Azure Arc resource bridge security overview
This article describes the security configuration and considerations you should evaluate before deploying Azure Arc resource bridge in your enterprise.
Using a managed identity
By default, a Microsoft Entra system-assigned managed identity is created and assigned to the Azure Arc resource bridge. Azure Arc resource bridge currently supports only a system-assigned identity. The clusteridentityoperator identity initiates the first outbound communication and fetches the Managed Service Identity (MSI) certificate used by other agents for communication with Azure.
Identity and access control
Azure Arc resource bridge is represented as a resource in a resource group inside an Azure subscription. Access to this resource is controlled by standard Azure role-based access control. From the Access Control (IAM) page in the Azure portal, you can verify who has access to your Azure Arc resource bridge.
Users and applications who are granted the Contributor or Administrator role to the resource group can make changes to the resource bridge, including deploying or deleting cluster extensions.
Data residency
Azure Arc resource bridge follows data residency regulations specific to each region. If applicable, data is backed up in a secondary pair region in accordance with data residency regulations. Otherwise, data resides only in that specific region. Data isn't stored or processed across different geographies.
Data encryption at rest
Azure Arc resource bridge stores resource information in Azure Cosmos DB. As described in Encryption at rest in Azure Cosmos DB, all the data is encrypted at rest.
Security audit logs
The activity log is an Azure platform log that provides insight into subscription-level events. This includes tracking when the Azure Arc resource bridge is modified, deleted, or added. You can view the activity log in the Azure portal or retrieve entries with PowerShell and Azure CLI. By default, activity log events are retained for 90 days and then deleted.
Next steps
- Understand system requirements and network requirements for Azure Arc resource bridge.
- Review the Azure Arc resource bridge overview to understand more about features and benefits.
- Learn more about Azure Arc.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for