Azure Arc network requirements
This article lists the endpoints, ports, and protocols required for Azure Arc-enabled services and features.
Generally, connectivity requirements include these principles:
- All connections are TCP unless otherwise specified.
- All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
- All connections are outbound unless otherwise specified.
To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.
Azure Arc-enabled Kubernetes endpoints
Connectivity to the Arc Kubernetes-based endpoints is required for all Kubernetes-based Arc offerings, including:
- Azure Arc-enabled Kubernetes
- Azure Arc-enabled App services
- Azure Arc-enabled Machine Learning
- Azure Arc-enabled data services (direct connectivity mode only)
Important
Azure Arc agents require the following outbound URLs on https://:443 to function. For *.servicebus.windows.net, websockets need to be enabled for outbound access on the firewall and proxy.
Endpoint (DNS) | Description |
---|---|
https://management.azure.com | Required for the agent to connect to Azure and register the cluster. |
https://<region>.dp.kubernetesconfiguration.azure.com | Data plane endpoint for the agent to push status and fetch configuration information. |
https://login.microsoftonline.com, https://<region>.login.microsoft.com, login.windows.net | Required to fetch and update Azure Resource Manager tokens. |
https://mcr.microsoft.com, https://*.data.mcr.microsoft.com | Required to pull container images for Azure Arc agents. |
https://gbl.his.arc.azure.com | Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
https://*.his.arc.azure.com | Required to pull system-assigned Managed Identity certificates. |
https://k8connecthelm.azureedge.net | az connectedk8s connect uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed to download the Helm client, which deploys the agent Helm chart. |
guestnotificationservice.azure.com, *.guestnotificationservice.azure.com, sts.windows.net, https://k8sconnectcsp.azureedge.net | For Cluster Connect and for Custom Location based scenarios. |
*.servicebus.windows.net | For Cluster Connect and for Custom Location based scenarios. |
https://graph.microsoft.com/ | Required when Azure RBAC is configured. |
*.arc.azure.net | Required to manage connected clusters in the Azure portal. |
https://<region>.obo.arc.azure.com:8084/ | Required when Cluster Connect is configured. |
dl.k8s.io | Required when automatic agent upgrade is enabled. |
To translate the *.servicebus.windows.net wildcard into specific endpoints, use the command:
GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>
To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, for the East US 2 region, the region name is eastus2, so san-af-<region>-prod.azurewebsites.net becomes san-af-eastus2-prod.azurewebsites.net in that region.
To see a list of all regions, run one of these commands:
Azure CLI: az account list-locations -o table
PowerShell: Get-AzLocation | Format-Table
For more information, see Azure Arc-enabled Kubernetes network requirements.
Azure Arc-enabled data services
This section describes requirements specific to Azure Arc-enabled data services, in addition to the Arc-enabled Kubernetes endpoints listed above.
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
Helm chart (direct connected mode only) | 443 | arcdataservicesrow1.azurecr.io | Outbound | Provisions the Azure Arc data controller bootstrapper and cluster-level objects, such as custom resource definitions, cluster roles, and cluster role bindings, which are pulled from an Azure Container Registry. |
Azure Monitor APIs * | 443 | *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, *.monitoring.azure.com | Outbound | Azure Data Studio and Azure CLI connect to the Azure Resource Manager APIs to send and retrieve data to and from Azure for some features. See Azure Monitor APIs. |
Azure Arc data processing service * | 443 | san-af-<region>-prod.azurewebsites.net | Outbound | |
* Requirement depends on deployment mode:
- For direct mode, the controller pod on the Kubernetes cluster needs outbound connectivity to the endpoints to send the logs, metrics, inventory, and billing information to Azure Monitor/Data Processing Service.
- For indirect mode, the machine that runs az arcdata dc upload needs outbound connectivity to Azure Monitor and Data Processing Service.
Azure Monitor APIs
Connectivity from Azure Data Studio to the Kubernetes API server uses the Kubernetes authentication and encryption that you have established. Each user of Azure Data Studio or the CLI must have an authenticated connection to the Kubernetes API to perform many of the actions related to Azure Arc-enabled data services.
For more information, see Connectivity modes and requirements.
Azure Arc-enabled servers
Connectivity to Arc-enabled server endpoints is required for:
- SQL Server enabled by Azure Arc
- Azure Arc-enabled VMware vSphere (preview) *
- Azure Arc-enabled System Center Virtual Machine Manager (preview) *
- Azure Arc-enabled Azure Stack (HCI) (preview) *
* Only required when guest management is enabled.
Azure Arc-enabled server endpoints are required for all server based Arc offerings.
Networking configuration
The Azure Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. By default, the agent uses the default route to the internet to reach Azure services. You can optionally configure the agent to use a proxy server if your network requires it. Proxy servers don't make the Connected Machine agent more secure because the traffic is already encrypted.
To further secure your network connectivity to Azure Arc, instead of using public networks and proxy servers, you can implement an Azure Arc Private Link Scope.
Note
Azure Arc-enabled servers does not support using a Log Analytics gateway as a proxy for the Connected Machine agent.
If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs and Service Tags listed below are not blocked.
Service tags
Be sure to allow access to the following Service Tags:
- AzureActiveDirectory
- AzureTrafficManager
- AzureResourceManager
- AzureArcInfrastructure
- Storage
- WindowsAdminCenter (if using Windows Admin Center to manage Arc-enabled servers)
For a list of IP addresses for each service tag/region, see the JSON file Azure IP Ranges and Service Tags – Public Cloud. Microsoft publishes weekly updates containing each Azure service and the IP ranges it uses. The information in the JSON file is the current point-in-time list of the IP ranges that correspond to each service tag, and the IP addresses are subject to change. If IP address ranges are required for your firewall configuration, use the AzureCloud Service Tag to allow access to all Azure services. Don't disable security monitoring or inspection of these URLs; allow them as you would other Internet traffic.
For more information, see Virtual network service tags.
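The weekly JSON file is large and changes every release, so a firewall administrator normally scripts the extraction. The script below is an added example (not from the article or from Microsoft): it pulls the address prefixes for the service tags listed above out of the file, prefers a regional entry when a region is given, and reports any required tag the file no longer contains. SAMPLE_DOC is a constructed stand-in built from RFC 5737 documentation ranges, not real Azure addresses.

```python
"""List the address prefixes behind the service tags this article requires,
read from the Azure IP Ranges and Service Tags (Public Cloud) JSON file.

Added example, not part of the article. The layout (top-level "values", each
with "name" and "properties" -> "region"/"addressPrefixes") is the published
file's; SAMPLE_DOC is a constructed stand-in using RFC 5737 documentation ranges.
"""
import json
import sys

# Service tags the Connected Machine agent needs, from the article.
ARC_SERVER_TAGS = ["AzureActiveDirectory", "AzureTrafficManager",
                   "AzureResourceManager", "AzureArcInfrastructure", "Storage"]

# Constructed stand-in for the weekly download: global tags have region "",
# regional tags are named "<Tag>.<Region>" with the region filled in.
SAMPLE_DOC = {"cloud": "Public", "values": [
    {"name": "AzureArcInfrastructure", "properties": {"region": "", "addressPrefixes": ["192.0.2.0/24"]}},
    {"name": "Storage", "properties": {"region": "", "addressPrefixes": ["198.51.100.128/25", "198.51.100.0/25"]}},
    {"name": "Storage.EastUS2", "properties": {"region": "eastus2", "addressPrefixes": ["198.51.100.128/25"]}},
    {"name": "Sql", "properties": {"region": "", "addressPrefixes": ["203.0.113.0/24"]}},
]}


def prefixes_for_tags(doc, tags, region=None):
    """Return {tag: sorted prefixes}. With a region, prefer that tag's regional
    entry (a narrower allow rule) and fall back to the global entry; tags absent
    from the file are omitted so the caller can flag them (see missing_tags)."""
    values = doc["values"]
    result = {}
    for tag in tags:
        chosen = None
        if region:
            chosen = next((v for v in values if v["name"].startswith(tag + ".")
                           and v["properties"].get("region", "").lower() == region.lower()), None)
        if chosen is None:
            chosen = next((v for v in values if v["name"] == tag), None)
        if chosen is not None:
            result[tag] = sorted(chosen["properties"]["addressPrefixes"])
    return result


def missing_tags(doc, tags):
    """Required tags with no entry in the file: a renamed tag or a stale download."""
    names = {v["name"] for v in doc["values"]}
    return [t for t in tags if t not in names]


if __name__ == "__main__":
    # Usage: python this_script.py [ServiceTags_Public.json] [region-segment]
    doc = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_DOC
    region = sys.argv[2] if len(sys.argv) > 2 else None
    for tag, prefixes in prefixes_for_tags(doc, ARC_SERVER_TAGS, region).items():
        print(f"{tag}: {', '.join(prefixes)}")
    print("not in file:", ", ".join(missing_tags(doc, ARC_SERVER_TAGS)) or "none")
```

Because a tag missing from the file is reported rather than silently skipped, a run against a freshly downloaded file also tells you when a tag this article names has been renamed or split.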
URLs
The table below lists the URLs that must be available in order to install and use the Connected Machine agent.
Note
When configuring the Azure Connected Machine agent to communicate with Azure through a private link, some endpoints must still be accessed through the internet. The Endpoint used with private link column in the following table shows which endpoints can be configured with a private endpoint. If the column shows Public for an endpoint, you must still allow access to that endpoint through your organization's firewall and/or proxy server for the agent to function.
Agent resource | Description | When required | Endpoint used with private link |
---|---|---|---|
aka.ms | Used to resolve the download script during installation | At installation time, only | Public |
download.microsoft.com | Used to download the Windows installation package | At installation time, only | Public |
packages.microsoft.com | Used to download the Linux installation package | At installation time, only | Public |
login.windows.net | Microsoft Entra ID | Always | Public |
login.microsoftonline.com | Microsoft Entra ID | Always | Public |
pas.windows.net | Microsoft Entra ID | Always | Public |
management.azure.com | Azure Resource Manager - to create or delete the Arc server resource | When connecting or disconnecting a server, only | Public, unless a resource management private link is also configured |
*.his.arc.azure.com | Metadata and hybrid identity services | Always | Private |
*.guestconfiguration.azure.com | Extension management and guest configuration services | Always | Private |
guestnotificationservice.azure.com, *.guestnotificationservice.azure.com | Notification service for extension and connectivity scenarios | Always | Public |
azgn*.servicebus.windows.net | Notification service for extension and connectivity scenarios | Always | Public |
*.servicebus.windows.net | For Windows Admin Center and SSH scenarios | If using SSH or Windows Admin Center from Azure | Public |
*.waconazure.com | For Windows Admin Center connectivity | If using Windows Admin Center | Public |
*.blob.core.windows.net | Download source for Azure Arc-enabled servers extensions | Always, except when using private endpoints | Not used when private link is configured |
dc.services.visualstudio.com | Agent telemetry | Optional, not used in agent versions 1.24+ | Public |
san-af-<region>-prod.azurewebsites.net | Azure Arc data processing service | For SQL Server enabled by Azure Arc. The Azure Extension for SQL Server uploads inventory and billing information to the data processing service. | Public |
telemetry.<region>.arcdataservices.com | For Arc SQL Server. Sends service telemetry and performance monitoring to Azure | Always | Public |
microsoft.com/pkiops/certs | Certificate download for ESUs | ESUs enabled by Azure Arc | Public |
Note
To translate the *.servicebus.windows.net wildcard into specific endpoints, use the command GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>. Within this command, the region must be specified for the <region> placeholder.
To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, for the East US 2 region, the region name is eastus2, so san-af-<region>-prod.azurewebsites.net becomes san-af-eastus2-prod.azurewebsites.net in that region.
To see a list of all regions, run one of these commands:
Azure CLI: az account list-locations -o table
PowerShell: Get-AzLocation | Format-Table
Transport Layer Security 1.2 protocol
To ensure the security of data in transit to Azure, we strongly encourage you to configure the machine to use Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable, and while they still currently work to allow backwards compatibility, they are not recommended.
Platform/Language | Support | More Information |
---|---|---|
Linux | Linux distributions tend to rely on OpenSSL for TLS 1.2 support. | Check the OpenSSL Changelog to confirm your version of OpenSSL is supported. |
Windows Server 2012 R2 and higher | Supported, and enabled by default. | To confirm that you are still using the default settings. |
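
The script below is an added example (not part of the article or of the Connected Machine agent) that puts the region rule from the note above and the TLS guidance together: it substitutes the region segment into the agent URL table, then probes each fixed host over HTTPS with certificate and hostname verification and TLS 1.2 as the minimum version, while wildcard entries are listed for resolution through the guestnotificationservice allowlist API rather than probed. The default region "East US 2" and the 5-second timeout are assumptions.

```python
"""Expand the Connected Machine agent URL table for one region and probe each
fixed host over TLS 1.2+ with certificate verification.

Added example, not part of the article or of the Arc agent. Endpoint list and
region-segment rule come from the article; wildcard entries are reported for
resolution via the guestnotificationservice allowlist API, not probed.
"""
import socket
import ssl

# Agent resources from the article's URL table (dc.services.visualstudio.com
# omitted: optional and unused from agent 1.24). <region> is the article's placeholder.
AGENT_ENDPOINTS = [
    "aka.ms", "download.microsoft.com", "packages.microsoft.com",
    "login.windows.net", "login.microsoftonline.com", "pas.windows.net",
    "management.azure.com", "*.his.arc.azure.com", "*.guestconfiguration.azure.com",
    "guestnotificationservice.azure.com", "*.guestnotificationservice.azure.com",
    "azgn*.servicebus.windows.net", "*.servicebus.windows.net", "*.waconazure.com",
    "*.blob.core.windows.net", "san-af-<region>-prod.azurewebsites.net",
    "telemetry.<region>.arcdataservices.com", "microsoft.com/pkiops/certs",
]

def region_segment(display_name):
    """'East US 2' -> 'eastus2': the article's rule (remove spaces), lower-cased."""
    return display_name.replace(" ", "").lower()

def expand(endpoints, region_display_name):
    """Substitute <region>, keep only the host part, split fixed hosts from wildcards."""
    seg = region_segment(region_display_name)
    fixed, wildcards = [], []
    for entry in endpoints:
        host = entry.replace("<region>", seg).split("/", 1)[0]
        (wildcards if "*" in host else fixed).append(host)
    return fixed, wildcards

def probe_tls(host, port=443, timeout=5):
    """TCP connect, then a TLS handshake with chain and hostname verification and
    TLS 1.2 as the floor (the article's recommendation). Returns (ok, detail)."""
    ctx = ssl.create_default_context()          # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(kv for rdn in tls.getpeercert()["issuer"] for kv in rdn)
                return True, f"{tls.version()} issuer={issuer.get('organizationName')}"
    except OSError as exc:                      # blocked, intercepted, or bad certificate (ssl.SSLError is an OSError)
        return False, str(exc)

if __name__ == "__main__":
    import sys
    fixed, wildcards = expand(AGENT_ENDPOINTS, sys.argv[1] if len(sys.argv) > 1 else "East US 2")
    for host in fixed:
        ok, detail = probe_tls(host)
        print(f"{'OK  ' if ok else 'FAIL'} {host}:443 {detail}")
    for w in wildcards:
        print(f"SKIP {w} (wildcard; resolve via the allowlist API, then probe each host)")
```

A FAIL with a certificate-verification error on a host that is reachable from an unfiltered network usually means a TLS-inspecting proxy is re-signing the traffic, which the agent's own certificate validation will also reject.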
Subset of endpoints for ESU only
If you are using Azure Arc-enabled servers only for the purpose of Extended Security Updates for Windows Server 2012, you can enable the following subset of endpoints:
Agent resource | Description | When required | Endpoint used with private link |
---|---|---|---|
aka.ms | Used to resolve the download script during installation | At installation time, only | Public |
download.microsoft.com | Used to download the Windows installation package | At installation time, only | Public |
login.windows.net | Microsoft Entra ID | Always | Public |
login.microsoftonline.com | Microsoft Entra ID | Always | Public |
management.azure.com | Azure Resource Manager - to create or delete the Arc server resource | When connecting or disconnecting a server, only | Public, unless a resource management private link is also configured |
*.his.arc.azure.com | Metadata and hybrid identity services | Always | Private |
*.guestconfiguration.azure.com | Extension management and guest configuration services | Always | Private |
microsoft.com/pkiops/certs | Certificate download for ESUs | ESUs enabled by Azure Arc | Public |
For more information, see Connected Machine agent network requirements.
Azure Arc resource bridge
This section describes additional networking requirements specific to deploying Azure Arc resource bridge in your enterprise. These requirements also apply to Azure Arc-enabled VMware vSphere (preview) and Azure Arc-enabled System Center Virtual Machine Manager (preview).
Outbound connectivity
The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.
Firewall/Proxy URL allowlist
Note
To configure SSL proxy and to view the exclusion list for no proxy, see Additional network requirements.
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Used when downloading product catalog, product bits, and OS images from SFS. |
Resource bridge (appliance) Dataplane service | 443 | https://*.dp.prod.appliances.azure.com | Appliance VM IPs need outbound connection. | Communicate with resource provider in Azure. |
Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, https://ecpacr.azurecr.io | Appliance VM IPs need outbound connection. | Required to pull container images. |
Managed Identity | 443 | *.his.arc.azure.com | Appliance VM IPs need outbound connection. | Required to pull system-assigned Managed Identity certificates. |
Resource bridge (appliance) image download | 80 | msk8s.b.tlu.dl.delivery.mp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Only needed for Arc Appliance CLI extension version 0.2.32 and below. Download the Arc Resource Bridge OS images. |
Resource bridge (appliance) image download | 443 | msk8s.sb.tlu.dl.delivery.mp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download the Arc Resource Bridge OS images. |
Azure Arc for Kubernetes container image download | 443 | https://azurearcfork8s.azurecr.io | Appliance VM IPs need outbound connection. | Required to pull container images. |
ADHS telemetry service | 443 | adhs.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Used periodically to send Microsoft required diagnostic data and telemetry from within the appliance VM. |
Microsoft events data service | 443 | v20.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Used periodically to send Microsoft required diagnostic data from the Azure Stack HCI or Windows Server host. Used when telemetry is coming off Windows, such as Windows Server or HCI. |
Log collection for Arc Resource Bridge | 443 | linuxgeneva-microsoft.azurecr.io | Appliance VM IPs need outbound connection. | Push logs for Appliance managed components. |
Azure Arc for Kubernetes container image download | 443 | https://azurearcfork8sdev.azurecr.io | Appliance VM IPs need outbound connection. | Pull container images. |
Resource bridge components download | 443 | kvamanagementoperator.azurecr.io | Appliance VM IPs need outbound connection. | Pull artifacts for Appliance managed components. |
Microsoft Container Registry | 443 | https://mcr.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download container images for Arc Resource Bridge. |
Microsoft open source packages manager | 443 | packages.microsoft.com | Appliance VM IPs need outbound connection. | Download Linux installation package. |
Custom Locations | 443 | sts.windows.net | Appliance VM IPs need outbound connection. | Required for use by the Custom Locations cluster extension. |
Python package | 443 | *.pypi.org | Management machine needs outbound connection. | Validate Kubernetes and Python versions. |
Azure CLI | 443 | *.pythonhosted.org | Management machine needs outbound connection. | Python packages for Azure CLI installation. |
Diagnostic data | 443 | gcs.prod.monitoring.core.windows.net | Appliance VM IPs need outbound connection. | Used periodically to send Microsoft required diagnostic data from control plane nodes. |
For more information, see Azure Arc resource bridge network requirements.
Azure Arc-enabled System Center Virtual Machine Manager
Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) also requires:
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
SCVMM management Server | 443 | URL of the SCVMM management server | Appliance VM IP and control plane endpoint need outbound connection. | Used by the SCVMM server to communicate with the Appliance VM and the control plane. |
For more information, see Overview of Arc-enabled System Center Virtual Machine Manager (preview).
Azure Arc-enabled VMware vSphere
Azure Arc-enabled VMware vSphere also requires:
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
vCenter Server | 443 | URL of the vCenter server | Appliance VM IP and control plane endpoint need outbound connection. | Used by the vCenter server to communicate with the Appliance VM and the control plane. |
For more information, see Support matrix for Azure Arc-enabled VMware vSphere.
Additional endpoints
Depending on your scenario, you might need connectivity to other URLs, such as those used by the Azure portal, management tools, or other Azure services. In particular, review these lists to ensure that you allow connectivity to any necessary endpoints: