Azure Arc network requirements
This article lists the endpoints, ports, and protocols required for Azure Arc-enabled services and features.
Generally, connectivity requirements include these principles:
- All connections are TCP unless otherwise specified.
- All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
- All connections are outbound unless otherwise specified.
To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.
Azure Arc-enabled Kubernetes endpoints
Connectivity to the Arc Kubernetes-based endpoints is required for all Kubernetes-based Arc offerings, including:
- Azure Arc-enabled Kubernetes
- Azure Arc-enabled App services
- Azure Arc-enabled Machine Learning
- Azure Arc-enabled data services (direct connectivity mode only)
Important
Azure Arc agents require the following outbound URLs on https://:443 to function.
For *.servicebus.windows.net, websockets need to be enabled for outbound access on firewall and proxy.
| Endpoint (DNS) | Description |
|---|---|
https://management.azure.com |
Required for the agent to connect to Azure and register the cluster. |
https://<region>.dp.kubernetesconfiguration.azure.com |
Data plane endpoint for the agent to push status and fetch configuration information. |
https://login.microsoftonline.comhttps://<region>.login.microsoft.comlogin.windows.net |
Required to fetch and update Azure Resource Manager tokens. |
https://mcr.microsoft.comhttps://*.data.mcr.microsoft.com |
Required to pull container images for Azure Arc agents. |
https://gbl.his.arc.azure.com |
Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
https://*.his.arc.azure.com |
Required to pull system-assigned Managed Identity certificates. |
https://k8connecthelm.azureedge.net |
az connectedk8s connect uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
guestnotificationservice.azure.com*.guestnotificationservice.azure.comsts.windows.nethttps://k8sconnectcsp.azureedge.net |
For Cluster Connect and for Custom Location based scenarios. |
*.servicebus.windows.net |
For Cluster Connect and for Custom Location based scenarios. |
https://graph.microsoft.com/ |
Required when Azure RBAC is configured. |
*.arc.azure.net |
Required to manage connected clusters in Azure portal. |
https://<region>.obo.arc.azure.com:8084/ |
Required when Cluster Connect is configured. |
dl.k8s.io |
Required when automatic agent upgrade is enabled. |
To translate the *.servicebus.windows.net wildcard into specific endpoints, use the command:
GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>
To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, East US 2 region, the region name is eastus2.
For example: *.<region>.arcdataservices.com should be *.eastus2.arcdataservices.com in the East US 2 region.
To see a list of all regions, run this command:
az account list-locations -o table
Get-AzLocation | Format-Table
For more information, see Azure Arc-enabled Kubernetes network requirements.
Azure Arc-enabled data services
This section describes requirements specific to Azure Arc-enabled data services, in addition to the Arc-enabled Kubernetes endpoints listed above.
| Service | Port | URL | Direction | Notes |
|---|---|---|---|---|
| Helm chart (direct connected mode only) | 443 | arcdataservicesrow1.azurecr.io |
Outbound | Provisions the Azure Arc data controller bootstrapper and cluster level objects, such as custom resource definitions, cluster roles, and cluster role bindings, is pulled from an Azure Container Registry. |
| Azure monitor APIs * | 443 | *.ods.opinsights.azure.com*.oms.opinsights.azure.com*.monitoring.azure.com |
Outbound | Azure Data Studio and Azure CLI connect to the Azure Resource Manager APIs to send and retrieve data to and from Azure for some features. See Azure Monitor APIs. |
| Azure Arc data processing service * | 443 | *.<region>.arcdataservices.com 2 |
Outbound |
1 Requirement depends on deployment mode:
- For direct mode, the controller pod on the Kubernetes cluster needs to have outbound connectivity to the endpoints to send the logs, metrics, inventory, and billing information to Azure Monitor/Data Processing Service.
- For indirect mode, the machine that runs
az arcdata dc uploadneeds to have the outbound connectivity to Azure Monitor and Data Processing Service.
2 For extension versions up to and including February 13, 2024, use san-af-<region>-prod.azurewebsites.net.
Azure Monitor APIs
Connectivity from Azure Data Studio to the Kubernetes API server uses the Kubernetes authentication and encryption that you have established. Each user that is using Azure Data Studio or CLI must have an authenticated connection to the Kubernetes API to perform many of the actions related to Azure Arc-enabled data services.
