Azure Arc enabled server abnormal network traffic

Question

Azure Arc enabled server abnormal network traffic

Kenneth Chan - Admin 0

We are observing abnormal outbound traffic generated by Azure Arc Guest Configuration processes on one of our AWS EC2 instances connected via Azure Arc.

From the AWS VPC flow log, it shows a high data volume from NAT Gateway correlates with outbound traffic from gc_service.exe. And the remote IPs involved are 20.209.70.33, 20.60.243.97, 20.209.70.97. From our endpoint monitoring, we figure out gc_service.exe is connected to those three IP.

From the Azure Arc service logs (gc_worker.log), the gc_service.exe and gc_extension_service.exe processes are repeatedly downloading data in short intervals, causing continuous high outbound traffic via our AWS NAT Gateway. This looped behavior results in unusually high "Bytes out to source" traffic in AWS monitoring. (Attached the gc_worker.log)

Please confirm if this is a known issue with the Azure Arc Guest Configuration service. And please advise on whether disabling or updating the Arc Guest Configuration extension will stop the high outbound traffic without affecting Defender’s core protection.

We would like to know what the usage for this Arc service is, as we have the AWS control tower, if Arc service is for compliance report only, we may consider turning it off directly

Kenneth Chan - Admin 0 Reputation points

2025-08-11T15:52:13.1166667+00:00

gc_worker.log
Kenneth Chan - Admin 0 Reputation points

2025-08-11T17:14:37.6933333+00:00

Hi Rahul,

Thanks so much for your detailed explanation
I would like to further ask something about the gc extension

From the impacted server, the extension status is not normal

It show updating and creating

May i know how to fix this?

And if i want to disable the gc extension directly
Do i need to use powershell manually? Or i can do it directly on the console side?

Thanks
Kenneth
Rahul Jorrigala 4,410 Reputation points Microsoft External Staff Moderator

2025-08-11T17:42:26.5233333+00:00
Hello Kenneth Chan - Admin

Try the Azure Portal First

Go to the Arc-connected server’s “Extensions + applications” blade in the Azure Portal.

For each extension stuck in “Updating” or “Creating,” try: Uninstall.

If “Uninstall” fails, proceed to PowerShell.

Use PowerShell on the Server

Open an elevated PowerShell prompt on the server.

List all extensions:

azcmagent extension list

Remove the stuck extension:

azcmagent extension remove --name "WindowsAgent.SqlServer" azcmagent extension remove --name "MDE.Windows"

Restart the Arc agent:

Restart-Service -Name "AzureConnectedMachineAgent" -Force

Reference Link

https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-extensions

https://learn.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions

Please let me know if you face any challenge here, I can help you to resolve this issue further

If the comment was helpful, please click "Upvote"
Vinod Pittala 6,415 Reputation points Microsoft External Staff Moderator

2025-08-12T10:18:04.7366667+00:00

Hello Kenneth Chan - Admin

We haven't heard back from you regarding the advice Rahul Jorrigala provided earlier. Could you please let us know if it was helpful? If you have any questions or encounter any issues, please don't hesitate to reach out. We are committed to resolving your concerns as a priority.

Thanks
Kenneth Chan - Admin 0 Reputation points

2025-08-12T15:28:23.54+00:00
Hi Vinod and Rahul,

Thanks for the information. I am currently updating the Arc agent to the latest version and will verify the traffic afterward.

At the same time, I have a few more questions about the extensions.

Could you please clarify the purpose of the MDE.Windows extension?

I also noticed the WindowsAgent.SqlServer extension. In the Arc machine console, there is a SQL Server configuration section that includes some licensing settings. Will removing the machine from Azure Arc cause any issues related to these SQL Server configurations or licenses?

