Azure Arc network requirements
This article lists the endpoints, ports, and protocols required for Azure Arc-enabled services and features.
Generally, connectivity requirements include these principles:
- All connections are TCP unless otherwise specified.
- All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
- All connections are outbound unless otherwise specified.
To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.
Azure Arc-enabled Kubernetes endpoints
Connectivity to the Arc Kubernetes-based endpoints is required for all Kubernetes-based Arc offerings, including:
- Azure Arc-enabled Kubernetes
- Azure Arc-enabled App services
- Azure Arc-enabled Machine Learning
- Azure Arc-enabled data services (direct connectivity mode only)
Important
Azure Arc agents require the following outbound URLs on https://:443
to function.
For *.servicebus.windows.net
, websockets need to be enabled for outbound access on firewall and proxy.
Endpoint (DNS) | Description |
---|---|
https://management.azure.com |
Required for the agent to connect to Azure and register the cluster. |
https://<region>.dp.kubernetesconfiguration.azure.com |
Data plane endpoint for the agent to push status and fetch configuration information. |
https://login.microsoftonline.com https://<region>.login.microsoft.com login.windows.net |
Required to fetch and update Azure Resource Manager tokens. |
https://mcr.microsoft.com https://*.data.mcr.microsoft.com |
Required to pull container images for Azure Arc agents. |
https://gbl.his.arc.azure.com |
Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
https://*.his.arc.azure.com |
Required to pull system-assigned Managed Identity certificates. |
https://k8connecthelm.azureedge.net |
az connectedk8s connect uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
guestnotificationservice.azure.com *.guestnotificationservice.azure.com sts.windows.net https://k8sconnectcsp.azureedge.net |
For Cluster Connect and for Custom Location based scenarios. |
*.servicebus.windows.net |
For Cluster Connect and for Custom Location based scenarios. |
https://graph.microsoft.com/ |
Required when Azure RBAC is configured. |
*.arc.azure.net |
Required to manage connected clusters in Azure portal. |
https://<region>.obo.arc.azure.com:8084/ |
Required when Cluster Connect is configured. |
https://linuxgeneva-microsoft.azurecr.io |
Required if using Azure Arc-enabled Kubernetes extensions. |
To translate the *.servicebus.windows.net
wildcard into specific endpoints, use the command:
GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>
To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, East US 2 region, the region name is eastus2
.
For example: *.<region>.arcdataservices.com
should be *.eastus2.arcdataservices.com
in the East US 2 region.
To see a list of all regions, run this command:
az account list-locations -o table
Get-AzLocation | Format-Table
For more information, see Azure Arc-enabled Kubernetes network requirements.
Azure Arc-enabled data services
This section describes requirements specific to Azure Arc-enabled data services, in addition to the Arc-enabled Kubernetes endpoints listed above.
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
Helm chart (direct connected mode only) | 443 | arcdataservicesrow1.azurecr.io |
Outbound | Provisions the Azure Arc data controller bootstrapper and cluster level objects, such as custom resource definitions, cluster roles, and cluster role bindings, is pulled from an Azure Container Registry. |
Azure monitor APIs 1 | 443 | *.ods.opinsights.azure.com *.oms.opinsights.azure.com *.monitoring.azure.com |
Outbound | Azure Data Studio and Azure CLI connect to the Azure Resource Manager APIs to send and retrieve data to and from Azure for some features. See Azure Monitor APIs. |
Azure Arc data processing service 1 | 443 | *.<region>.arcdataservices.com 2 |
Outbound |
1 Requirement depends on deployment mode:
- For direct mode, the controller pod on the Kubernetes cluster needs to have outbound connectivity to the endpoints to send the logs, metrics, inventory, and billing information to Azure Monitor/Data Processing Service.
- For indirect mode, the machine that runs
az arcdata dc upload
needs to have the outbound connectivity to Azure Monitor and Data Processing Service.
2 For extension versions up to and including February 13, 2024, use san-af-<region>-prod.azurewebsites.net
.
Azure Monitor APIs
Connectivity from Azure Data Studio to the Kubernetes API server uses the Kubernetes authentication and encryption that you have established. Each user that is using Azure Data Studio or CLI must have an authenticated connection to the Kubernetes API to perform many of the actions related to Azure Arc-enabled data services.
For more information, see Connectivity modes and requirements.
Azure Arc-enabled servers
Connectivity to Arc-enabled server endpoints is required for:
SQL Server enabled by Azure Arc
Azure Arc-enabled VMware vSphere *
Azure Arc-enabled System Center Virtual Machine Manager *
Azure Arc-enabled Azure Stack (HCI) *
*Only required for guest management enabled.
Azure Arc-enabled server endpoints are required for all server based Arc offerings.
