Azure Hybrid Runbook Workers enable Azure Automation Runbooks to run in a local context (OS/Server level). The Hybrid Runbook Worker’s functionality is achieved through a combination of Azure Log Analytics, Microsoft Monitoring Agent, and Azure Automation Runbooks.
Why Are Hybrid Runbook Workers Awesome?
Central Management of Scripts – store all automation scripts needed across the environment, in one location.
Hybrid Architecture – Hybrid Runbook Workers are achieved with a mix of serverless / server architectures.
OS Agnostic – works on Windows or Linux with Python / PowerShell Runbooks.
Runbook Execution – execute local scripts via Runbook Schedules, Webhooks, or Logic Apps.
Scalable – a Hybrid Worker Group can contain one or more VMs, and an Automation Account can contain one or more Worker Groups.
Cost Effective – smaller VM sizes can be utilized to keep costs low; I generally use a Standard_DS2_v2. Depending on your needs, the VM can be auto-shutdown around scheduled Runbook tasks.
Watcher Tasks – create custom scripts to monitor services, files, tasks, etc.
Now we’ll put this to the test. For the test scenario, we’ll configure the Hybrid Worker to restart a Windows service, Print Spooler.
Create a Virtual Machine
First we’ll need to create a Virtual Machine to be configured as our Hybrid Runbook Worker. My personal recommendation is to use a dedicated Windows / Linux VM to run the Hybrid Worker. For this test I created a “Standard_B1s” VM.
Configure Log Analytics OMS Workspace
If you don’t have an existing Log Analytics OMS Workspace, we’ll need to start by creating one.
Navigate to “Log Analytics” in the Azure portal and add a new Workspace.
We need to add the “Automation and Control” solution to our OMS Workspace. Navigate to the OMS Portal and open the Solutions Gallery.
Within the OMS Solutions Gallery, select “Automation & Control”.
The solution will provide a warning that the Workspace needs to be configured.
Specify the Azure Automation Account you will be using to run your Hybrid Worker. If you don’t already have an Automation Account, you can create a new one from here.
Configure the Hybrid Runbook Worker Server
Log in to your server and open up PowerShell as administrator.
Run the following install script to add the New-OnPremiseHybridWorker script.
Note: if you are not using Windows Server 2016, you may need to install Windows Management Framework 5.0 to use the necessary PowerShell scripts.
Install-Script -Name New-OnPremiseHybridWorker -RequiredVersion 1.0
Next, run the script you just installed and reference the Workspace you created earlier. You’ll be asked for a few additional parameters, which are referenced below.
New-OnPremiseHybridWorker.ps1 -WorkspaceName <NameOfOMSWorkspace>
The script will ask you to input the additional parameters needed:
And that’s that, the server configuration is complete!
Create the Runbook
Create a new Runbook within your Azure Automation Account.
Now we’ll add our PowerShell script, which runs locally on the Hybrid Worker (i.e. it does not use AzureRM modules).
Note: if using non-standard modules, the modules must be installed on the Hybrid Worker VM before executing.
Test the Solution
Stop Print Spooler on the Virtual Machine.
Start your Runbook and specify that it will be run on the Hybrid Worker.
After the Runbook task has completed, Print Spooler is running on the server.
Azure Automation Watcher Tasks
Now we’ll use Azure Automation Watcher Tasks to monitor the Spooler service and automatically execute the “Restart-Service” script if the service is not in a “running” state.
Add a Watcher and Action Runbook
Start by adding the following Runbooks to your Automation Account:
For this section, the scripts provided are meant to be more robust and can also be run against other servers in the environment. However, to fully utilize the scripts, we’ll need credentials with the ability to open a remote PowerShell session.
Here are some other great Watcher examples provided by Microsoft to watch a folder for new files:
Add the Local VM Credentials to Azure Automation
Navigate to the “Shared Resources” section of the Automation Account and add a new credential. For testing purposes, I’m just adding the local admin account.
Configure the Watcher Task
Navigate to the “Watcher tasks” section within your Automation Account, and click “Add a watcher task”.
Specify a name for the task and the frequency to run (1-59 in minutes). Then select the “Watch-Service” Runbook as the “Watcher” and input the service name parameter (in this case, “Spooler”) and computer name parameter (in this case, “localhost”).
For the “Action”, select the “Process-Service” Runbook; the parameter should be left blank, as the value will be passed from the Watcher task.
Once again, we manually stop the Spooler service and wait for our watcher task to execute.
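The watcher side of the task configured above, as an added example (it is not the Watch-Service Runbook from this post, nor Microsoft's code): it takes the same service name and computer name parameters, refuses any service that is not on an allow-list, and reads the stored credential only when the target is a remote machine. The credential asset name “HybridWorkerCred” and the contents of the allow-list are assumptions.

```powershell
# Added example watcher runbook; not the post's Watch-Service script.
param(
    [Parameter(Mandatory = $true)]
    [string] $ServiceName,
    [string] $ComputerName = 'localhost',
    # Assumed name of the credential asset added under Shared Resources.
    [string] $CredentialName = 'HybridWorkerCred'
)

# Assumed allow-list. The action runbook should apply the same list before it
# restarts anything, because its input arrives as data from the watcher.
$AllowedServices = @('Spooler')
if ($AllowedServices -notcontains $ServiceName) {
    throw "Service '$ServiceName' is not on the allow-list."
}

# Constrain the target to host-name characters before it reaches a remoting call.
if ($ComputerName -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$') {
    throw "Computer name '$ComputerName' is not a valid host name."
}

# Returns the service status as a plain string, locally or over remoting.
$readStatus = { param($Name) (Get-Service -Name $Name -ErrorAction Stop).Status.ToString() }

if ($ComputerName -in @('localhost', $env:COMPUTERNAME)) {
    # Local check: the stored credential is never read on this path.
    $status = & $readStatus $ServiceName
} else {
    # Get-AutomationPSCredential is available inside Azure Automation runbooks.
    $credential = Get-AutomationPSCredential -Name $CredentialName
    if (-not $credential) { throw "Credential asset '$CredentialName' was not found." }
    $status = Invoke-Command -ComputerName $ComputerName -Credential $credential `
        -ScriptBlock $readStatus -ArgumentList $ServiceName -ErrorAction Stop
}

if ($status -ne 'Running') {
    # Hand off to the action runbook selected on the watcher task.
    $data = @{ ServiceName = $ServiceName; ComputerName = $ComputerName } | ConvertTo-Json -Compress
    Invoke-AzureAutomationWatcherAction -Message "Service $ServiceName is $status" -Data $data
}
```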