Thanks,

Kenneth
Kenneth Chan - Admin 0 Reputation points

2025-08-12T17:53:55.02+00:00

Hi Rahul,

I am still confusing about the MDE extension, normally whenever we deploy a new server, we get to the security.microsoft.com, downloading the onboarding package inside the security defender

And we will add the tag MDE-Management, so that it will appear the server object to the intune system

For the MDE extension inside the Azure Arc, is it only needed for the defender for cloud inside the azure portal? what is the difference? are they having different functionality as the security.microsoft.com?

Thanks again for your great help

Best Regards
Kenneth
Rahul Jorrigala 4,410 Reputation points Microsoft External Staff Moderator

2025-08-12T18:37:05.8233333+00:00
Hello Kenneth Chan - Admin

Manual Onboarding via security.microsoft.com

This method involves downloading the onboarding package from the Microsoft Defender portal (security.microsoft.com) and installing it manually on each server.

You typically use this for:

Non-Azure servers

Intune integration (e.g., tagging with MDE-Management to show up in Intune)

This method gives you direct control over onboarding but requires manual effort or scripting.

MDE.Windows Extension via Azure Arc

This extension is deployed automatically or manually to Arc-enabled servers.

It is primarily used when integrating with Microsoft Defender for Cloud.

When you enable Defender for Servers Plan 1 or Plan 2, the extension is auto-provisioned to onboard the server to Microsoft Defender for Endpoint (MDE)

It simplifies onboarding for hybrid environments and ensures the server is visible in both Defender for Cloud and Microsoft 365 Defender.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-defender-for-endpoint

Please let me know if you face any challenge here, I can help you to resolve this issue further

If the comment was helpful, please click "Upvote"
Rahul Jorrigala 4,410 Reputation points Microsoft External Staff Moderator

2025-08-13T17:08:45.0666667+00:00

Hello Kenneth Chan - Admin

Just want to check if the above Comment worked for you or else please let us know if any help, we are always here to help whenever you need us.

If the comment is helpful, please click "Upvote it"

Thankyou
Naveena Patlolla 9,665 Reputation points Microsoft External Staff Moderator

2025-08-14T01:32:42.95+00:00

Hello Kenneth Chan - Admin
Just wanted to check if the above comment resolved your issue. If not, please let us know — we’re always here to help whenever you need us.

If you found the comment helpful, kindly click "Upvote".

2 answers

Your answer

Kenneth Chan - Admin 0 Reputation points

2025-08-11T15:52:13.1166667+00:00

gc_worker.log
Kenneth Chan - Admin 0 Reputation points

2025-08-11T17:14:37.6933333+00:00

Hi Rahul,

Thanks so much for your detailed explanation
I would like to further ask something about the gc extension

From the impacted server, the extension status is not normal

It show updating and creating

May i know how to fix this?

And if i want to disable the gc extension directly
Do i need to use powershell manually? Or i can do it directly on the console side?

Thanks
Kenneth
Rahul Jorrigala 4,410 Reputation points Microsoft External Staff Moderator

2025-08-11T17:42:26.5233333+00:00

Hello Kenneth Chan - Admin

Try the Azure Portal First

Go to the Arc-connected server’s “Extensions + applications” blade in the Azure Portal.

For each extension stuck in “Updating” or “Creating,” try: Uninstall.

If “Uninstall” fails, proceed to PowerShell.

Use PowerShell on the Server

Open an elevated PowerShell prompt on the server.

List all extensions:

azcmagent extension list

Remove the stuck extension:

azcmagent extension remove --name "WindowsAgent.SqlServer" azcmagent extension remove --name "MDE.Windows"

Restart the Arc agent:

Restart-Service -Name "AzureConnectedMachineAgent" -Force

Reference Link

https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-extensions

https://learn.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions

Please let me know if you face any challenge here, I can help you to resolve this issue further

If the comment was helpful, please click "Upvote"
Vinod Pittala 6,415 Reputation points Microsoft External Staff Moderator

2025-08-12T10:18:04.7366667+00:00

Hello Kenneth Chan - Admin

We haven't heard back from you regarding the advice Rahul Jorrigala provided earlier. Could you please let us know if it was helpful? If you have any questions or encounter any issues, please don't hesitate to reach out. We are committed to resolving your concerns as a priority.

