Can we onboard the vm instances from Azure local to Azure arc using Arc private link scope?

Question

Can we onboard the vm instances from Azure local to Azure arc using Arc private link scope?

Ajit Sane 0

We want to establish private connection between Azure local VM instances (vm instances on the Azure local cluster nodes) to Azure Arc services. So, we want to onboard these VMs to Arc using Arc private link scope. Please let me know

Will this scenario work?
Can Azure local support private link scope?
If no, please explain me why?

2 answers

Your answer

Answer 1

Jilakara Hemalatha 10,200 Microsoft External Staff Moderator

Hello Ajit,

Thank you for reaching out Q/A.

Yes. Azure Arc Private Link can be used to onboard VM instances running on Azure Local to Azure Arc, but with important design and support considerations.

Azure Local itself doesn’t “support Private Link” as a platform feature, but Azure Local VMs can consume Azure Arc Private Link when networking and DNS are designed correctly.

The Azure Local network is connected to an Azure Virtual Network using Site-to-Site VPN or ExpressRoute (or has controlled outbound HTTPS access).
A Private Endpoint is deployed in that Azure VNet and associated with the Arc Private Link Scope.
DNS is configured so the Arc endpoints resolve to the private IP address of the Private Endpoint.

Reference:

Use Azure Private Link to securely connect servers to Azure Arc

Create an Azure Arc private link scope

Hope this helps! Please let me know if you have any queries in comments.

Ajit Sane 0 Reputation points

2026-02-20T05:39:22.8633333+00:00

But the Microsoft document in this attached link says

"Azure Arc Private Link Scopes are not supported by Azure Local. Arc endpoints (.his.arc.azure.com,.guestconfiguration.azure.com and *.dp.kubernetesconfiguration.azure.com) must always resolve to public IPs from Azure Local nodes".

https://learn.microsoft.com/en-us/azure/azure-local/concepts/firewall-requirements?view=azloc-2602

What is your view on this?

If suppose it supports, For testing I am using Azure localBox, so, can I test onboarding the VMs from Azure localBox nodes to Azure Arc using private link scope?

Because, When we we create vm in Azure localBox cluster, VMs are automatically Arc onboarded. Please suggest a proper method to test it in the Azure localBox.
Ankit Yadav 12,200 Reputation points Microsoft External Staff Moderator

2026-02-23T05:58:21.3833333+00:00

Thank you for your follow-up query. We are reviewing your request and will get back to you with an answer soon.
Jilakara Hemalatha 10,200 Reputation points Microsoft External Staff Moderator

2026-02-24T17:41:18.93+00:00
Hello Ajit,

Thank you for your patience while we engaged the Azure Local Product Group on this topic. I wanted to provide an update and clarify the current supportability of Azure Arc Private Link Scopes with Azure Local.

Azure Local infrastructure (nodes and Arc Resource Bridge VM)

Currently, Azure Arc Private Link Scopes are not supported for Azure Local infrastructure, including the cluster nodes and the Arc Resource Bridge (ARB) VM.

This is by design, as Azure Local uses platform-managed Azure Arc integration, where required Arc service endpoints must resolve to public IP addresses.

Work is ongoing to address this limitation; however, there is no immediate or committed timeline for when Azure Arc Private Link Scope support will become available for Azure Local infrastructure.

Alternative private connectivity options: Azure Local can still access other Azure PaaS Private Endpoints (such as Azure Key Vault, Azure Container Registry, Azure Storage, and Azure Site Recovery), provided that:

ExpressRoute (ER) or Site-to-Site (S2S) VPN connectivity is in place

DNS resolution and routing are correctly configured

Appropriate consideration is given to whether an Arc Gateway or proxy is required based on the specific deployment scenario

Workloads running in their own LNET

Support for Azure Arc Private Link onboarding for Azure Local workload VMs in separate LNETs is not available yet.

When this capability becomes available in the future, the following constraints will apply:

The DNS server used for the workload LNET must be separate from the Azure Local infrastructure DNS, as the Arc Resource Bridge does not support Azure Arc Private Link

Workload VMs may still consume other Azure PaaS Private Endpoints (Key Vault, Storage, ACR, etc.) provided DNS resolution and routing allow traffic to reach the Azure VNET via ER or S2S VPN
Jilakara Hemalatha 10,200 Reputation points Microsoft External Staff Moderator

2026-02-27T08:26:13.6566667+00:00

Hello Ajit

Just checking if above provided information was helpful! Please let me know if you have any queries.

Answer 2

Hi Ajit Sane,

yes, this scenario is supported, but with important conditions.

Azure Local VMs can be onboarded to Azure Arc using Arc Private Link Scope, but the support depends on how network connectivity is designed. Azure Local itself does not natively host Private Link. What matters is whether the VMs can resolve and reach the Arc private endpoints over private connectivity.

Arc Private Link Scope works by exposing private endpoints in a virtual network in Azure. Your Azure Local VMs must have line of sight to that VNet through VPN or ExpressRoute. They must also use DNS that resolves the Arc service FQDNs to the private endpoint IPs instead of public IPs.

So, Azure Local does not directly “support” Private Link as a feature, but Azure Local VMs can use Arc Private Link if networking and DNS are configured correctly.

Requirements is

Private endpoints for Arc services deployed in Azure.

Network connectivity from Azure Local to the Azure VNet (VPN/ER).

Proper DNS configuration so Arc endpoints resolve privately.

Outbound HTTPS allowed to those private IPs.

If Azure Local is isolated without connectivity to the Azure VNet hosting the private endpoints, then this will not work, because Private Link is not local to Azure Local clusters.

So the scenario works, but it is a networking and DNS design question, not a platform limitation of Azure Local itself.

rgds,

Alex

Ajit Sane 0 Reputation points

2026-02-20T05:44:47.0433333+00:00

But the Microsoft document in this attached link says

"Azure Arc Private Link Scopes are not supported by Azure Local. Arc endpoints (.his.arc.azure.com,.guestconfiguration.azure.com and *.dp.kubernetesconfiguration.azure.com) must always resolve to public IPs from Azure Local nodes".

https://learn.microsoft.com/en-us/azure/azure-local/concepts/firewall-requirements?view=azloc-2602

What is your view on this?

If suppose it supports, For testing I am using Azure localBox, so, can I test onboarding the VMs from Azure localBox nodes to Azure Arc using private link scope?

Because, When we we create vm in Azure localBox cluster, VMs are automatically Arc onboarded. Please suggest a proper method to test it in the Azure localBox.

Share via

Can we onboard the vm instances from Azure local to Azure arc using Arc private link scope?

2 answers

Your answer