Hybrid: Azure Arc and connecting environments
Hardly anyone today is "cloud only" or "on-prem only." The reality is hybrid — machines in the data center, resources in Azure, AWS and GCP, joined into a single organism. Azure Arc is Microsoft's tool for managing it all from one plane — and an important element of the ecosystem in which ZEUS operates.
What Azure Arc is
Azure Arc extends the Azure management plane (ARM) to resources outside Azure: on-prem servers, VMs in other clouds, Kubernetes clusters, and even databases. Once the agent is installed, a machine becomes an Arc-enabled resource and appears in the Azure portal like a native resource.
```bash
# Connect an on-prem server to Azure Arc (after the agent is installed)
azcmagent connect \
  --resource-group rg-arc \
  --tenant-id <tenant-id> \
  --subscription-id <sub-id> \
  --location westeurope
```
What Arc provides
| Capability | Benefit |
|---|---|
| Inventory in ARM | on-prem machines visible like Azure resources |
| Azure Policy | enforcing policies on hosts outside Azure |
| Defender for Cloud | protection and posture for on-prem servers |
| Update Management | central patch management |
| GitOps for k8s | consistent deployments on hybrid clusters |
Tip: Arc-enabled servers with Defender for Servers enabled provide the same level of security telemetry for on-prem machines as for VMs in Azure. This is a real bridge between the on-prem world and cloud posture.
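A check that follows from the tip above, as an added example that is not part of the original lesson or any product's code: given Resource Graph rows for machines and their extensions, it lists the Arc-enabled servers whose agent is not connected or that have no Defender agent extension. The machine names and rows are constructed, and the extension names `MDE.Windows` / `MDE.Linux` are an assumption about how Defender for Servers onboards Arc machines.

```python
ARC = "microsoft.hybridcompute/machines"          # Arc-enabled server resource type
ARC_EXT = ARC + "/extensions"
MDE_EXTENSIONS = {"mde.windows", "mde.linux"}     # assumed Defender agent extension names

# Resource Graph query (e.g. for `az graph query -q`) that yields rows of this shape.
INVENTORY_QUERY = """
resources
| where type in~ ('microsoft.compute/virtualmachines',
    'microsoft.hybridcompute/machines', 'microsoft.hybridcompute/machines/extensions')
| project id, name, type, status = tostring(properties.status)
"""

# Constructed sample rows, not output from a real tenant.
_P = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc/providers"
_M = _P + "/Microsoft.HybridCompute/machines"
SAMPLE_ROWS = [
    {"id": _P + "/Microsoft.Compute/virtualMachines/vm-app01", "name": "vm-app01",
     "type": "microsoft.compute/virtualmachines", "status": ""},
    {"id": _M + "/dc-sql01", "name": "dc-sql01", "type": ARC, "status": "Connected"},
    {"id": _M + "/dc-sql01/extensions/MDE.Linux", "name": "MDE.Linux",
     "type": ARC_EXT, "status": ""},
    {"id": _M + "/dc-web02", "name": "dc-web02", "type": ARC, "status": "Connected"},
    {"id": _M + "/dc-old03", "name": "dc-old03", "type": ARC, "status": "Disconnected"},
    {"id": _M + "/dc-old03/extensions/MDE.Windows", "name": "MDE.Windows",
     "type": ARC_EXT, "status": ""},
]

def arc_coverage_gaps(rows):
    """Return {machine name: [problems]} for Arc-enabled servers only."""
    # An extension's resource id is "<machine id>/extensions/<extension name>".
    protected = {r["id"].lower().rsplit("/extensions/", 1)[0] for r in rows
                 if r["type"].lower() == ARC_EXT and r["name"].lower() in MDE_EXTENSIONS}
    gaps = {}
    for r in rows:
        if r["type"].lower() != ARC:
            continue                      # native VMs and extension rows are skipped
        problems = []
        if r.get("status", "").lower() != "connected":
            problems.append("agent status: " + (r.get("status") or "unknown"))
        if r["id"].lower() not in protected:
            problems.append("no MDE extension")
        if problems:
            gaps[r["name"]] = problems
    return gaps

if __name__ == "__main__":
    for name, problems in arc_coverage_gaps(SAMPLE_ROWS).items():
        print(name, "->", "; ".join(problems))
```

A disconnected agent matters as much as a missing extension: the machine still shows in the inventory, but its telemetry and policy state are stale.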
Hybrid patterns
- Hybrid identity — Entra ID Connect synchronizes on-prem AD with Entra ID, giving SSO and a single directory (see lesson 01 on AD).
- Hybrid networking — site-to-site VPN or ExpressRoute connect the networks (lesson 04).
- Hybrid management — Azure Arc provides a single plane for resources from different places.
The limits of Arc
Arc is a bridge to the Microsoft ecosystem. It does not natively cover deep VMware vCenter inventory, raw LDAP/ADFS, or the specific WinRM telemetry the way a dedicated connector does. That is why a complete on-prem picture requires a tool that joins both worlds.
How ZEUS sees it
ZEUS reads Arc-enabled resources through the same Azure connector (ARM, Resource Graph, Defender — see the Azure track, lesson 07) as native cloud resources — so on-prem machines connected to Arc are visible automatically. At the same time the ZEUS on-prem connector reaches deeper where Arc does not: directly to AD/ADFS, LDAP, vCenter and WinRM through a reverse-SSH tunnel. These two approaches complement each other, giving one coherent view of the entire hybrid environment — regardless of where a machine physically sits.
In the final lesson of this track we will see the full mechanics of the ZEUS on-premise connector.