Thanks
Kenneth Chan - Admin 0 Reputation points

2025-08-12T15:28:23.54+00:00

Hi Vinod and Rahul,

Thanks for the information. I am currently updating the Arc agent to the latest version and will verify the traffic afterward.

At the same time, I have a few more questions about the extensions.

Could you please clarify the purpose of the MDE.Windows extension?

I also noticed the WindowsAgent.SqlServer extension. In the Arc machine console, there is a SQL Server configuration section that includes some licensing settings. Will removing the machine from Azure Arc cause any issues related to these SQL Server configurations or licenses?

Thanks,

Kenneth
Kenneth Chan - Admin 0 Reputation points

2025-08-12T17:53:55.02+00:00

Hi Rahul,

I am still confusing about the MDE extension, normally whenever we deploy a new server, we get to the security.microsoft.com, downloading the onboarding package inside the security defender

And we will add the tag MDE-Management, so that it will appear the server object to the intune system

For the MDE extension inside the Azure Arc, is it only needed for the defender for cloud inside the azure portal? what is the difference? are they having different functionality as the security.microsoft.com?

Thanks again for your great help

Best Regards
Kenneth
Rahul Jorrigala 4,410 Reputation points Microsoft External Staff Moderator

2025-08-12T18:37:05.8233333+00:00

Hello Kenneth Chan - Admin

Manual Onboarding via security.microsoft.com

This method involves downloading the onboarding package from the Microsoft Defender portal (security.microsoft.com) and installing it manually on each server.

You typically use this for:

Non-Azure servers

Intune integration (e.g., tagging with MDE-Management to show up in Intune)

This method gives you direct control over onboarding but requires manual effort or scripting.

MDE.Windows Extension via Azure Arc

This extension is deployed automatically or manually to Arc-enabled servers.

It is primarily used when integrating with Microsoft Defender for Cloud.

When you enable Defender for Servers Plan 1 or Plan 2, the extension is auto-provisioned to onboard the server to Microsoft Defender for Endpoint (MDE)

It simplifies onboarding for hybrid environments and ensures the server is visible in both Defender for Cloud and Microsoft 365 Defender.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-defender-for-endpoint

Please let me know if you face any challenge here, I can help you to resolve this issue further

If the comment was helpful, please click "Upvote"
Rahul Jorrigala 4,410 Reputation points Microsoft External Staff Moderator

2025-08-13T17:08:45.0666667+00:00

Hello Kenneth Chan - Admin

Just want to check if the above Comment worked for you or else please let us know if any help, we are always here to help whenever you need us.

If the comment is helpful, please click "Upvote it"

Thankyou
Naveena Patlolla 9,665 Reputation points Microsoft External Staff Moderator

2025-08-14T01:32:42.95+00:00

Hello Kenneth Chan - Admin
Just wanted to check if the above comment resolved your issue. If not, please let us know — we’re always here to help whenever you need us.

If you found the comment helpful, kindly click "Upvote".

Answer 1

Hello Kenneth Chan - Admin

MDE.Windows Extension (Microsoft Defender for Endpoint)

The MDE.Windows extension is used to onboard non-Azure machines (via Azure Arc) into Microsoft Defender for Endpoint (MDE). This enables advanced threat protection, endpoint detection and response (EDR), and integration with Microsoft Defender for Cloud .

Key Functions:

Installs the Defender for Endpoint agent.
Enables telemetry and threat detection on hybrid/on-prem machines.
Can be deployed manually or automatically via Defender for Servers.

Important Notes:

If this extension is not installed, the machine will not be onboarded to Defender for Endpoint.
Removing it will disable endpoint protection and stop telemetry from being sent to Microsoft Defender for Cloud.

WindowsAgent.SqlServer Extension (SQL Server on Azure Arc)

This extension enables SQL Server management and licensing for Arc-enabled machines. It allows SQL Server instances running on-premises or in other clouds to be treated as Azure resources.