For more information, see Connectivity modes and requirements.
Azure Arc-enabled servers
Connectivity to Arc-enabled server endpoints is required for:
SQL Server enabled by Azure Arc
Azure Arc-enabled VMware vSphere *
Azure Arc-enabled System Center Virtual Machine Manager *
Azure Arc-enabled Azure Stack (HCI) *
*Only required for guest management enabled.
Azure Arc-enabled server endpoints are required for all server based Arc offerings.
Networking configuration
The Azure Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. By default, the agent uses the default route to the internet to reach Azure services. You can optionally configure the agent to use a proxy server if your network requires it. Proxy servers don't make the Connected Machine agent more secure because the traffic is already encrypted.
To further secure your network connectivity to Azure Arc, instead of using public networks and proxy servers, you can implement an Azure Arc Private Link Scope .
Note
Azure Arc-enabled servers does not support using a Log Analytics gateway as a proxy for the Connected Machine agent. At the same time, Azure Monitor Agent supports Log Analytics gateway.
If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs and Service Tags listed below are not blocked.
Service tags
Be sure to allow access to the following Service Tags:
- AzureActiveDirectory
- AzureTrafficManager
- AzureResourceManager
- AzureArcInfrastructure
- Storage
- WindowsAdminCenter (if using Windows Admin Center to manage Arc-enabled servers)
For a list of IP addresses for each service tag/region, see the JSON file Azure IP Ranges and Service Tags – Public Cloud. Microsoft publishes weekly updates containing each Azure Service and the IP ranges it uses. This information in the JSON file is the current point-in-time list of the IP ranges that correspond to each service tag. The IP addresses are subject to change. If IP address ranges are required for your firewall configuration, then the AzureCloud Service Tag should be used to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs, allow them as you would other Internet traffic.
For more information, see Virtual network service tags.
URLs
The table below lists the URLs that must be available in order to install and use the Connected Machine agent.
Note
When configuring the Azure connected machine agent to communicate with Azure through a private link, some endpoints must still be accessed through the internet. The Endpoint used with private link column in the following table shows which endpoints can be configured with a private endpoint. If the column shows Public for an endpoint, you must still allow access to that endpoint through your organization's firewall and/or proxy server for the agent to function.
| Agent resource | Description | When required | Endpoint used with private link |
|---|---|---|---|
aka.ms |
Used to resolve the download script during installation | At installation time, only | Public |
download.microsoft.com |
Used to download the Windows installation package | At installation time, only | Public |
packages.microsoft.com |
Used to download the Linux installation package | At installation time, only | Public |
login.windows.net |
Microsoft Entra ID | Always | Public |
login.microsoftonline.com |
Microsoft Entra ID | Always | Public |
pas.windows.net |
Microsoft Entra ID | Always | Public |
management.azure.com |
Azure Resource Manager - to create or delete the Arc server resource | When connecting or disconnecting a server, only | Public, unless a resource management private link is also configured |
*.his.arc.azure.com |
Metadata and hybrid identity services | Always | Private |
*.guestconfiguration.azure.com |
Extension management and guest configuration services | Always | Private |
guestnotificationservice.azure.com, *.guestnotificationservice.azure.com |
Notification service for extension and connectivity scenarios | Always | Public |
azgn*.servicebus.windows.net |
Notification service for extension and connectivity scenarios | Always | Public |
*.servicebus.windows.net |
For Windows Admin Center and SSH scenarios | If using SSH or Windows Admin Center from Azure | Public |
*.waconazure.com |
For Windows Admin Center connectivity | If using Windows Admin Center | Public |
*.blob.core.windows.net |
Download source for Azure Arc-enabled servers extensions | Always, except when using private endpoints | Not used when private link is configured |
dc.services.visualstudio.com |
Agent telemetry | Optional, not used in agent versions 1.24+ | Public |
*.<region>.arcdataservices.com 1 |
For Arc SQL Server. Sends data processing service, service telemetry, and performance monitoring to Azure. Allows TLS 1.3. | Always | Public |
www.microsoft.com/pkiops/certs |
Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443) | If using ESUs enabled by Azure Arc. Required always for automatic updates, or temporarily if downloading certificates manually. | Public |
1 For extension versions up to and including February 13, 2024, use san-af-<region>-prod.azurewebsites.net. Beginning with March 12, 2024 both Azure Arc data processing, and Azure Arc data telemetry use *.<region>.arcdataservices.com.
