I want to configure Azure Automation Hybrid Worker on a VM that is not connected to the internet. In this case, I plan to move the installed path of PowerShell 7 from another PC. To install Azure PowerShell, I will use the command Install-Module -Name Az -Repository PSGallery -Force on a PC with internet access, and then copy and paste the installed module's path to the offline VM. Will this satisfy my requirements? Also, can Azure Automation Hybrid Worker be used on a VM with all internet access denied? Or if I attach the Automation service tag to the NSG and allow outbound traffic, will that make it possible?

Hello , Welcome to MS Q&A Azure Automation Hybrid Runbook Worker requires internet access to communicate with Azure Automation services. If all internet access is denied on a VM, the Hybrid Runbook Worker will not be able to function properly, as it needs to connect to various Azure endpoints. However, if you attach the Automation service tag to the Network Security Group (NSG) and allow outbound traffic, it will enable the necessary communication with Azure Automation services. This setup will allow the Hybrid Runbook Worker to function correctly even if other internet access is restricted. References: Automation Hybrid Runbook Worker overview Runbook execution in Azure Automation Deploy an extension-based Windows or Linux User Hybrid Runbook Worker in Azure Automation Please let us know if any question Kindly accept answer if it helps Thanks Deepanshu

Configuring Azure Automation Hybrid Worker on an offline VM

Accepted answer

Deepanshukatara-6769 11,625 Reputation points

2024-11-25T09:02:13.2733333+00:00
Hello , Welcome to MS Q&A

Azure Automation Hybrid Runbook Worker requires internet access to communicate with Azure Automation services. If all internet access is denied on a VM, the Hybrid Runbook Worker will not be able to function properly, as it needs to connect to various Azure endpoints.

However, if you attach the Automation service tag to the Network Security Group (NSG) and allow outbound traffic, it will enable the necessary communication with Azure Automation services. This setup will allow the Hybrid Runbook Worker to function correctly even if other internet access is restricted.

References:

Automation Hybrid Runbook Worker overview

Runbook execution in Azure Automation

Deploy an extension-based Windows or Linux User Hybrid Runbook Worker in Azure Automation

Please let us know if any question

Kindly accept answer if it helps

Thanks
Deepanshu
Please sign in to rate this answer.
Yu-Jeong Seo 170 Reputation points

2024-11-26T00:25:49.2666667+00:00

Hello, @Deepanshukatara-6769
I am curious whether it is possible to copy and paste the path of PowerShell 7 installed on another PC to install Azure Automation Hybrid Worker and Azure PowerShell, and to transfer the module path created by running Install-Module -Name Az -Repository PSGallery -Force from another PC to use the Hybrid Worker (in a VM without internet access). I plan to use the Hybrid Worker service tag.

Yu-Jeong Seo 170 Reputation points

2024-11-26T08:59:38.8833333+00:00

@Deepanshukatara-6769 Even though I have an outbound rule allowing the service tag GuestAndHybridManagement with priority 100 (allowing Any, Any) and outbound all deny rule at priority 500, the Hybrid Worker is still not functioning correctly. Are there any additional things I should check?

Deepanshukatara-6769 11,625 Reputation points

2024-11-26T09:17:55.79+00:00

Answer to 1st comment , yes it is possible but solution is bit complex. You can download the necessary PowerShell modules, such as Az, on a machine with internet access and then copy them to a USB device. After that, you can transfer the modules to the Azure Automation Hybrid Worker in the VM without internet access.

To do this, follow these steps:

Download the required modules on a connected machine using the Install-Module command.

Copy the downloaded packages to a USB device.

On the disconnected workstation (Hybrid Worker), copy the packages from the USB device to a designated location.

You may need to manually bootstrap the NuGet provider on the disconnected workstation.

Register the location of the copied packages as a repository and install the modules from there.

This process allows you to effectively use the modules on a machine that does not have internet access.

References:

Install PowerShell Az and Azure Stack modules for Azure Stack Hub

Install PowerShell AzureRM module for Azure Stack HubI

Deepanshukatara-6769 11,625 Reputation points

2024-11-26T09:23:22.9333333+00:00

Reply to 2nd comment of user -->

If the Hybrid Worker is not functioning correctly despite having an outbound rule that allows the service tag GuestAndHybridManagement, there could be several underlying issues. Here are some potential causes and resolutions:

Authentication Issues: Ensure that the runbooks can authenticate with local resources. If there are issues with credentials or permissions, this could prevent proper operation.

Network Configuration: Verify that the Hybrid Worker has outbound access to *.azure-automation.net on port 443. If there are network restrictions or firewall rules that block this access, it could lead to failures.

Here’s how you can do it:

Open PowerShell on the Hybrid Worker machine.

Run the following command:

Test-NetConnection -ComputerName "www.azure-automation.net" -Port 443

This command checks the connectivity to www.azure-automation.net on port 443. If the connection is successful, it indicates that the Hybrid Worker has the necessary outbound access.

If these areas are checked and the issue persists, further investigation into logs and error messages may be necessary to identify the specific cause of the malfunction.

References:

Troubleshoot agent-based Hybrid Runbook Worker issues in Automation

Yu-Jeong Seo 170 Reputation points

2024-11-26T09:27:59.34+00:00

@Deepanshukatara-6769 Thank you for your response. Other than NSG, there are no additional network access controls in place. In this case, I understand that allowing only the service tag would be sufficient. However, everything is functioning normally as long as we exclude the All Deny Rule without any authentication or other operations.

SadiqhAhmed-MSFT 47,496 Reputation points Microsoft Employee

2024-11-29T17:11:34.77+00:00

@Yu-Jeong Seo If you are using an "All Deny" rule, you must ensure that you allow rule for the Automation service tag (on port 443) is placed above the "All Deny" rule in the NSG rules list. This will allow the Hybrid Worker to communicate with Azure Automation without other outbound traffic being allowed.

By doing this, you should be able to restrict internet access while still enabling the Hybrid Worker to function normally, as long as it can access the necessary Azure Automation services.

Hope this clarifies!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Configuring Azure Automation Hybrid Worker on an offline VM

0 additional answers

Your answer