Key Functions:

Enables Pay-As-You-Go (PAYG) or Azure Hybrid Benefit (AHB) licensing.
Supports features like:
- Automated backups
- Availability groups
- Best practices assessments
- Database migration
- Billing and compliance tracking

Licensing Impact:

If you remove the machine from Azure Arc, or uninstall the SQL Server extension, the following may occur:
- Licensing settings (PAYG/AHB) will be lost.
- Billing may stop, and you may revert to traditional licensing.
- Azure features like automated backups and assessments will be disabled.
- Telemetry and compliance tracking will cease.

Recommendation:

If you're using Azure Arc for SQL Server licensing, ensure you have a fallback licensing plan before removing the extension or disconnecting the machine.

https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/manage-license-billing?view=sql-server-ver17

https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/manage-configuration?view=sql-server-ver17

https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/configure-windows-accounts-agent?view=sql-server-ver17

Please let me know if you face any challenge here, I can help you to resolve this issue further

If the comment was helpful, please click "Upvote"

Kenneth Chan - Admin 0 Reputation points

2025-08-14T15:07:45.5966667+00:00

Hi,

The issue has been resolved

We can go ahead and close this

Thanks so much

Best Regards
Kenneth
Vinod Pittala 6,415 Reputation points Microsoft External Staff Moderator

2025-08-14T15:57:38.5033333+00:00

Hello Kenneth Chan - Admin,

Thanks for your confirmation. I have converted the comment into Answer.

If the solution provided by Rahul was helpful, please consider clicking "Accept as Answer" and giving it an upvote. This not only shows appreciation but also helps others in the community find useful solutions more easily.

Thanks again!

Answer 2

Hello Kenneth Chan - Admin

The Azure Arc Guest Configuration (gc_service.exe and gc_extension_service.exe) causing excessive outbound traffic, especially when:

The assigned policy set is large (e.g., “AzureWindowsBaseline”).

The agent is unable to converge to a compliant state, resulting in repeated compliance checks and large report uploads.

The log shows repeated cycles of DSC “Get” operations and warnings about oversized compliance reports being trimmed and resent

Your log matches this pattern exactly: The Guest Configuration agent is stuck in a loop, generating and uploading large compliance reports every few minutes, which is the root cause of your high outbound traffic.

Disabling or Updating the Extension

Disabling the Guest Configuration extension will immediately stop this traffic. This extension is only required for Azure Policy compliance reporting and does not affect Microsoft Defender for Cloud’s core protection or threat detection.

Updating the extension

Microsoft has released fixes in recent versions of the Arc agent and Guest Configuration extension to address this looped behavior. If you need compliance reporting, update to the latest version.

No impact on Defender

Defender for Cloud uses its own agents (MMA/AMA) and does not depend on Guest Configuration for threat protection.

Usage of Azure Arc Guest Configuration

Purpose: Provides in-guest policy compliance and configuration auditing for hybrid servers (on-prem, AWS, GCP, etc.), reporting compliance status to Azure Policy.

If you only use AWS Control Tower for compliance and do not need Azure Policy reporting, you can safely disable the Guest Configuration extension.

Network Configuration

The log confirms that the agent is uploading compliance reports to Azure endpoints (e.g., https://canadacentral-gas.guestconfiguration.azure.com/...).

If you keep Guest Configuration enabled, ensure only the required endpoints are open and monitor for excessive traffic. If you disable it, this traffic will stop.

Recommendation

If you do not need Azure Policy compliance reporting on AWS EC2:

Disable the Azure Arc Guest Configuration extension on the affected instance(s).

If you need compliance reporting:

Update the Arc agent and Guest Configuration extension to the latest version to resolve the traffic loop.

Please let me know if you face any challenge here, I can help you to resolve this issue further

If the comment was helpful, please click "Upvote"

Share via

Azure Arc enabled server abnormal network traffic

2 answers

Your answer