Hybrid
From vCenter to Azure Arc: Bridging Two Worlds
On-prem estates aren’t going anywhere. I say that as someone who spent the first part of my career inside VMware clusters, and who still sees racks humming away in every serious engagement I take on. The interesting question isn’t whether private infrastructure survives — it’s how you make it feel like part of the same world as your cloud.
That’s the promise of Azure Arc: project your on-prem servers, Kubernetes clusters and even data services into Azure’s control plane, so they show up next to your native resources.
What Arc actually gives you
Once a machine is Arc-enabled, it becomes a first-class Azure resource. In practice that unlocks three things I care about:
- Policy everywhere — the same Azure Policy initiatives that govern your subscriptions now evaluate your on-prem fleet.
- One inventory — Resource Graph queries return on-prem and cloud together.
- Extensions — Monitor, Defender and the Log Analytics agent deploy the same way they do in Azure.
azcmagent connect \
--resource-group "rg-hybrid-prod" \
--tenant-id "$TENANT" \
--location "uksouth" \
--subscription-id "$SUB"
The gotchas nobody warns you about
Arc is not a migration tool. It’s a management plane. Treat it like one.
The first trap is identity sprawl — every Arc machine gets a system-assigned managed identity, and if you don’t plan RBAC up front you end up with hundreds of principals nobody owns. The second is network egress: the agent needs outbound HTTPS to a specific set of endpoints, and security teams will (rightly) ask you to enumerate every one.
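One way to catch the identity-sprawl trap before it happens, as an added example that is not from this post or from Microsoft: pull the Arc machines out of Resource Graph and cross-check each system-assigned identity against the role assignments and owner tags you expect. The sample rows and assignments below are constructed; the KQL assumes the microsoft.hybridcompute/machines schema and would be run with `az graph query -q` in a real tenant.

```python
# Resource Graph query a practitioner would run with `az graph query -q "..."`.
# Field names assume the microsoft.hybridcompute/machines schema.
ARC_MACHINES_KQL = """
resources
| where type =~ 'microsoft.hybridcompute/machines'
| project name, resourceGroup, principalId = tostring(identity.principalId),
          owner = tostring(tags['owner'])
"""

# Constructed sample rows (not real tenant data), shaped like the query output.
SAMPLE_MACHINES = [
    {"name": "esx-web-01", "resourceGroup": "rg-hybrid-prod",
     "principalId": "00000000-0000-0000-0000-000000000001", "owner": "platform-team"},
    {"name": "esx-db-02", "resourceGroup": "rg-hybrid-prod",
     "principalId": "00000000-0000-0000-0000-000000000002", "owner": ""},
    {"name": "esx-old-09", "resourceGroup": "rg-hybrid-legacy",
     "principalId": "00000000-0000-0000-0000-000000000003", "owner": "dba"},
]

# Constructed role assignments, shaped like `az role assignment list` output:
# one entry per (principalId, roleDefinitionName, scope).
SAMPLE_ASSIGNMENTS = [
    {"principalId": "00000000-0000-0000-0000-000000000001",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/SUB/resourceGroups/rg-hybrid-prod"},
    {"principalId": "00000000-0000-0000-0000-000000000003",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB"},
]

def audit_arc_identities(machines, assignments, broad_roles=("Owner", "Contributor")):
    """Map machine name -> findings: missing owner tag, identity with no role
    assignment, or a broad role granted at subscription scope."""
    by_principal = {}
    for a in assignments:
        by_principal.setdefault(a["principalId"], []).append(a)
    findings = {}
    for m in machines:
        issues = []
        if not m.get("owner"):
            issues.append("no owner tag")
        roles = by_principal.get(m["principalId"], [])
        if not roles:
            issues.append("identity has no role assignment")
        for r in roles:
            # "/subscriptions/<id>" has exactly two slashes; anything deeper is narrower scope.
            if r["roleDefinitionName"] in broad_roles and r["scope"].count("/") <= 2:
                issues.append(f"{r['roleDefinitionName']} at subscription scope")
        if issues:
            findings[m["name"]] = issues
    return findings
```

Run it as a scheduled job against live query output and the untagged, unassigned principals surface before they become the hundreds nobody owns.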
Get those two right and the rest is genuinely smooth. Arc is the closest thing I’ve found to making “hybrid” feel like a single estate rather than two teams shouting across a firewall.