Azure Arc Deployment
In this initiative I led the deployment of Azure Arc to manage a hybrid estate of Microsoft SQL Server instances spanning hundreds of on-premises and cloud-hosted servers. By unifying SQL infrastructure visibility and automating policy enforcement, the project delivered a 20% reduction in licensing costs and significantly streamlined asset compliance tracking. The work combined deep Azure administration expertise with enterprise IT automation practices and leveraged AI-generated deployment scaffolds to accelerate implementation while maintaining production-grade stability.

Lessons Learned

Permissions

The required permissions must be set thoroughly and are documented at https://learn.microsoft.com/azure/azure-arc/servers/prerequisites

Make sure that:

  • The Microsoft.AzureArcData resource provider is registered
  • The service principal has the Azure Connected Machine Onboarding role and the following permissions:
    • Microsoft.AzureArcData/register/action
    • Microsoft.HybridCompute/machines/extensions/read
    • Microsoft.HybridCompute/machines/extensions/write
    • Microsoft.Resources/deployments/validate/action

Prerequisites for SQL Extensions are more specific: https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/prerequisites?view=sql-server-ver16&tabs=azure#before-you-deploy
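
A read-only pre-flight check for the items listed above, added here as an example (it is not part of the original deployment scripts). It assumes the Az.Resources module and a signed-in session; the function name Test-ArcSqlOnboardingAccess and the scope you pass in are assumptions.

```powershell
# Added example: read-only check of the prerequisites listed above.
# Assumes Az.Resources and an authenticated session (Connect-AzAccount).
# Test-ArcSqlOnboardingAccess is a hypothetical helper name.
function Test-ArcSqlOnboardingAccess {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,  # service principal app (client) id
        [Parameter(Mandatory)][string]$Scope           # e.g. /subscriptions/<id>/resourceGroups/<rg>
    )
    $requiredRole    = 'Azure Connected Machine Onboarding'
    $requiredActions = @(
        'Microsoft.AzureArcData/register/action',
        'Microsoft.HybridCompute/machines/extensions/read',
        'Microsoft.HybridCompute/machines/extensions/write',
        'Microsoft.Resources/deployments/validate/action'
    )

    # Resource provider: every resource type must report 'Registered'.
    $rp = @(Get-AzResourceProvider -ProviderNamespace 'Microsoft.AzureArcData')
    $providerOk = $rp.Count -gt 0 -and
        -not ($rp | Where-Object RegistrationState -ne 'Registered')

    # Role assignments for the principal that apply at the scope (and above it).
    $assignments = @(Get-AzRoleAssignment -ServicePrincipalName $ApplicationId -Scope $Scope)
    $roles = @($assignments | ForEach-Object { Get-AzRoleDefinition -Id $_.RoleDefinitionId })

    # An action counts as granted when some role's Actions pattern matches it
    # and that role's NotActions do not exclude it (patterns may use wildcards).
    $missing = foreach ($action in $requiredActions) {
        $granted = $false
        foreach ($role in $roles) {
            $allow = $role.Actions    | Where-Object { $action -like $_ }
            $deny  = $role.NotActions | Where-Object { $action -like $_ }
            if ($allow -and -not $deny) { $granted = $true; break }
        }
        if (-not $granted) { $action }
    }

    [pscustomobject]@{
        ProviderRegistered = $providerOk
        HasOnboardingRole  = $assignments.RoleDefinitionName -contains $requiredRole
        MissingActions     = @($missing)
    }
}
```

Run it before onboarding; an empty MissingActions list together with both flags set to True means the items in this section are in place for that principal and scope.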

Azure Arc Agent vs Azure Arc SQL Extension

First of all, Azure Arc Agent and Azure Arc SQL Extension are separate products, apparently created by separate teams. Installing Azure Arc Agent is a prerequisite for the SQL Extension.

Per Microsoft documentation, it takes 10 minutes for the agent to automatically discover and install the SQL extension. However, this doesn’t always happen by itself.

On-Premises Servers Accessing Azure via HTTP Proxy

Both Azure Arc Agent and SQL Extension support access through an HTTP proxy for environments behind firewalls that do not have direct access to the Azure cloud. However, they behave very differently by default.

The typical installation script code is similar in both cases:

# Install the hybrid agent
& "$env:TEMP\install_windows_azcmagent.ps1" -proxy "http://<proxy>:<port>";
if ($LASTEXITCODE -ne 0) { exit 1; }
# Run connect command
& "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" connect --service-principal-id "$ServicePrincipalId" --service-principal-secret "$ServicePrincipalClientSecret" --resource-group "$env:RESOURCE_GROUP" --tenant-id "$env:TENANT_ID" --location "$env:LOCATION" --subscription-id "$env:SUBSCRIPTION_ID" --cloud "$env:CLOUD" --correlation-id "$env:CORRELATION_ID";
# Install the SQL extension
& "$env:ProgramW6432\AzureExtensionForSQLServer\AzureExtensionForSQLServer.exe" --subId $subId --resourceGroup $resourceGroup --location $location --tenantid $servicePrincipalTenantId --service-principal-app-id $servicePrincipalAppId --service-principal-secret $servicePrincipalSecret --proxy $proxy --licenseType $licenseType

However, in this scenario the Arc Agent will work but the SQL Extension will not. The reason is that the SQL Extension will try to access the Arc Agent running on localhost via the HTTP proxy. The trick is to set the NO_PROXY environment variable at the machine level.

[Environment]::SetEnvironmentVariable("NO_PROXY", "localhost,127.0.0.1", "Machine")

Proxy Environment Variables for Arc

Setting environment variables for Arc Agent and SQL Extension:

[Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://<proxy>:<port>", "Machine")
$env:HTTPS_PROXY = [System.Environment]::GetEnvironmentVariable("HTTPS_PROXY", "Machine")
[Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://<proxy>:<port>", "Machine")
$env:HTTP_PROXY = [System.Environment]::GetEnvironmentVariable("HTTP_PROXY", "Machine")
[Environment]::SetEnvironmentVariable("NO_PROXY", "localhost,127.0.0.1", "Machine")
$env:NO_PROXY = [System.Environment]::GetEnvironmentVariable("NO_PROXY", "Machine")
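
The lines above replace whatever NO_PROXY value the machine already had. The following added example (not part of the original scripts) merges the loopback entries into the existing value, validates the proxy URL first, and supports -WhatIf; the function name Set-ArcProxyEnvironment and the sample proxy host are assumptions.

```powershell
# Added example, not from the original scripts. Set-ArcProxyEnvironment is a
# hypothetical helper name; run it from an elevated session before the installers.
function Set-ArcProxyEnvironment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ProxyUrl,
        [string[]]$Bypass = @('localhost', '127.0.0.1')
    )

    # Validate before persisting: absolute http(s) URL, no embedded credentials
    # (machine-level variables are readable by every local user).
    $uri = $null
    if (-not [Uri]::TryCreate($ProxyUrl, [UriKind]::Absolute, [ref]$uri) -or
        $uri.Scheme -notin @('http', 'https')) {
        throw "ProxyUrl must be an absolute http(s) URL: $ProxyUrl"
    }
    if ($uri.UserInfo) { throw 'ProxyUrl must not contain credentials.' }

    # Merge the loopback entries into the existing NO_PROXY instead of replacing it.
    $entries = @()
    $current = [Environment]::GetEnvironmentVariable('NO_PROXY', 'Machine')
    if ($current) {
        $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    foreach ($b in $Bypass) { if ($entries -notcontains $b) { $entries += $b } }

    $wanted = [ordered]@{
        HTTPS_PROXY = $ProxyUrl
        HTTP_PROXY  = $ProxyUrl
        NO_PROXY    = $entries -join ','
    }
    foreach ($name in @($wanted.Keys)) {
        $value = $wanted[$name]
        if ([Environment]::GetEnvironmentVariable($name, 'Machine') -ne $value -and
            $PSCmdlet.ShouldProcess($name, "set machine-level value '$value'")) {
            [Environment]::SetEnvironmentVariable($name, $value, 'Machine')
        }
        # Mirror into this process so installers started next inherit it.
        Set-Item -Path "Env:$name" -Value $value
    }
    [pscustomobject]$wanted   # the values that should now be in effect
}

# Constructed sample value; substitute the real proxy.
# Set-ArcProxyEnvironment -ProxyUrl 'http://proxy.example.internal:3128' -WhatIf
```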

Endpoints to Allow in Proxy ACL

aka.ms
download.microsoft.com
packages.microsoft.com
login.windows.net
login.microsoftonline.com
*.login.microsoft.com
pas.windows.net
management.azure.com
*.his.arc.azure.com
*.guestconfiguration.azure.com
guestnotificationservice.azure.com
*.guestnotificationservice.azure.com
*.servicebus.windows.net
*.waconazure.com
*.blob.core.windows.net
*.arcdataservices.com
*.azurewebsites.net
www.microsoft.com
*.web.core.windows.net

Clean Uninstall

Uninstalling the Arc agent and the Extension in Control Panel is not enough. Remove the following directories:

  • C:\ProgramData\AzureConnectedMachineAgent
  • C:\ProgramData\GuestConfig
  • C:\Program Files\AzureConnectedMachineAgent
  • C:\Program Files\AzureExtensionForSQLServer

Then reboot the system.

Azure Resource Graph Explorer Query

resources
| where type =~ 'Microsoft.AzureArcData/SqlServerInstances'
| extend 
    licenseType = properties.licenseType,
    edition = properties.edition
| project 
    name,
    resourceGroup,
    location,
    licenseType,
    edition,
    status = properties.status,
    version = properties.version,
    coreCount = properties.vCores,
    lastSyncTime = properties.lastSyncTime
| order by resourceGroup asc, name asc