Connected Machine agent network requirements

This topic describes the networking requirements for using the Connected Machine agent to onboard a physical server or virtual machine to Azure Arc-enabled servers.

Details

Generally, connectivity requirements include these principles:

  • All connections are TCP unless otherwise specified.
  • All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
  • All connections are outbound unless otherwise specified.

To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.

Azure Arc-enabled server endpoints are required for all server based Arc offerings.

Networking configuration

The Azure Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. By default, the agent uses the default route to the internet to reach Azure services. You can optionally configure the agent to use a proxy server if your network requires it. Proxy servers don't make the Connected Machine agent more secure because the traffic is already encrypted.

To further secure your network connectivity to Azure Arc, instead of using public networks and proxy servers, you can implement an Azure Arc Private Link Scope .

Note

Azure Arc-enabled servers does not support using a Log Analytics gateway as a proxy for the Connected Machine agent. At the same time, Azure Monitor Agent supports Log Analytics gateway.

If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs and Service Tags listed below are not blocked.

Service tags

Be sure to allow access to the following Service Tags:

For a list of IP addresses for each service tag/region, see the JSON file Azure IP Ranges and Service Tags – Public Cloud. Microsoft publishes weekly updates containing each Azure Service and the IP ranges it uses. This information in the JSON file is the current point-in-time list of the IP ranges that correspond to each service tag. The IP addresses are subject to change. If IP address ranges are required for your firewall configuration, then the AzureCloud Service Tag should be used to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs, allow them as you would other Internet traffic.

For more information, see Virtual network service tags.

URLs

The table below lists the URLs that must be available in order to install and use the Connected Machine agent.

Note

When configuring the Azure connected machine agent to communicate with Azure through a private link, some endpoints must still be accessed through the internet. The Endpoint used with private link column in the following table shows which endpoints can be configured with a private endpoint. If the column shows Public for an endpoint, you must still allow access to that endpoint through your organization's firewall and/or proxy server for the agent to function.

Agent resource Description When required Endpoint used with private link
aka.ms Used to resolve the download script during installation At installation time, only Public
download.microsoft.com Used to download the Windows installation package At installation time, only Public
packages.microsoft.com Used to download the Linux installation package At installation time, only Public
login.windows.net Microsoft Entra ID Always Public
login.microsoftonline.com Microsoft Entra ID Always Public
pas.windows.net Microsoft Entra ID Always Public
management.azure.com Azure Resource Manager - to create or delete the Arc server resource When connecting or disconnecting a server, only Public, unless a resource management private link is also configured
*.his.arc.azure.com Metadata and hybrid identity services Always Private
*.guestconfiguration.azure.com Extension management and guest configuration services Always Private
guestnotificationservice.azure.com, *.guestnotificationservice.azure.com Notification service for extension and connectivity scenarios Always Public
azgn*.servicebus.windows.net Notification service for extension and connectivity scenarios Always Public
*.servicebus.windows.net For Windows Admin Center and SSH scenarios If using SSH or Windows Admin Center from Azure Public
*.waconazure.com For Windows Admin Center connectivity If using Windows Admin Center Public
*.blob.core.windows.net Download source for Azure Arc-enabled servers extensions Always, except when using private endpoints Not used when private link is configured
dc.services.visualstudio.com Agent telemetry Optional, not used in agent versions 1.24+ Public
san-af-<region>-prod.azurewebsites.net Azure Arc data processing service

Allows TLS 1.3.
For SQL Server enabled by Azure Arc. The Azure Extension for SQL Server uploads inventory and billing information to the data processing service. Public
telemetry.<region>.arcdataservices.com For Arc SQL Server. Sends service telemetry and performance monitoring to Azure.

Allows TLS 1.3.
Always Public
www.microsoft.com/pkiops/certs Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443) If using ESUs enabled by Azure Arc. Required always for automatic updates, or temporarily if downloading certificates manually. Public

Note

To translate the *.servicebus.windows.net wildcard into specific endpoints, use the command \GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>. Within this command, the region must be specified for the <region> placeholder.

To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, East US 2 region, the region name is eastus2.

For example: san-af-<region>-prod.azurewebsites.net should be san-af-eastus2-prod.azurewebsites.net in the East US 2 region.

To see a list of all regions, run this command:

az account list-locations -o table
Get-AzLocation | Format-Table

Transport Layer Security 1.2 protocol

To ensure the security of data in transit to Azure, we strongly encourage you to configure machine to use Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and while they still currently work to allow backwards compatibility, they are not recommended.

Platform/Language Support More Information
Linux Linux distributions tend to rely on OpenSSL for TLS 1.2 support. Check the OpenSSL Changelog to confirm your version of OpenSSL is supported.
Windows Server 2012 R2 and higher Supported, and enabled by default. To confirm that you are still using the default settings.

Subset of endpoints for ESU only

If you're using Azure Arc-enabled servers only for Extended Security Updates for either or both of the following products:

  • Windows Server 2012
  • SQL Server 2012

You can enable the following subset of endpoints:

Agent resource Description When required Endpoint used with private link
aka.ms Used to resolve the download script during installation At installation time, only Public
download.microsoft.com Used to download the Windows installation package At installation time, only Public
login.windows.net Microsoft Entra ID Always Public
login.microsoftonline.com Microsoft Entra ID Always Public
management.azure.com Azure Resource Manager - to create or delete the Arc server resource When connecting or disconnecting a server, only Public, unless a resource management private link is also configured
*.his.arc.azure.com Metadata and hybrid identity services Always Private
*.guestconfiguration.azure.com Extension management and guest configuration services Always Private
www.microsoft.com/pkiops/certs Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443) Always for automatic updates, or temporarily if downloading certificates manually. Public
san-af-<region>-prod.azurewebsites.net Azure Arc data processing service SQL Server ESUs Public

Next steps