Note
To translate the *.servicebus.windows.net wildcard into specific endpoints, use the command \GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>. Within this command, the region must be specified for the <region> placeholder.
To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, East US 2 region, the region name is eastus2.
For example: *.<region>.arcdataservices.com should be *.eastus2.arcdataservices.com in the East US 2 region.
To see a list of all regions, run this command:
az account list-locations -o table
Get-AzLocation | Format-Table
Transport Layer Security 1.2 protocol
To ensure the security of data in transit to Azure, we strongly encourage you to configure machine to use Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and while they still currently work to allow backwards compatibility, they are not recommended.
| Platform/Language | Support | More Information |
|---|---|---|
| Linux | Linux distributions tend to rely on OpenSSL for TLS 1.2 support. | Check the OpenSSL Changelog to confirm your version of OpenSSL is supported. |
| Windows Server 2012 R2 and higher | Supported, and enabled by default. | To confirm that you are still using the default settings. |
Subset of endpoints for ESU only
If you're using Azure Arc-enabled servers only for Extended Security Updates for either or both of the following products:
- Windows Server 2012
- SQL Server 2012
You can enable the following subset of endpoints:
| Agent resource | Description | When required | Endpoint used with private link |
|---|---|---|---|
aka.ms |
Used to resolve the download script during installation | At installation time, only | Public |
download.microsoft.com |
Used to download the Windows installation package | At installation time, only | Public |
login.windows.net |
Microsoft Entra ID | Always | Public |
login.microsoftonline.com |
Microsoft Entra ID | Always | Public |
management.azure.com |
Azure Resource Manager - to create or delete the Arc server resource | When connecting or disconnecting a server, only | Public, unless a resource management private link is also configured |
*.his.arc.azure.com |
Metadata and hybrid identity services | Always | Private |
*.guestconfiguration.azure.com |
Extension management and guest configuration services | Always | Private |
www.microsoft.com/pkiops/certs |
Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443) | Always for automatic updates, or temporarily if downloading certificates manually. | Public |
*.<region>.arcdataservices.com |
Azure Arc data processing service and service telemetry. | SQL Server ESUs | Public |
For more information, see Connected Machine agent network requirements.
Azure Arc resource bridge
This section describes additional networking requirements specific to deploying Azure Arc resource bridge in your enterprise. These requirements also apply to Azure Arc-enabled VMware vSphere and Azure Arc-enabled System Center Virtual Machine Manager.
Outbound connectivity
The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.
Firewall/Proxy URL allowlist
| Service | Port | URL | Direction | Notes |
|---|---|---|---|---|
| SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com |
Management machine & Appliance VM IPs need outbound connection. | Download product catalog, product bits, and OS images from SFS. |
| Resource bridge (appliance) image download | 443 | msk8s.sb.tlu.dl.delivery.mp.microsoft.com |
Management machine & Appliance VM IPs need outbound connection. | Download the Arc Resource Bridge OS images. |
| Microsoft Container Registry | 443 | mcr.microsoft.com |
Management machine & Appliance VM IPs need outbound connection. | Download container images for Arc Resource Bridge. |
| Windows NTP Server | 123 | time.windows.com |
Management machine & Appliance VM IPs (if Hyper-V default is Windows NTP) need outbound connection on UDP | OS time sync in appliance VM & Management machine (Windows NTP). |
| Azure Resource Manager | 443 | management.azure.com |
Management machine & Appliance VM IPs need outbound connection. | Manage resources in Azure. |
| Microsoft Graph | 443 | graph.microsoft.com |
Management machine & Appliance VM IPs need outbound connection. | Required for Azure RBAC. |
| Azure Resource Manager | 443 | login.microsoftonline.com |
Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
| Azure Resource Manager | 443 | *.login.microsoft.com |
Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
| Azure Resource Manager | 443 | login.windows.net |
Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
| Resource bridge (appliance) Dataplane service | 443 | *.dp.prod.appliances.azure.com |