Networking configuration
The Azure Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. By default, the agent uses the default route to the internet to reach Azure services. You can optionally configure the agent to use a proxy server if your network requires it. Proxy servers don't make the Connected Machine agent more secure because the traffic is already encrypted.
To further secure your network connectivity to Azure Arc, instead of using public networks and proxy servers, you can implement an Azure Arc Private Link Scope .
Note
Azure Arc-enabled servers does not support using a Log Analytics gateway as a proxy for the Connected Machine agent. At the same time, Azure Monitor Agent supports Log Analytics gateway.
If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs and Service Tags listed below are not blocked.
Service tags
Be sure to allow access to the following Service Tags:
- AzureActiveDirectory
- AzureTrafficManager
- AzureResourceManager
- AzureArcInfrastructure
- Storage
- WindowsAdminCenter (if using Windows Admin Center to manage Arc-enabled servers)
For a list of IP addresses for each service tag/region, see the JSON file Azure IP Ranges and Service Tags – Public Cloud. Microsoft publishes weekly updates containing each Azure Service and the IP ranges it uses. This information in the JSON file is the current point-in-time list of the IP ranges that correspond to each service tag. The IP addresses are subject to change. If IP address ranges are required for your firewall configuration, then the AzureCloud Service Tag should be used to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs, allow them as you would other Internet traffic.
If you filter traffic to the AzureArcInfrastructure service tag, you must allow traffic to the full service tag range. The ranges advertised for individual regions, for example AzureArcInfrastructure.AustraliaEast, do not include the IP ranges used by global components of the service. The specific IP address resolved for these endpoints may change over time within the documented ranges, so just using a lookup tool to identify the current IP address for a given endpoint and allowing access to that will not be sufficient to ensure reliable access.
For more information, see Virtual network service tags.
URLs
The table below lists the URLs that must be available in order to install and use the Connected Machine agent.
Note
When configuring the Azure connected machine agent to communicate with Azure through a private link, some endpoints must still be accessed through the internet. The Private link capable column in the following table shows which endpoints can be configured with a private endpoint. If the column shows Public for an endpoint, you must still allow access to that endpoint through your organization's firewall and/or proxy server for the agent to function. Network traffic is routed through private endpoint if a private link scope is assigned.
Agent resource | Description | When required | Private link capable |
---|---|---|---|
aka.ms |
Used to resolve the download script during installation | At installation time, only | Public |
download.microsoft.com |
Used to download the Windows installation package | At installation time, only | Public |
packages.microsoft.com |
Used to download the Linux installation package | At installation time, only | Public |
login.microsoftonline.com |
Microsoft Entra ID | Always | Public |
*login.microsoft.com |
Microsoft Entra ID | Always | Public |
pas.windows.net |
Microsoft Entra ID | Always | Public |
management.azure.com |
Azure Resource Manager - to create or delete the Arc server resource | When connecting or disconnecting a server, only | Public, unless a resource management private link is also configured |
*.his.arc.azure.com |
Metadata and hybrid identity services | Always | Private |
*.guestconfiguration.azure.com |
Extension management and guest configuration services | Always | Private |
guestnotificationservice.azure.com , *.guestnotificationservice.azure.com |
Notification service for extension and connectivity scenarios | Always | Public |
azgn*.servicebus.windows.net |
Notification service for extension and connectivity scenarios | Always | Public |
*.servicebus.windows.net |
For Windows Admin Center and SSH scenarios | If using SSH or Windows Admin Center from Azure | Public |
*.waconazure.com |
For Windows Admin Center connectivity | If using Windows Admin Center | Public |
*.blob.core.windows.net |
Download source for Azure Arc-enabled servers extensions | Always, except when using private endpoints | Not used when private link is configured |
dc.services.visualstudio.com |
Agent telemetry | Optional, not used in agent versions 1.24+ | Public |
*.<region>.arcdataservices.com 1 |
For Arc SQL Server. Sends data processing service, service telemetry, and performance monitoring to Azure. Allows TLS 1.3. | Always | Public |
www.microsoft.com/pkiops/certs |
Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443) | If using ESUs enabled by Azure Arc. Required always for automatic updates, or temporarily if downloading certificates manually. | Public |
1 For details about what information is collected and sent, review Data collection and reporting for SQL Server enabled by Azure Arc.
For extension versions up to and including February 13, 2024, use san-af-<region>-prod.azurewebsites.net
. Beginning with March 12, 2024 both Azure Arc data processing, and Azure Arc data telemetry use *.<region>.arcdataservices.com
.
Note
To translate the *.servicebus.windows.net
wildcard into specific endpoints, use the command \GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>
. Within this command, the region must be specified for the <region>
placeholder. These endpoints may change periodically.
To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, East US 2 region, the region name is eastus2
.
