Azure Arc-enabled Kubernetes network requirements

This topic describes the networking requirements for connecting a Kubernetes cluster to Azure Arc and supporting various Arc-enabled Kubernetes scenarios.

Details

Generally, connectivity requirements include these principles:

• All connections are TCP unless otherwise specified.
• All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
• All connections are outbound unless otherwise specified.

To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.

Azure Cloud

Important

Azure Arc agents require the following outbound URLs on https://:443 to function. For *.servicebus.windows.net, websockets need to be enabled for outbound access on firewall and proxy.

Endpoint (DNS)	Description
https://management.azure.com	Required for the agent to connect to Azure and register the cluster.
https://<region>.dp.kubernetesconfiguration.azure.com	Data plane endpoint for the agent to push status and fetch configuration information.
https://login.microsoftonline.com https://<region>.login.microsoft.com login.windows.net	Required to fetch and update Azure Resource Manager tokens.
https://mcr.microsoft.com https://*.data.mcr.microsoft.com	Required to pull container images for Azure Arc agents.
https://gbl.his.arc.azure.com	Required to get the regional endpoint for pulling system-assigned Managed Identity certificates.
https://*.his.arc.azure.com	Required to pull system-assigned Managed Identity certificates.
https://k8connecthelm.azureedge.net	az connectedk8s connect uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart.
guestnotificationservice.azure.com *.guestnotificationservice.azure.com sts.windows.net https://k8sconnectcsp.azureedge.net	For Cluster Connect and for Custom Location based scenarios.
*.servicebus.windows.net	For Cluster Connect and for Custom Location based scenarios.
https://graph.microsoft.com/	Required when Azure RBAC is configured.
*.arc.azure.net	Required to manage connected clusters in Azure portal.
https://<region>.obo.arc.azure.com:8084/	Required when Cluster Connect is configured.
https://linuxgeneva-microsoft.azurecr.io	Required if using Azure Arc-enabled Kubernetes extensions.

To translate the *.servicebus.windows.net wildcard into specific endpoints, use the command:

GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>

To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, East US 2 region, the region name is eastus2.

For example: *.<region>.arcdataservices.com should be *.eastus2.arcdataservices.com in the East US 2 region.

To see a list of all regions, run this command:

az account list-locations -o table

Get-AzLocation | Format-Table

Azure Government

Important

Azure Arc agents require the following outbound URLs on https://:443 to function. For *.servicebus.usgovcloudapi.net, websockets need to be enabled for outbound access on firewall and proxy.

Endpoint (DNS)	Description
https://management.usgovcloudapi.net	Required for the agent to connect to Azure and register the cluster.
https://<region>.dp.kubernetesconfiguration.azure.us	Data plane endpoint for the agent to push status and fetch configuration information.
https://login.microsoftonline.us <region>.login.microsoftonline.us	Required to fetch and update Azure Resource Manager tokens.
https://mcr.microsoft.com https://*.data.mcr.microsoft.com	Required to pull container images for Azure Arc agents.
https://gbl.his.arc.azure.us	Required to get the regional endpoint for pulling system-assigned Managed Identity certificates.
https://usgv.his.arc.azure.us	Required to pull system-assigned Managed Identity certificates.
https://k8connecthelm.azureedge.net	az connectedk8s connect uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart.
guestnotificationservice.azure.us *.guestnotificationservice.azure.us sts.windows.net https://k8sconnectcsp.azureedge.net	For Cluster Connect and for Custom Location based scenarios.
*.servicebus.usgovcloudapi.net	For Cluster Connect and for Custom Location based scenarios.
https://graph.microsoft.com/	Required when Azure RBAC is configured.
https://usgovvirginia.obo.arc.azure.us:8084/	Required when Cluster Connect is configured.

To translate the *.servicebus.usgovcloudapi.net wildcard into specific endpoints, use the command:

GET https://guestnotificationservice.azure.us/urls/allowlist?api-version=2020-01-01&location=region

To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, East US 2 region, the region name is eastus2.

For example: *.<region>.arcdataservices.com should be *.eastus2.arcdataservices.com in the East US 2 region.

To see a list of all regions, run this command:

az account list-locations -o table

Get-AzLocation | Format-Table

Microsoft Azure operated by 21Vianet

Important

Azure Arc agents require the following outbound URLs on https://:443 to function. For *.servicebus.chinacloudapi.cn, websockets need to be enabled for outbound access on firewall and proxy.

Endpoint (DNS)	Description
https://management.chinacloudapi.cn	Required for the agent to connect to Azure and register the cluster.
https://<region>.dp.kubernetesconfiguration.azure.cn	Data plane endpoint for the agent to push status and fetch configuration information.
https://login.chinacloudapi.cn https://<region>.login.chinacloudapi.cn login.partner.microsoftonline.cn	Required to fetch and update Azure Resource Manager tokens.
mcr.azk8s.cn	Required to pull container images for Azure Arc agents.
https://gbl.his.arc.azure.cn	Required to get the regional endpoint for pulling system-assigned Managed Identity certificates.
https://*.his.arc.azure.cn	Required to pull system-assigned Managed Identity certificates.
https://k8connecthelm.azureedge.net	az connectedk8s connect uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart.
guestnotificationservice.azure.cn *.guestnotificationservice.azure.cn sts.chinacloudapi.cn https://k8sconnectcsp.azureedge.net	For Cluster Connect and for Custom Location based scenarios.
*.servicebus.chinacloudapi.cn	For Cluster Connect and for Custom Location based scenarios.
https://graph.chinacloudapi.cn/	Required when Azure RBAC is configured.
*.arc.azure.cn	Required to manage connected clusters in Azure portal.
https://<region>.obo.arc.azure.cn:8084/	Required when Cluster Connect is configured.
quay.azk8s.cn registryk8s.azk8s.cn k8sgcr.azk8s.cn usgcr.azk8s.cn dockerhub.azk8s.cn/<repo-name>/<image-name>:<version>	Container registry proxy servers for Azure China VMs.

Additional endpoints

Depending on your scenario, you may need connectivity to other URLs, such as those used by the Azure portal, management tools, or other Azure services. In particular, review these lists to ensure that you allow connectivity to any necessary endpoints:

• Azure portal URLs
• Azure CLI endpoints for proxy bypass

For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see Azure Arc network requirements.

Next steps

• Understand system requirements for Arc-enabled Kubernetes.
• Use our quickstart to connect your cluster.
• Review frequently asked questions about Arc-enabled Kubernetes.