Appliance VMs IP need outbound connection. | Communicate with resource provider in Azure. |
| Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, ecpacr.azurecr.io |
Appliance VM IPs need outbound connection. | Required to pull container images. |
| Managed Identity | 443 | *.his.arc.azure.com |
Appliance VM IPs need outbound connection. | Required to pull system-assigned Managed Identity certificates. |
| Azure Arc for Kubernetes container image download | 443 | azurearcfork8s.azurecr.io |
Appliance VM IPs need outbound connection. | Pull container images. |
| Azure Arc agent | 443 | k8connecthelm.azureedge.net |
Appliance VM IPs need outbound connection. | deploy Azure Arc agent. |
| ADHS telemetry service | 443 | adhs.events.data.microsoft.com |
Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data from appliance VM. |
| Microsoft events data service | 443 | v20.events.data.microsoft.com |
Appliance VM IPs need outbound connection. | Send diagnostic data from Windows. |
| Log collection for Arc Resource Bridge | 443 | linuxgeneva-microsoft.azurecr.io |
Appliance VM IPs need outbound connection. | Push logs for Appliance managed components. |
| Resource bridge components download | 443 | kvamanagementoperator.azurecr.io |
Appliance VM IPs need outbound connection. | Pull artifacts for Appliance managed components. |
| Microsoft open source packages manager | 443 | packages.microsoft.com |
Appliance VM IPs need outbound connection. | Download Linux installation package. |
| Custom Location | 443 | sts.windows.net |
Appliance VM IPs need outbound connection. | Required for Custom Location. |
| Azure Arc | 443 | guestnotificationservice.azure.com |
Appliance VM IPs need outbound connection. | Required for Azure Arc. |
| Custom Location | 443 | k8sconnectcsp.azureedge.net |
Appliance VM IPs need outbound connection. | Required for Custom Location. |
| Diagnostic data | 443 | gcs.prod.monitoring.core.windows.net |
Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
| Diagnostic data | 443 | *.prod.microsoftmetrics.com |
Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
| Diagnostic data | 443 | *.prod.hot.ingest.monitor.core.windows.net |
Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
| Diagnostic data | 443 | *.prod.warm.ingest.monitor.core.windows.net |
Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
| Azure portal | 443 | *.arc.azure.net |
Appliance VM IPs need outbound connection. | Manage cluster from Azure portal. |
| Azure CLI & Extension | 443 | *.blob.core.windows.net |
Management machine needs outbound connection. | Download Azure CLI Installer and extension. |
| Azure Arc Agent | 443 | *.dp.kubernetesconfiguration.azure.com |
Management machine needs outbound connection. | Dataplane used for Arc agent. |
| Python package | 443 | pypi.org, *.pypi.org |
Management machine needs outbound connection. | Validate Kubernetes and Python versions. |
| Azure CLI | 443 | pythonhosted.org, *.pythonhosted.org |
Management machine needs outbound connection. | Python packages for Azure CLI installation. |
| SSH | 22 | Arc resource bridge appliance VM IPs |
Management machine needs outbound connection. | Used for troubleshooting the appliance VM. |
| Kubernetes API server | 6443 | Arc resource bridge appliance VM IPs |
Management machine needs outbound connection. | Management of appliance VM. |
For more information, see Azure Arc resource bridge network requirements.
Azure Arc-enabled System Center Virtual Machine Manager
Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) also requires:
| Service | Port | URL | Direction | Notes |
|---|---|---|---|---|
| SCVMM management Server | 443 | URL of the SCVMM management server | Appliance VM IP and control plane endpoint need outbound connection. | Used by the SCVMM server to communicate with the Appliance VM and the control plane. |
For more information, see Overview of Arc-enabled System Center Virtual Machine Manager.
Azure Arc-enabled VMware vSphere
Azure Arc-enabled VMware vSphere also requires:
| Service | Port | URL | Direction | Notes |
|---|---|---|---|---|
| vCenter Server | 443 | URL of the vCenter server | Appliance VM IP and control plane endpoint need outbound connection. | Used to by the vCenter server to communicate with the Appliance VM and the control plane. |
For more information, see Support matrix for Azure Arc-enabled VMware vSphere.
Additional endpoints
Depending on your scenario, you might need connectivity to other URLs, such as those used by the Azure portal, management tools, or other Azure services. In particular, review these lists to ensure that you allow connectivity to any necessary endpoints:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for