For example: *.<region>.arcdataservices.com
should be *.eastus2.arcdataservices.com
in the East US 2 region.
To see a list of all regions, run this command:
az account list-locations -o table
Get-AzLocation | Format-Table
Transport Layer Security 1.2 protocol
To ensure the security of data in transit to Azure, we strongly encourage you to configure machine to use Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and while they still currently work to allow backwards compatibility, they are not recommended.
Platform/Language | Support | More Information |
---|---|---|
Linux | Linux distributions tend to rely on OpenSSL for TLS 1.2 support. | Check the OpenSSL Changelog to confirm your version of OpenSSL is supported. |
Windows Server 2012 R2 and higher | Supported, and enabled by default. | To confirm that you are still using the default settings. |
Subset of endpoints for ESU only
If you're using Azure Arc-enabled servers only for Extended Security Updates for either or both of the following products:
- Windows Server 2012
- SQL Server 2012
You can enable the following subset of endpoints:
Agent resource | Description | When required | Endpoint used with private link |
---|---|---|---|
aka.ms |
Used to resolve the download script during installation | At installation time, only | Public |
download.microsoft.com |
Used to download the Windows installation package | At installation time, only | Public |
login.windows.net |
Microsoft Entra ID | Always | Public |
login.microsoftonline.com |
Microsoft Entra ID | Always | Public |
*login.microsoft.com |
Microsoft Entra ID | Always | Public |
management.azure.com |
Azure Resource Manager - to create or delete the Arc server resource | When connecting or disconnecting a server, only | Public, unless a resource management private link is also configured |
*.his.arc.azure.com |
Metadata and hybrid identity services | Always | Private |
*.guestconfiguration.azure.com |
Extension management and guest configuration services | Always | Private |
www.microsoft.com/pkiops/certs |
Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443) | Always for automatic updates, or temporarily if downloading certificates manually. | Public |
*.<region>.arcdataservices.com |
Azure Arc data processing service and service telemetry. | SQL Server ESUs | Public |
*.blob.core.windows.net |
Download Sql Server Extension package | SQL Server ESUs | Not required if using Private Link |
For more information, see Connected Machine agent network requirements.
Azure Arc resource bridge
This section describes additional networking requirements specific to deploying Azure Arc resource bridge in your enterprise. These requirements also apply to Azure Arc-enabled VMware vSphere and Azure Arc-enabled System Center Virtual Machine Manager.
Outbound connectivity requirements
The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.
Firewall/Proxy URL allowlist
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com |
Management machine & Appliance VM IPs need outbound connection. | Download product catalog, product bits, and OS images from SFS. |
Resource bridge (appliance) image download | 443 | msk8s.sb.tlu.dl.delivery.mp.microsoft.com |
Management machine & Appliance VM IPs need outbound connection. | Download the Arc Resource Bridge OS images. |
Microsoft Container Registry | 443 | mcr.microsoft.com |
Management machine & Appliance VM IPs need outbound connection. | Discover container images for Arc Resource Bridge. |
Microsoft Container Registry | 443 | *.data.mcr.microsoft.com |
Management machine & Appliance VM IPs need outbound connection. | Download container images for Arc Resource Bridge. |
Windows NTP Server | 123 | time.windows.com |
Management machine & Appliance VM IPs (if Hyper-V default is Windows NTP) need outbound connection on UDP | OS time sync in appliance VM & Management machine (Windows NTP). |
Azure Resource Manager | 443 | management.azure.com |
Management machine & Appliance VM IPs need outbound connection. | Manage resources in Azure. |
Microsoft Graph | 443 | graph.microsoft.com |
Management machine & Appliance VM IPs need outbound connection. | Required for Azure RBAC. |
Azure Resource Manager | 443 | login.microsoftonline.com |
Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Azure Resource Manager | 443 | *.login.microsoft.com |
Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Azure Resource Manager | 443 | login.windows.net |
Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Resource bridge (appliance) Dataplane service | 443 | *.dp.prod.appliances.azure.com |
Appliance VMs IP need outbound connection. | Communicate with resource provider in Azure. |
Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, ecpacr.azurecr.io |
Appliance VM IPs need outbound connection. | Required to pull container images. |
Managed Identity | 443 | *.his.arc.azure.com |
Appliance VM IPs need outbound connection. | Required to pull system-assigned Managed Identity certificates. |
Azure Arc for Kubernetes container image download | 443 | azurearcfork8s.azurecr.io |
Appliance VM IPs need outbound connection. | Pull container images. |
Azure Arc agent | 443 | k8connecthelm.azureedge.net |
Appliance VM IPs need outbound connection. | deploy Azure Arc agent. |
ADHS telemetry service | 443 | adhs.events.data.microsoft.com |
Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data from appliance VM. |
