your organization or MSP? We’re here to help! Explore our agent-less Nerdio Manager platform and see how we interact with native Azure agents by connecting with our team for a quick and easy demo.
