Azure Arc resource bridge system requirements

This article describes the system requirements for deploying Azure Arc resource bridge.

Arc resource bridge is used with other partner products, such as Azure Stack HCI, Arc-enabled VMware vSphere, and Arc-enabled System Center Virtual Machine Manager (SCVMM). These products may have additional requirements.

Required Azure permissions

  • To onboard Arc resource bridge, you must have the Contributor role for the resource group.

  • To read, modify, and delete Arc resource bridge, you must have the Contributor role for the resource group.

Management tool requirements

Azure CLI is required to deploy the Azure Arc resource bridge on supported private cloud environments.

If deploying Arc resource bridge on VMware, the 64-bit Azure CLI must be installed on the management machine to run the deployment commands.

If deploying on Azure Stack HCI, the 32-bit Azure CLI should be installed on the management machine instead.

The Arc Appliance CLI extension, arcappliance, must be installed into Azure CLI. This can be done by running: az extension add --name arcappliance

Minimum resource requirements

Arc resource bridge has the following minimum resource requirements:

  • 50 GB disk space
  • 4 vCPUs
  • 8 GB memory

These minimum requirements enable most scenarios. However, a partner product may support a larger number of resources connected through Arc resource bridge, which raises the bridge's resource requirements. Failure to provide sufficient resources may cause errors during deployment, such as disk copy errors. Review the partner product's documentation for specific resource requirements.

IP address prefix (subnet) requirements

The IP address prefix (subnet) where Arc resource bridge will be deployed requires a minimum prefix of /29. The IP address prefix must have enough available IP addresses for the gateway IP, control plane IP, appliance VM IP, and reserved appliance VM IP. Work with your network engineer to ensure that there is an available subnet with the required available IP addresses and IP address prefix for Arc resource bridge.

The IP address prefix is the subnet's IP address range for the virtual network and subnet mask (IP Mask) in CIDR notation, for example 192.168.7.0/24 (the network address followed by the prefix length). You provide the IP address prefix (in CIDR notation) during the creation of the configuration files for Arc resource bridge.

Consult your network engineer to obtain the IP address prefix in CIDR notation. An IP Subnet CIDR calculator may be used to obtain this value.

Static IP configuration

If deploying Arc resource bridge to a production environment, static IP configuration must be used. Static IP configuration assigns three static IPs (all in the same subnet) to the Arc resource bridge control plane, appliance VM, and reserved appliance VM.

DHCP is supported only in a test environment, for VM management on Azure Stack HCI, and it should not be used in a production environment. DHCP isn't supported on any other Arc-enabled private cloud, including Arc-enabled VMware, Arc for AVS, or Arc-enabled SCVMM. If using DHCP, you must reserve the IP addresses used by the control plane and appliance VM, and these IPs must be outside of the assignable DHCP range. For example, the control plane IP should be treated as a reserved/static IP that no other machine on the network will use or receive from DHCP. If the control plane IP or appliance VM IP changes (for example, due to an outage), resource bridge availability and functionality are affected.

Management machine requirements

The machine used to run the commands to deploy and maintain Arc resource bridge is called the management machine.

Management machine requirements:

  • Azure CLI x64 installed (32-bit on Azure Stack HCI; see Management tool requirements above)
  • Open communication to Control Plane IP (controlplaneendpoint parameter in createconfig command)
  • Open communication to Appliance VM IP
  • Open communication to the reserved Appliance VM IP
  • If applicable, communication over port 443 to the private cloud management console (ex: VMware vCenter host machine)
  • Internal and external DNS resolution. The DNS server must resolve internal names, such as the vCenter endpoint for vSphere or cloud agent service endpoint for Azure Stack HCI. The DNS server must also be able to resolve external addresses that are required URLs for deployment.
  • Internet access
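The following Python script is an added example, not part of Azure CLI or the arcappliance extension, that turns the management machine requirements above into a pre-flight check: it resolves the internal and external names the machine must reach and attempts a TCP connection to each endpoint. Port 443 to vCenter is stated on this page; the ports used for the control plane (6443) and the appliance VMs (22) in the sample invocation are assumptions, as is management.azure.com standing in for the required external URLs, and all hostnames and addresses in the sample are constructed.

```python
import socket

# Added reachability check for the management machine; not part of the
# arcappliance extension. Ports for the control plane and appliance VM are
# caller-supplied because this page does not list them.


def resolve(name):
    """Return the sorted list of addresses `name` resolves to ([] on failure)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within `timeout` seconds.

    A name that does not resolve also counts as unreachable (gaierror is an
    OSError subclass).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(names, endpoints, timeout=3.0):
    """Run DNS and TCP checks from the management machine.

    names:     hostnames that must resolve (internal, e.g. the vCenter endpoint,
               and external required URLs)
    endpoints: (label, host, port) tuples that must accept a TCP connection
    Returns a dict of failures keyed by check; an empty dict means all passed.
    """
    failures = {}
    for name in names:
        if not resolve(name):
            failures[f"dns:{name}"] = "no resolution"
    for label, host, port in endpoints:
        if not tcp_reachable(host, port, timeout):
            failures[f"tcp:{label}"] = f"{host}:{port} unreachable"
    return failures


if __name__ == "__main__":
    # Constructed sample using the page's example addresses. 443 to vCenter is
    # from the page; 6443 (Kubernetes API) for the control plane, 22 (SSH) for
    # the appliance VMs, and management.azure.com as an external required URL
    # are assumptions, not taken from this page.
    print(preflight(
        names=["vcenter.example.internal", "management.azure.com"],
        endpoints=[("vcenter", "vcenter.example.internal", 443),
                   ("control-plane", "192.168.0.4", 6443),
                   ("appliance-vm", "192.168.0.2", 22),
                   ("reserved-appliance-vm", "192.168.0.3", 22)]))
```

Run it from the management machine before createconfig; every entry in the returned dict is a firewall, proxy, or DNS item to fix first. Because the check only tests TCP connect, a proxy that requires authentication or TLS inspection can still break the deployment, so treat a clean result as necessary rather than sufficient.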

Appliance VM IP address requirements

Arc resource bridge consists of an appliance VM that is deployed on-premises. The appliance VM has visibility into the on-premises infrastructure and can tag on-premises resources (guest management) for projection into Azure Resource Manager (ARM).

The appliance VM is assigned an IP address from the k8snodeippoolstart parameter in the createconfig command; it may be referred to in partner products as Start Range IP, RB IP Start or VM IP 1.

The appliance VM IP is the starting IP address for the appliance VM IP pool range. The VM IP pool range requires a minimum of 2 IP addresses.

Appliance VM IP address requirements:

  • Open communication with the management machine and management endpoint (such as vCenter for VMware or MOC cloud agent service endpoint for Azure Stack HCI).

  • Internet connectivity to required URLs enabled in proxy/firewall.

  • Static IP assigned (strongly recommended)

    • If using DHCP, then the address must be reserved and outside of the assignable DHCP range of IPs. No other machine on the network will use or receive this IP from DHCP. DHCP is generally not recommended because a change in IP address (ex: due to an outage) impacts the resource bridge availability.

  • Must be from within the IP address prefix.

  • Internal and external DNS resolution.

  • If using a proxy, the proxy server has to be reachable from this IP and all IPs within the VM IP pool.

Reserved appliance VM IP requirements

Arc resource bridge reserves an additional IP address to be used for the appliance VM upgrade.

The reserved appliance VM IP is assigned an IP address via the k8snodeippoolend parameter in the az arcappliance createconfig command. This IP address may be referred to as End Range IP, RB IP End, or VM IP 2.

The reserved appliance VM IP is the ending IP address for the appliance VM IP pool range. If specifying an IP pool range larger than two IP addresses, the additional IPs are reserved.

Reserved appliance VM IP requirements:

  • Open communication with the management machine and management endpoint (such as vCenter for VMware or MOC cloud agent service endpoint for Azure Stack HCI).

  • Internet connectivity to required URLs enabled in proxy/firewall.

  • Static IP assigned (strongly recommended)

    • If using DHCP, then the address must be reserved and outside of the assignable DHCP range of IPs. No other machine on the network will use or receive this IP from DHCP. DHCP is generally not recommended because a change in IP address (ex: due to an outage) impacts the resource bridge availability.

  • Must be from within the IP address prefix.

  • Internal and external DNS resolution.

  • If using a proxy, the proxy server has to be reachable from this IP and all IPs within the VM IP pool.

Control plane IP requirements

The appliance VM hosts a management Kubernetes cluster with a control plane that requires a single, static IP address. This IP is assigned from the controlplaneendpoint parameter in the createconfig command or equivalent configuration files creation command.

Control plane IP requirements:

  • Open communication with the management machine.

  • Static IP address assigned; the IP address should be outside the DHCP range but still available on the network segment. This IP address can't be assigned to any other machine on the network.

    • If using DHCP, the control plane IP should be a single reserved IP that is outside of the assignable DHCP range of IPs. No other machine on the network will use or receive this IP from DHCP. DHCP is generally not recommended because a change in IP address (ex: due to an outage) impacts the resource bridge availability.

  • If using a proxy, the proxy server has to be reachable from IPs within the IP address prefix, including the reserved appliance VM IP.

DNS server

DNS server(s) must have internal and external endpoint resolution. The appliance VM and control plane need to resolve the management machine and vice versa. All three IPs must be able to reach the required URLs for deployment.

Gateway

The gateway IP should be an IP from within the subnet designated in the IP address prefix.

Example minimum configuration for static IP deployment

The following example shows valid configuration values that can be passed during configuration file creation for Arc resource bridge. It is strongly recommended to use static IP addresses when deploying Arc resource bridge.

Notice that the IP addresses for the gateway, control plane, appliance VM and DNS server (for internal resolution) are within the IP address prefix. This key detail helps ensure successful deployment of the appliance VM.

IP Address Prefix (CIDR format): 192.168.0.0/29

Gateway (IP format): 192.168.0.1

VM IP Pool Start (IP format): 192.168.0.2

VM IP Pool End (IP format): 192.168.0.3

Control Plane IP (IP format): 192.168.0.4

DNS servers (IP list format): 192.168.0.1, 10.0.0.5, 10.0.0.6
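The following Python validator is an added example, not part of Azure CLI or the arcappliance extension, that applies the subnet rules from the IP address prefix, appliance VM IP, reserved appliance VM IP, control plane IP and gateway sections above to a set of createconfig values, using the example minimum configuration as its sample input. Beyond what the page states explicitly, it treats the gateway, control plane IP and the VM IP pool as required to be distinct (which the page implies by counting them as separate addresses) and rejects a prefix written with host bits set; those two checks are the author's additions.

```python
import ipaddress

# Added pre-flight validator for the values passed to `az arcappliance
# createconfig` (or a partner product's equivalent). Not part of the
# arcappliance extension; it only encodes the subnet rules from this page.


def validate_static_config(prefix, gateway, pool_start, pool_end,
                           control_plane, dns_servers):
    """Return a list of problems; an empty list means the values are consistent.

    prefix         IP address prefix in CIDR notation (minimum /29)
    gateway        gateway IP, inside the prefix
    pool_start     appliance VM IP (k8snodeippoolstart / VM IP Pool Start)
    pool_end       reserved appliance VM IP (k8snodeippoolend / VM IP Pool End)
    control_plane  control plane IP (controlplaneendpoint)
    dns_servers    list of DNS server IPs (may be inside or outside the prefix)
    """
    problems = []
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError as exc:
        return [f"prefix {prefix!r} is not valid CIDR: {exc}"]
    # Author's addition: a prefix like 192.168.7.1/24 has host bits set;
    # the network address form is what CIDR notation means.
    try:
        ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        problems.append(f"prefix {prefix!r} has host bits set; use {net}")
    if net.prefixlen > 29:
        problems.append(f"prefix /{net.prefixlen} is smaller than the /29 minimum")

    addrs = {}
    for name, value in (("gateway", gateway),
                        ("k8snodeippoolstart", pool_start),
                        ("k8snodeippoolend", pool_end),
                        ("controlplaneendpoint", control_plane)):
        try:
            addrs[name] = ipaddress.ip_address(value)
        except ValueError:
            return problems + [f"{name} {value!r} is not a valid IP address"]
        # Every address the bridge uses must be inside the prefix and must
        # not be the network or broadcast address.
        if addrs[name] not in net:
            problems.append(f"{name} {value} is outside {net}")
        elif addrs[name] in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {value} is the network or broadcast address")

    gw, start, end, cp = (addrs["gateway"], addrs["k8snodeippoolstart"],
                          addrs["k8snodeippoolend"], addrs["controlplaneendpoint"])

    # The VM IP pool (appliance VM IP .. reserved appliance VM IP) needs at
    # least two addresses; a larger range just reserves extra IPs.
    if int(end) < int(start):
        problems.append("k8snodeippoolend is before k8snodeippoolstart")
    elif int(end) - int(start) + 1 < 2:
        problems.append("VM IP pool must contain at least 2 addresses")
    pool = range(int(start), int(end) + 1)

    # Author's addition: gateway and control plane must not collide with the
    # pool or with each other.
    if int(gw) in pool:
        problems.append(f"gateway {gw} overlaps the VM IP pool")
    if int(cp) in pool:
        problems.append(f"controlplaneendpoint {cp} overlaps the VM IP pool")
    if cp == gw:
        problems.append("controlplaneendpoint equals the gateway")

    for dns in dns_servers:
        try:
            ipaddress.ip_address(dns)
        except ValueError:
            problems.append(f"dnsservers entry {dns!r} is not an IP address")
    return problems


if __name__ == "__main__":
    # The page's example minimum configuration: expected to validate cleanly.
    print(validate_static_config("192.168.0.0/29", "192.168.0.1",
                                 "192.168.0.2", "192.168.0.3", "192.168.0.4",
                                 ["192.168.0.1", "10.0.0.5", "10.0.0.6"]))
    # Constructed bad input: /30 is too small, the pool has one address and
    # the control plane IP is the broadcast address.
    print(validate_static_config("192.168.0.0/30", "192.168.0.1",
                                 "192.168.0.2", "192.168.0.2", "192.168.0.3",
                                 ["192.168.0.1"]))
```

Run the check on the values before creating the configuration files; an address outside the prefix or an overlapping pool is the kind of mistake that otherwise only surfaces as a failed appliance VM deployment.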

User account and credentials

Arc resource bridge may require a separate user account with the necessary roles to view and manage resources in the on-premises infrastructure (such as Arc-enabled VMware vSphere). If so, the username and password parameters are required during creation of the configuration files. The account credentials are then stored in a configuration file locally within the appliance VM.

Warning

Arc resource bridge can only use a user account that does not have multifactor authentication enabled. If the user account is set to periodically change passwords, the credentials must be immediately updated on the resource bridge. This user account can also be set with a lockout policy to protect the on-premises infrastructure, in case the credentials aren't updated and the resource bridge makes multiple attempts to use expired credentials to access the on-premises control center.

For example, with Arc-enabled VMware, Arc resource bridge needs a separate user account for vCenter with the necessary roles. If the credentials for the user account change, then the credentials stored in Arc resource bridge must be immediately updated by running az arcappliance update-infracredentials from the management machine. Otherwise, the appliance will make repeated attempts to use the expired credentials to access vCenter, which will result in a lockout of the account.

Configuration files

Arc resource bridge consists of an appliance VM that is deployed in the on-premises infrastructure. To maintain the appliance VM, the configuration files generated during deployment must be saved in a secure location and made available on the management machine.

There are several different types of configuration files, based on the on-premises infrastructure.

Appliance configuration files

Three configuration files are created when the createconfig command completes (or the equivalent commands used by Azure Stack HCI): <appliance-name>-resource.yaml, <appliance-name>-appliance.yaml and <appliance-name>-infra.yaml.

By default, these files are generated in the current CLI directory when createconfig completes. These files should be saved in a secure location on the management machine, because they're required for maintaining the appliance VM. Because the configuration files reference each other, all three files must be stored in the same location. If the files are moved from their original location at deployment, open the files to check that the reference paths to the configuration files are accurate.

Kubeconfig

The appliance VM hosts a management Kubernetes cluster. The kubeconfig is a low-privilege Kubernetes configuration file that is used to maintain the appliance VM. By default, it's generated in the current CLI directory when the deploy command completes. The kubeconfig should be saved in a secure location on the management machine, because it's required for maintaining the appliance VM. If the kubeconfig is lost, it can be retrieved by running the az arcappliance get-credentials command.

HCI login configuration file (Azure Stack HCI only)

Arc resource bridge uses a MOC login credential called KVA token (kvatoken.tok) to interact with Azure Stack HCI. The KVA token is generated with the appliance configuration files when deploying Arc resource bridge. This token is also used when collecting logs for Arc resource bridge, so it should be saved in a secure location with the rest of the appliance configuration files. This file is saved in the directory provided during configuration file creation or the default CLI directory.
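The following Python script is an added example, not part of Azure CLI or the arcappliance extension, that checks the configuration artifacts described in the Appliance configuration files, Kubeconfig and HCI login configuration file sections above: that the three <appliance-name> files (plus the kubeconfig and, on Azure Stack HCI, kvatoken.tok) are present in one directory, that they are not readable by other users on a POSIX management machine, and that any file path one of them records still resolves after a move. The files' YAML schema is not assumed; any token ending in .yaml, .yml or .tok is treated as a file reference. The sample bundle it writes is constructed, and its keys (applianceFile, infraFile, provider) are placeholders, not the real schema.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Added integrity check for the Arc resource bridge configuration files; not
# part of the arcappliance extension.

SUFFIXES = ("-resource.yaml", "-appliance.yaml", "-infra.yaml")
# Any token ending in .yaml/.yml/.tok is treated as a file reference; the
# files' real schema is not assumed.
REF_RE = re.compile(r"[\w./\\:-]+\.(?:yaml|yml|tok)\b")


def check_config_bundle(appliance_name, directory, kubeconfig="kubeconfig",
                        expect_kvatoken=False):
    """Return a list of findings; an empty list means the bundle looks intact.

    kubeconfig       file name of the kubeconfig written by `deploy`, or None
                     to skip (it can be regenerated with get-credentials)
    expect_kvatoken  True on Azure Stack HCI, where kvatoken.tok must be kept
                     with the other files
    """
    d = Path(directory)
    findings = []
    members = [f"{appliance_name}{s}" for s in SUFFIXES]
    if expect_kvatoken:
        members.append("kvatoken.tok")
    if kubeconfig:
        members.append(kubeconfig)

    for name in members:
        p = d / name
        if not p.is_file():
            findings.append(f"missing {p}")
        elif os.name == "posix":
            # These files hold infrastructure credentials and cluster access;
            # anything beyond owner access is a finding.
            mode = stat.S_IMODE(p.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{p} is accessible to group/others (mode {mode:o})")

    # The three appliance files reference each other; after a move the
    # recorded paths may still point at the old location.
    for name in members[:3]:
        p = d / name
        if not p.is_file():
            continue
        for ref in REF_RE.findall(p.read_text(errors="replace")):
            target = Path(ref)
            if not target.is_absolute():
                target = d / target
            if not target.exists():
                findings.append(f"{name} references {ref}, which does not exist")
    return findings


def make_sample_bundle(appliance_name, dangling=False):
    """Write a constructed, schema-free stand-in bundle into a fresh temporary
    directory and return its path. With dangling=True the appliance file
    records an absolute path from a previous location, as after a move."""
    d = Path(tempfile.mkdtemp())
    infra_ref = (f"/old/path/{appliance_name}-infra.yaml" if dangling
                 else f"./{appliance_name}-infra.yaml")
    contents = {  # placeholder keys, not the real file schema
        f"{appliance_name}-resource.yaml":
            f"applianceFile: ./{appliance_name}-appliance.yaml\n",
        f"{appliance_name}-appliance.yaml": f"infraFile: {infra_ref}\n",
        f"{appliance_name}-infra.yaml": "provider: sample\n",
    }
    for name, text in contents.items():
        p = d / name
        p.write_text(text)
        if os.name == "posix":
            p.chmod(0o600)
    return d


if __name__ == "__main__":
    print(check_config_bundle("arcbridge", make_sample_bundle("arcbridge"),
                              kubeconfig=None))
    print(check_config_bundle("arcbridge",
                              make_sample_bundle("arcbridge", dangling=True),
                              kubeconfig=None))
```

Point check_config_bundle at the directory you archived the files to before running any maintenance command; a dangling reference or a missing kvatoken.tok is cheaper to find here than during an upgrade or log collection.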

Next steps