Microsoft events data service | 443 | v20.events.data.microsoft.com |
Appliance VM IPs need outbound connection. | Send diagnostic data from Windows. |
Log collection for Arc Resource Bridge | 443 | linuxgeneva-microsoft.azurecr.io |
Appliance VM IPs need outbound connection. | Push logs for Appliance managed components. |
Resource bridge components download | 443 | kvamanagementoperator.azurecr.io |
Appliance VM IPs need outbound connection. | Pull artifacts for Appliance managed components. |
Microsoft open source packages manager | 443 | packages.microsoft.com |
Appliance VM IPs need outbound connection. | Download Linux installation package. |
Custom Location | 443 | sts.windows.net |
Appliance VM IPs need outbound connection. | Required for Custom Location. |
Azure Arc | 443 | guestnotificationservice.azure.com |
Appliance VM IPs need outbound connection. | Required for Azure Arc. |
Custom Location | 443 | k8sconnectcsp.azureedge.net |
Appliance VM IPs need outbound connection. | Required for Custom Location. |
Diagnostic data | 443 | gcs.prod.monitoring.core.windows.net |
Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.microsoftmetrics.com |
Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.hot.ingest.monitor.core.windows.net |
Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.warm.ingest.monitor.core.windows.net |
Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Azure portal | 443 | *.arc.azure.net |
Appliance VM IPs need outbound connection. | Manage cluster from Azure portal. |
Azure CLI & Extension | 443 | *.blob.core.windows.net |
Management machine needs outbound connection. | Download Azure CLI Installer and extension. |
Azure Arc Agent | 443 | *.dp.kubernetesconfiguration.azure.com |
Management machine needs outbound connection. | Dataplane used for Arc agent. |
Python package | 443 | pypi.org , *.pypi.org |
Management machine needs outbound connection. | Validate Kubernetes and Python versions. |
Azure CLI | 443 | pythonhosted.org , *.pythonhosted.org |
Management machine needs outbound connection. | Python packages for Azure CLI installation. |
Inbound connectivity requirements
Communication between the following ports must be allowed from the management machine, Appliance VM IPs, and Control Plane IPs. Ensure these ports are open and that traffic is not being routed through a proxy to facilitate the deployment and maintenance of Arc resource bridge.
Service | Port | IP/machine | Direction | Notes |
---|---|---|---|---|
SSH | 22 | appliance VM IPs and Management machine |
Bidirectional | Used for deploying and maintaining the appliance VM. |
Kubernetes API server | 6443 | appliance VM IPs and Management machine |
Bidirectional | Management of the appliance VM. |
SSH | 22 | control plane IP and Management machine |
Bidirectional | Used for deploying and maintaining the appliance VM. |
Kubernetes API server | 6443 | control plane IP and Management machine |
Bidirectional | Management of the appliance VM. |
HTTPS | 443 | private cloud control plane address and Management machine |
Management machine needs outbound connection. | Communication with control plane (ex: VMware vCenter address). |
For more information, see Azure Arc resource bridge network requirements.
Azure Arc-enabled VMware vSphere
Azure Arc-enabled VMware vSphere also requires:
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
vCenter Server | 443 | URL of the vCenter server | Appliance VM IP and control plane endpoint need outbound connection. | Used to by the vCenter server to communicate with the Appliance VM and the control plane. |
VMware Cluster Extension | 443 | azureprivatecloud.azurecr.io |
Appliance VM IPs need outbound connection. | Pull container images for Microsoft.VMWare and Microsoft.AVS Cluster Extension. |
Azure CLI and Azure CLI Extensions | 443 | *.blob.core.windows.net |
Management machine needs outbound connection. | Download Azure CLI Installer and Azure CLI extensions. |
Azure Resource Manager | 443 | management.azure.com |
Management machine needs outbound connection. | Required to create/update resources in Azure using ARM. |
Helm Chart for Azure Arc Agents | 443 | *.dp.kubernetesconfiguration.azure.com |
Management machine needs outbound connection. | Data plane endpoint for downloading the configuration information of Arc agents. |
Azure CLI | 443 | - login.microsoftonline.com - aka.ms |
Management machine needs outbound connection. | Required to fetch and update Azure Resource Manager tokens. |
For more information, see Support matrix for Azure Arc-enabled VMware vSphere.
Azure Arc-enabled System Center Virtual Machine Manager
Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) also requires:
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
SCVMM management Server | 443 | URL of the SCVMM management server | Appliance VM IP and control plane endpoint need outbound connection. | Used by the SCVMM server to communicate with the Appliance VM and the control plane. |
For more information, see Overview of Arc-enabled System Center Virtual Machine Manager.
Additional endpoints
Depending on your scenario, you might need connectivity to other URLs, such as those used by the Azure portal, management tools, or other Azure services. In particular, review these lists to ensure that you allow connectivity to any necessary endpoints: