Azure Arc resource bridge (preview) network requirements
This article describes the networking requirements for deploying Azure Arc resource bridge (preview) in your enterprise.
Configuration requirements
Static Configuration
Static configuration is recommended for Arc resource bridge because the resource bridge needs three static IPs in the same subnet for the control plane, appliance VM, and reserved appliance VM (for upgrade). The control plane corresponds to the controlplanenedpoint parameter, the appliance VM IP to k8snodeippoolstart, and reserved appliance VM to k8snodeippoolend in the createconfig command that creates the bridge configuration files. If using DHCP, reserve those IP addresses, ensuring they are outside the DHCP range.
IP Address Prefix
The subnet of the IP addresses for Arc resource bridge must lie in the IP address prefix that is passed in the ipaddressprefix parameter of the createconfig command. The IP address prefix is the IP prefix that is exposed by the network to which Arc resource bridge is connected. It is entered as the subnet's IP address range for the virtual network and subnet mask (IP Mask) in CIDR notation, for example 192.168.7.1/24. Consult your system or network administrator to obtain the IP address prefix in CIDR notation. An IP Subnet CIDR calculator may be used to obtain this value.
DNS Server
DNS Server must have internal and external endpoint resolution. The appliance VM and control plane need to resolve the management machine and vice versa. All three must be able to reach the required URLs for deployment.
General network requirements
Generally, connectivity requirements include these principles:
- All connections are TCP unless otherwise specified.
- All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
- All connections are outbound unless otherwise specified.
To use a proxy, verify that the agents meet the network requirements in this article.
Outbound connectivity
The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.
Firewall/Proxy URL allowlist
Note
To configure SSL proxy and to view the exclusion list for no proxy, see Additional network requirements.
| Service | Port | URL | Direction | Notes |
|---|---|---|---|---|
| SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com |
Management machine, Appliance VM IPs and Control Plane IP need outbound connection. | Used when downloading product catalog, product bits, and OS images from SFS. |
| Resource bridge (appliance) Dataplane service | 443 | https://*.dp.prod.appliances.azure.com |
Appliance VMs IP and Control Plane IP need outbound connection. | Communicate with resource provider in Azure. |
| Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, https://ecpacr.azurecr.io |
Appliance VM IPs and Control Plane IP need outbound connection. | Required to pull container images. |
| Resource bridge (appliance) image download | 80 | msk8s.b.tlu.dl.delivery.mp.microsoft.com |
Management machine, Appliance VM IPs and Control Plane IP need outbound connection. | Download the Arc Resource Bridge OS images. |
| Resource bridge (appliance) image download | 443 | msk8s.sb.tlu.dl.delivery.mp.microsoft.com |
Management machine, Appliance VM IPs and Control Plane IP need outbound connection. | Download the Arc Resource Bridge OS images. |
| Azure Arc for Kubernetes container image download | 443 | https://azurearcfork8s.azurecr.io |
Appliance VM IPs and Control Plane IP need outbound connection. | Required to pull container images. |
| ADHS telemetry service | 443 | adhs.events.data.microsoft.com |
Appliance VM IPs and Control Plane IP need outbound connection. | Runs inside the appliance/mariner OS. Used periodically to send Microsoft required diagnostic data from control plane nodes. Used when telemetry is coming off Mariner, which would mean any Kubernetes control plane. |
| Microsoft events data service | 443 | v20.events.data.microsoft.com |
Appliance VM IPs and Control Plane IP need outbound connection. | Used periodically to send Microsoft required diagnostic data from the Azure Stack HCI or Windows Server host. Used when telemetry is coming off Windows like Windows Server or HCI. |
| Log collection for Arc Resource Bridge | 443 | linuxgeneva-microsoft.azurecr.io |
Appliance VM IPs and Control Plane IP need outbound connection. | Push logs for Appliance managed components. |
| Resource bridge components download | 443 | kvamanagementoperator.azurecr.io |
Appliance VM IPs and Control Plane IP need outbound connection. | Required to pull artifacts for Appliance managed components. |
| Microsoft Container Registry | 443 | https://mcr.microsoft.com |
Management machine, Appliance VM IPs and Control Plane IP need outbound connection. | Download container images for Arc Resource Bridge. |
| Microsoft open source packages manager | 443 | packages.microsoft.com |
Appliance VM IPs need outbound connection. | Download Linux installation package. |
| Custom Locations | 443 | sts.windows.net |
Appliance VM IPs and Control Plane IP need outbound connection. | Required for use by the Custom Locations cluster extension. |
| Python package | 443 | *.pypi.org |
Management machine needs outbound connection. | Validate Kubernetes and Python versions. |
| Azure CLI | 443 | *.pythonhosted.org |
Management machine needs outbound connection. | Python packages for Azure CLI installation. |
| Diagnostic data | 443 | gcs.prod.monitoring.core.windows.net |
Appliance VM IPs need outbound connection. | Used periodically to send Microsoft required diagnostic data from control plane nodes. |
Additional network requirements
In addition, resource bridge (preview) requires connectivity to the Arc-enabled Kubernetes endpoints.
Note
The URLs listed here are required for Arc resource bridge only. Other Arc products (such as Arc-enabled VMware vSphere) may have additional required URLs. For details, see Azure Arc network requirements.
SSL proxy configuration
If using a proxy, Arc resource bridge must be configured for proxy so that it can connect to the Azure services. To configure the Arc resource bridge with proxy, provide the proxy certificate file path during creation of the configuration files. Only pass the single proxy certificate. If a certificate bundle is passed then the deployment will fail. The proxy server endpoint can't be a .local domain. Proxy configuration of the management machine isn't configured by Arc resource bridge.
There are only two certificates that should be relevant when deploying the Arc resource bridge behind an SSL proxy: the SSL certificate for your SSL proxy (so that the managment machine and on-premises appliance VM trust your proxy FQDN and can establish an SSL connection to it), and the SSL certificate of the Microsoft download servers. This certificate must be trusted by your proxy server itself, as the proxy is the one establishing the final connection and needs to trust the endpoint. Non-Windows machines may not trust this second certificate by default, so you may need to ensure that it's trusted.
In order to deploy Arc resource bridge, images need to be downloaded to the management machine and then uploaded to the on-premises private cloud gallery. If your proxy server throttles download speed, this may impact your ability to download the required images (~3 GB) within the alotted time (90 min).
Exclusion list for no proxy
The following table contains the list of addresses that must be excluded by using the -noProxy parameter in the createconfig command.
| IP Address | Reason for exclusion |
|---|---|
| localhost, 127.0.0.1 | Localhost traffic |
| .svc | Internal Kubernetes service traffic (.svc) where .svc represents a wildcard name. This is similar to saying *.svc, but none is used in this schema. |
| 10.0.0.0/8 | private network address space |
| 172.16.0.0/12 | Private network address space - Kubernetes Service CIDR |
| 192.168.0.0/16 | Private network address space - Kubernetes Pod CIDR |
| .contoso.com | You may want to exempt your enterprise namespace (.contoso.com) from being directed through the proxy. To exclude all addresses in a domain, you must add the domain to the noProxy list. Use a leading period rather than a wildcard (*) character. In the sample, the addresses .contoso.com excludes addresses prefix1.contoso.com, prefix2.contoso.com, and so on. |
The default value for noProxy is localhost,127.0.0.1,.svc,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16. While these default values will work for many networks, you may need to add more subnet ranges and/or names to the exemption list. For example, you may want to exempt your enterprise namespace (.contoso.com) from being directed through the proxy. You can achieve that by specifying the values in the noProxy list.
Next steps
- Review the Azure Arc resource bridge (preview) overview to understand more about requirements and technical details.
- Learn about security configuration and considerations for Azure Arc resource bridge (preview).
Feedback
Submit and view feedback for