Hybrid Runbook Worker overview

Runbooks in Azure Automation might not have access to resources in other clouds or in your on-premises environment because they run on the Azure cloud platform. You can use the Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on the machine that hosts the role and against resources in that environment, so that those local resources can be managed. Runbooks are stored and managed in Azure Automation and then delivered to one or more assigned machines.

The following image illustrates this functionality:

(Diagram: Hybrid Runbook Worker overview)

A Hybrid Runbook Worker can run on either the Windows or the Linux operating system. It depends on the Log Analytics agent reporting to an Azure Monitor Log Analytics workspace. The workspace is used not only to monitor the machine for a supported operating system, but also to download the components required by the Hybrid Runbook Worker.

Each Hybrid Runbook Worker is a member of a Hybrid Runbook Worker group that you specify when you install the agent. A group can include a single agent, but you can install multiple agents in a group for high availability. Each machine can host one hybrid worker reporting to one Automation account.

When you start a runbook on a Hybrid Runbook Worker, you specify the group that it runs on. Each worker in the group polls Azure Automation to see if any jobs are available. If a job is available, the first worker to get the job takes it. The processing time of the job queue depends on the hybrid worker's hardware profile and load. You can't specify a particular worker.

Use a Hybrid Runbook Worker instead of an Azure sandbox when you need to avoid the sandbox limits on disk space, memory, or network sockets. The limits on a hybrid worker are only those of the worker's own resources.

Note

Hybrid Runbook Workers aren't constrained by the fair share time limit that Azure sandboxes have.

Hybrid Runbook Worker installation

The process to install a Hybrid Runbook Worker depends on the operating system. The table below defines the deployment types.

Operating System    Deployment Types
Windows             Automated
                    Manual
Linux               Python

The recommended installation method is to use an Azure Automation runbook to completely automate the process of configuring a Windows machine. If that isn't feasible, you can follow a step-by-step procedure to manually install and configure the role. For Linux machines, you run a Python script to install the agent on the machine.

Network planning

For the Hybrid Runbook Worker to connect to and register with Azure Automation, it must have access to the port number and URLs described in this section. The worker must also have access to the ports and URLs required for the Log Analytics agent to connect to the Azure Monitor Log Analytics workspace.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

The following port and URLs are required for the Hybrid Runbook Worker:

  • Port: only TCP 443 is required, for outbound internet access
  • Global URL: *.azure-automation.cn
  • Agent service: https://<workspaceId>.agentsvc.azure-automation.cn

Proxy server use

If you use a proxy server for communication between Azure Automation and machines running the Log Analytics agent, ensure that the appropriate resources are accessible. The timeout for requests from the Hybrid Runbook Worker and Automation services is 30 seconds. After three attempts, a request fails.

Firewall use

If you use a firewall to restrict access to the internet, you must configure the firewall to permit the access described above. If you use the Log Analytics gateway as a proxy, ensure that it is configured for Hybrid Runbook Workers. See Configure the Log Analytics gateway for Automation Hybrid Workers.
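The port and URL requirements above, together with the firewall guidance, translate into an egress allowlist that is easy to get subtly wrong (wrong port, a literal host where a wildcard is needed, or an over-broad "*" rule). The following is an added example, not code from this article or from Azure Automation, that checks a candidate rule set against the documented endpoints. The workspace ID and the rules are constructed sample values; the Log Analytics agent's own endpoints are not modelled here because the article does not list them.

```python
import fnmatch
from dataclasses import dataclass

# Endpoints listed in the article: TCP 443 only, the global wildcard host
# and the per-workspace agent service host.
GLOBAL_HOST_PATTERN = "*.azure-automation.cn"
AGENT_SERVICE_HOST = "{workspace_id}.agentsvc.azure-automation.cn"
REQUIRED_PORT = 443


@dataclass(frozen=True)
class EgressRule:
    """One outbound allow rule: exact host or glob (e.g. '*.azure-automation.cn')."""
    host_pattern: str
    port: int
    proto: str = "tcp"


def required_endpoints(workspace_id: str) -> list[tuple[str, int]]:
    """Host/port pairs a hybrid worker must reach to register with Azure Automation."""
    return [
        (GLOBAL_HOST_PATTERN, REQUIRED_PORT),
        (AGENT_SERVICE_HOST.format(workspace_id=workspace_id), REQUIRED_PORT),
    ]


def rule_covers(rule: EgressRule, host: str, port: int) -> bool:
    """True if the rule permits the required host on the required TCP port.

    The required host may itself be a wildcard; matching it as a literal string
    against the rule's glob means only an equal or broader glob covers it."""
    if rule.proto.lower() != "tcp" or rule.port != port:
        return False
    return fnmatch.fnmatchcase(host.lower(), rule.host_pattern.lower())


def missing_endpoints(workspace_id: str, rules: list[EgressRule]) -> list[tuple[str, int]]:
    """Required endpoints that no rule in the allowlist permits."""
    return [
        (host, port)
        for host, port in required_endpoints(workspace_id)
        if not any(rule_covers(r, host, port) for r in rules)
    ]


def overly_broad(rules: list[EgressRule]) -> list[EgressRule]:
    """Rules that allow any host: they satisfy the check but defeat the allowlist."""
    return [r for r in rules if r.host_pattern.strip() == "*"]


if __name__ == "__main__":
    # Constructed sample: a literal agent-service rule without the global wildcard.
    sample_rules = [EgressRule("ws-0000.agentsvc.azure-automation.cn", 443)]
    print("missing:", missing_endpoints("ws-0000", sample_rules))
```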

Service tags

Azure Automation supports Azure virtual network service tags, starting with the service tag GuestAndHybridManagement. You can use service tags to define network access controls on network security groups or Azure Firewall. Service tags can be used in place of specific IP addresses when you create security rules. By specifying the service tag name GuestAndHybridManagement in the appropriate source or destination field of a rule, you can allow or deny the traffic for the Automation service. This service tag does not support more granular control by restricting IP ranges to a specific region.

The service tag for the Azure Automation service only provides the IPs used for the following scenarios:

  • Trigger webhooks from within your virtual network
  • Allow Hybrid Runbook Workers or State Configuration agents on your VNet to communicate with the Automation service

Note

The service tag GuestAndHybridManagement currently doesn't support runbook job execution in an Azure sandbox, only directly on a Hybrid Runbook Worker.

Update Management on a Hybrid Runbook Worker

When Azure Automation Update Management is enabled, any machine connected to your Log Analytics workspace is automatically configured as a Hybrid Runbook Worker. Each such worker can support runbooks targeted at Update Management.

A machine configured this way is not registered with any Hybrid Runbook Worker groups already defined in your Automation account. You can add the machine to a Hybrid Runbook Worker group, but you must use the same account for both Update Management and the Hybrid Runbook Worker group membership. This functionality was added in version 7.2.12024.0 of the Hybrid Runbook Worker.

Update Management addresses for the Hybrid Runbook Worker

On top of the standard addresses and ports required for the Hybrid Runbook Worker, Update Management has additional network configuration requirements, described under its own network planning section.

Azure Automation State Configuration on a Hybrid Runbook Worker

You can run Azure Automation State Configuration on a Hybrid Runbook Worker. To manage the configuration of servers that host the Hybrid Runbook Worker, you must add those servers as DSC nodes. See Enable machines for management by Azure Automation State Configuration.

Runbooks on a Hybrid Runbook Worker

You might have runbooks that manage resources on the local machine or run against resources in the local environment where a Hybrid Runbook Worker is deployed. In this case, you can choose to run your runbooks on the hybrid worker instead of in an Automation account. Runbooks run on a Hybrid Runbook Worker are identical in structure to those that you run in the Automation account. See Run runbooks on a Hybrid Runbook Worker.

Hybrid Runbook Worker jobs

Hybrid Runbook Worker jobs run under the local System account on Windows or the nxautomation account on Linux. Azure Automation handles jobs on Hybrid Runbook Workers somewhat differently from jobs run in Azure sandboxes. See Runbook execution environment.

If the Hybrid Runbook Worker host machine reboots, any running runbook job restarts from the beginning, or from the last checkpoint for PowerShell Workflow runbooks. After a runbook job has been restarted more than three times, it is suspended.

Runbook permissions for a Hybrid Runbook Worker

Because they access non-Azure resources, runbooks running on a Hybrid Runbook Worker can't use the authentication mechanism typically used by runbooks that authenticate to Azure resources. A runbook either provides its own authentication to local resources, or configures authentication using managed identities for Azure resources. You can also specify a Run As account to provide a user context for all runbooks.

Next steps