Virtual machine (VM) extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs.
For example, VM extensions can be used to enable functionality such as:
- Collect log data for analysis with Azure Monitor Logs by enabling the Azure Monitor agent VM extension.
- Download and run scripts on hybrid connected machines by using the Custom Script extension. This extension is useful for post-deployment configuration, software installation, or any other configuration or management tasks.
- Automatically refresh certificates stored in Azure Key Vault.
With Azure Arc-enabled servers, you can deploy, remove, and update Azure VM extensions to non-Azure Windows and Linux VMs. This ability simplifies the management of your hybrid machines through their life cycle. You can deploy VM extensions to hybrid machines managed by Azure Arc-enabled servers via the following methods:
Many VM extensions can be configured for automatic upgrades.
VM extension functionality is available only in the supported regions. Be sure to onboard your machine in one of these regions.
For the regional availabilities of Azure services and VM extensions that are available for Azure Arc-enabled servers, refer to the Azure Global Product Availability Roadmap.
You can configure lists of the extensions that you want to allow and block on servers. For more information, see Extension allowlists and blocklists.
Many VM extensions are supported with Azure Arc-enabled servers. While the lists shown here are not exhaustive, they include some of the most popular extensions that you can use with Azure Arc-enabled servers.
The following table lists some of the key VM extensions that are available for Azure Arc-enabled servers running Windows. For more information about usage and support, see the "additional information" links.
Extension | Publisher | Type | Additional information |
---|---|---|---|
Microsoft Antimalware extension | Microsoft.Azure.Security | IaaSAntimalware | Microsoft Antimalware extension for Windows |
Custom Script extension | Microsoft.Compute | CustomScriptExtension | Windows Custom Script Extension |
Azure Monitor agent | Microsoft.Azure.Monitor | AzureMonitorWindowsAgent | Deployment options for Azure Monitor agent on Azure Arc-enabled servers |
Azure Key Vault extension for Windows | Microsoft.Azure.Key.Vault | KeyVaultForWindows | Key Vault virtual machine extension for Windows |
Azure Automation Hybrid Runbook Worker extension | Microsoft.Compute | HybridWorkerForWindows | Deploy an extension-based user Hybrid Runbook Worker (to execute runbooks locally) |
Windows OS Update Extension | Microsoft.SoftwareUpdateManagement | WindowsOsUpdateExtension | Overview of Azure Update Manager |
Windows Patch extension | Microsoft.CPlat.Core | WindowsPatchExtension | Automatic guest patching for Azure virtual machines and scale sets |
Network Watcher agent | Microsoft.Azure.NetworkWatcher | NetworkWatcherAgentWindows | Azure Network Watcher overview |
The following table lists some of the key VM extensions that are available for Azure Arc-enabled servers running Linux. For more information about usage and support, see the "additional information" links.
Extension | Publisher | Type | Additional information |
---|---|---|---|
Custom Script extension | Microsoft.Azure.Extensions | CustomScript | Linux Custom Script Extension version 2 |
Azure Monitor agent | Microsoft.Azure.Monitor | AzureMonitorLinuxAgent | Deployment options for Azure Monitor agent on Azure Arc-enabled servers |
Azure Key Vault extension for Linux | Microsoft.Azure.Key.Vault | KeyVaultForLinux | Key Vault virtual machine extension for Linux |
Azure Automation Hybrid Runbook Worker extension | Microsoft.Compute | HybridWorkerForLinux | Deploy an extension-based user Hybrid Runbook Worker (to execute runbooks locally) |
Linux OS Update Extension | Microsoft.SoftwareUpdateManagement | LinuxOsUpdateExtension | Overview of Azure Update Manager |
Linux Patch Extension | Microsoft.CPlat.Core | LinuxPatchExtension | Automatic guest patching for Azure virtual machines and scale sets |
Network Watcher agent | Microsoft.Azure.NetworkWatcher | NetworkWatcherAgentLinux | Azure Network Watcher overview |
Microsoft Entra login extension | Microsoft.Azure.ActiveDirectory | AADSSHLoginForLinux | SSH access to Azure Arc-enabled servers |
Review the documentation for each VM extension referenced in the previous tables to understand its network and system requirements beyond the general prerequisites and networking requirements for Arc-enabled servers. This effort can help prevent connectivity issues with an Azure service or feature that relies on that VM extension.
To deploy an extension to Azure Arc-enabled servers, a user needs the following permissions:
- microsoft.hybridcompute/machines/read
- microsoft.hybridcompute/machines/extensions/read
- microsoft.hybridcompute/machines/extensions/write
The role Azure Connected Machine Resource Administrator includes the permissions required to deploy extensions. It also includes permission to delete Azure Arc-enabled server resources.
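The following added example (not part of the original documentation) reviews role definitions against the three permissions listed above and flags any role that can also delete the machine resource, which matters when extension deployment is the only task being delegated. The role definitions are constructed samples in the `permissions` / `actions` / `notActions` layout of Azure role definition JSON, and the `Microsoft.HybridCompute/machines/delete` operation name is an assumption that does not appear on this page.

```python
import re

# The three permissions the page lists as required to deploy an extension.
REQUIRED = (
    "microsoft.hybridcompute/machines/read",
    "microsoft.hybridcompute/machines/extensions/read",
    "microsoft.hybridcompute/machines/extensions/write",
)
# Assumption (not on the page): operation name for deleting the Arc server resource.
DELETE_MACHINE = "Microsoft.HybridCompute/machines/delete"


def _matches(pattern, action):
    """Action patterns are case-insensitive and '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def allows(role, action):
    """True if a permission block grants the action and its notActions do not exclude it."""
    for perm in role.get("permissions", []):
        granted = any(_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_matches(p, action) for p in perm.get("notActions", []))
        if granted and not excluded:
            return True
    return False


def review(role):
    """Report whether a role can deploy extensions and whether it can also delete machines."""
    missing = [a for a in REQUIRED if not allows(role, a)]
    return {"can_deploy": not missing, "missing": missing,
            "can_delete_machine": allows(role, DELETE_MACHINE)}


def _role(name, actions, not_actions=()):
    return {"roleName": name,
            "permissions": [{"actions": list(actions), "notActions": list(not_actions)}]}


# Constructed sample role definitions (hypothetical names, not real built-in roles).
BROAD = _role("example-broad", ["Microsoft.HybridCompute/machines/*"])
SCOPED = _role("example-extension-deployer", REQUIRED)
NO_DELETE = _role("example-no-delete", ["Microsoft.HybridCompute/*"], [DELETE_MACHINE])
READ_ONLY = _role("example-reader", ["Microsoft.HybridCompute/*/read"])

if __name__ == "__main__":
    for r in (BROAD, SCOPED, NO_DELETE, READ_ONLY):
        print(r["roleName"], review(r))
```

A role that reports `can_deploy` as true and `can_delete_machine` as false grants what extension deployment needs without the ability to remove the server resource.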
Azure Arc-enabled servers with one or more VM extensions installed can be moved between resource groups, or to another Azure subscription, without experiencing any impact to their configuration. The source and destination scopes must exist within the same Microsoft Entra tenant. For more information about moving resources and considerations before you proceed, see Move resources to a new resource group or subscription.
- You can deploy, manage, and remove VM extensions by using the Azure CLI, Azure PowerShell, the Azure portal, or Azure Resource Manager templates.