How to setup up the Hybrid Worker Group in Azure Automation and run Hybrid Runbooks against On Premise Resources

Recently I was working in one of the Automation project where I had to run some Azure Runbooks in the on premise servers. Due to the security restrictions I was unable run those runbooks directly from the Azure automation account so I need to setup the Hybrid Worker Group in our environment. Today I will show you how to setup the Hybrid Worker Group.

What is Azure Automation?

Azure Automation is a software as a service (SaaS) application that provides a scalable and reliable, multi-tenant environment to automate processes with runbooks and manage configuration changes to Windows and Linux system.

What is a Hybrid Worker Group Feature?

Hybrid Worker Group Feature is a feature of Azure Automation account which is nothing but a software component which can be installed in any on premise system which allows us to run the runbooks in the on premise server. This is needed when our run books don’t work from Azure Automation Account due security restrictions and it solve the purpose of running the run books against local resources.

When you need to setup a Hybrid Worker Group?

It’s necessary when you have local resources which can’t be reached from Azure Automation Account directly through internet due to security and firewall restrictions. A common example is your on premise Exchange Servers or Skype for Business Servers. This type of very critical servers were generally present in the most secure network tier of any organization and can’t be reached directly from Azure Automation Account.

Architecture Diagram of Azure Automation.

Fig: Azure Automation Architecture

Note: Firewall requirement: Port 443 needed to be allowed outbound from the on premise server to internet.

I will explain here how I have setup the Hybrid Worker Group in our environment.

First I need to select a VM in on premise environment where I wanted to install the Hybrid Worker Group features. In another word this computer will be the computer from where I can able to run all my automation runbooks which can be scheduled or triggered from Azure.

Once I have identified the computer, I have RDP to it. The next step is to download a pre build PowerShell script to automatically setup the Hybrid worker group from the PowerShell gallery website.

To download that PowerShell script please click here.

Once I have downloaded the script I went to the E drive of the computer where I have stored the script whose name is New-OnPremiseHybridworker.ps1 and ran it as you can see below. Please note that this script will prompt you to enter the Azure Resource Group name, Subscription ID, Automation Account Name and HybridGroupName while executing and I need to provide all of them one by one.

The script will take care of all the things you need to sit back and relax.

It will also create a new hybridomsworkspace as you can see below.
The Automation solution adds functionality for Azure Automation including support for Hybrid Runbook Worker. When we add the solution to our workspace, it automatically pushes down worker components to the agent computer that it will install in the next step

After that the script will automatically register the Microsoft monitoring agent which is installed in this computer. The Microsoft Monitoring Agent connects computers to Operations Management Suite. When we install the agent on our on-premises computer and connect it to our workspace, it will automatically download the components required for Hybrid Runbook Worker

Once it’s installed I went to my Azure portal to check the status. I can see below.

If I went to my Automation account I can see the following screen under the Hybrid worker groups tab

So the Hybrid Worker Group has been setup and now I can easily run my runbooks against the on premise resources. Also please note that currently we cannot have a HWG registered with multiple Automation accounts.

Test the Hybrid Worker Group which has been just created

To test this first I need to go to my runbooks tab where I need to choose a runbook as you can see below.

I have chosen to run the script GetMailBoxProd, I have clicked on the start button

In the next screen it will ask me where to run the runbook, in Azure or in my HWG on-premise system, by default it’s showing Azure

I have decided to choose to run it on HWG and immediately there prompt a drop down list where I need to select the HWG which I have just created.

In the next screen you can see the job is currently running.

Once I click on Output I can see the following screen.

So script has ran and it has given the desired result. Like this I can run any type of script from Azure Automation Account to the on premise servers. Please note that you may need to install the Skype for business management shell and exchange management shell in the on premise computers to run the scripts.

That’s all for today. I will show you one limitation of the Azure Automation on my next post on Azure Automation. Stay tuned till then.