This topic describes the networking requirements for using the Connected Machine agent to onboard a physical server or virtual machine to Azure Arc-enabled servers.
Tip
For the Azure public cloud, you can reduce the number of required endpoints by using the Azure Arc gateway (preview).
Details
Generally, connectivity requirements include these principles:
All connections are TCP unless otherwise specified.
All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
All connections are outbound unless otherwise specified.
To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.
Azure Arc-enabled server endpoints are required for all server-based Arc offerings.
Networking configuration
The Azure Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. By default, the agent uses the default route to the internet to reach Azure services. You can optionally configure the agent to use a proxy server if your network requires it. Proxy servers don't make the Connected Machine agent more secure because the traffic is already encrypted.
To further secure your network connectivity to Azure Arc, instead of using public networks and proxy servers, you can implement an Azure Arc Private Link Scope.
Note
Azure Arc-enabled servers does not support using a Log Analytics gateway as a proxy for the Connected Machine agent. The Azure Monitor Agent, by contrast, does support a Log Analytics gateway.
If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs and Service Tags listed below are not blocked.
Service tags
Be sure to allow access to the following Service Tags:
For a list of IP addresses for each service tag/region, see the JSON file Azure IP Ranges and Service Tags – Public Cloud. Microsoft publishes weekly updates containing each Azure service and the IP ranges it uses. The information in the JSON file is the current point-in-time list of the IP ranges that correspond to each service tag, and the IP addresses are subject to change. If IP address ranges are required for your firewall configuration, use the AzureCloud Service Tag to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs; allow them as you would other Internet traffic.
If you filter traffic to the AzureArcInfrastructure service tag, you must allow traffic to the full service tag range. The ranges advertised for individual regions, for example AzureArcInfrastructure.AustraliaEast, do not include the IP ranges used by global components of the service. The specific IP address resolved for these endpoints may change over time within the documented ranges, so using a lookup tool to find the current IP address of an endpoint and allowing only that address is not sufficient to ensure reliable access.
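The two checks the preceding paragraphs describe (take ranges from the service-tag JSON rather than from a DNS lookup, and allow the whole tag rather than a regional sub-tag) can be scripted against the published file. The following is an added example, not code from the Azure Arc documentation or agent; the JSON sample is constructed in the file's shape (a "values" list whose entries carry "name" and "properties.addressPrefixes") and uses documentation address ranges, not real Azure prefixes.

```python
"""Added example (not part of the Azure Arc documentation or agent): read the
Azure IP Ranges and Service Tags JSON file, pull the prefixes for a service
tag, and check addresses against them."""
import ipaddress
import json
import socket

# Constructed sample in the shape of the published JSON file. The prefixes
# are RFC 5737 / RFC 3849 documentation ranges, not real Azure addresses.
SAMPLE_SERVICE_TAGS_JSON = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {
            "name": "AzureArcInfrastructure",
            "id": "AzureArcInfrastructure",
            "properties": {
                "region": "",
                "addressPrefixes": [
                    "203.0.113.0/24",     # stands in for a global component
                    "198.51.100.0/25",    # stands in for an Australia East range
                    "2001:db8:10::/48",   # stands in for a global IPv6 range
                ],
            },
        },
        {
            "name": "AzureArcInfrastructure.AustraliaEast",
            "id": "AzureArcInfrastructure.AustraliaEast",
            "properties": {
                "region": "australiaeast",
                "addressPrefixes": ["198.51.100.0/25"],
            },
        },
    ],
})


def load_prefixes(service_tags_json, tag):
    """Return the ip_network objects advertised for one service tag name."""
    doc = json.loads(service_tags_json)
    for entry in doc["values"]:
        if entry["name"] == tag:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag!r} not present in file")


def is_allowed(ip, prefixes):
    """True when ip falls inside any prefix of the allow list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def ranges_missing_from_regional(service_tags_json, tag, regional_tag):
    """Prefixes in the full tag that the region-scoped tag leaves out.

    A non-empty result is the concrete reason for allowing the whole tag:
    a rule built only from the regional tag misses the global components."""
    full = set(load_prefixes(service_tags_json, tag))
    regional = set(load_prefixes(service_tags_json, regional_tag))
    return sorted(full - regional, key=str)


def check_resolved_addresses(hostname, prefixes):
    """Resolve hostname now and report which addresses the allow list covers.

    Point-in-time only: the address an endpoint resolves to can move within
    the published ranges, so the firewall rule must carry the ranges, not
    the addresses seen here. Needs DNS; not exercised by the tests."""
    addrs = {info[4][0] for info in socket.getaddrinfo(hostname, 443)}
    return {ip: is_allowed(ip, prefixes) for ip in sorted(addrs)}


if __name__ == "__main__":
    full_tag = load_prefixes(SAMPLE_SERVICE_TAGS_JSON, "AzureArcInfrastructure")
    print("allow list:", [str(n) for n in full_tag])
    print("not covered by regional tag:", [str(n) for n in ranges_missing_from_regional(
        SAMPLE_SERVICE_TAGS_JSON, "AzureArcInfrastructure",
        "AzureArcInfrastructure.AustraliaEast")])
    print("203.0.113.7 allowed:", is_allowed("203.0.113.7", full_tag))
```

Point `load_prefixes` at the downloaded weekly file instead of the sample and feed the result to whatever renders your firewall rules; re-run it on each published update, since the ranges change.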
When configuring the Azure Connected Machine agent to communicate with Azure through a private link, some endpoints must still be accessed through the internet. The Private link capable column in the following table shows which endpoints can be configured with a private endpoint. If the column shows Public for an endpoint, you must still allow access to that endpoint through your organization's firewall and/or proxy server for the agent to function. Network traffic is routed through the private endpoint if a private link scope is assigned.
| Agent resource | Description | When required | Private link capable |
| --- | --- | --- | --- |
| aka.ms | Used to resolve the download script during installation | At installation time, only | Public |
| download.microsoft.com | Used to download the Windows installation package | At installation time, only | Public |
| packages.microsoft.com | Used to download the Linux installation package | At installation time, only | Public |
| login.microsoftonline.com | Microsoft Entra ID | Always | Public |
| *login.microsoft.com | Microsoft Entra ID | Always | Public |
| pas.windows.net | Microsoft Entra ID | Always | Public |
| management.azure.com | Azure Resource Manager - to create or delete the Arc server resource | | |

For extension versions up to and including February 13, 2024, use san-af-<region>-prod.azurewebsites.net. Beginning with March 12, 2024, both Azure Arc data processing and Azure Arc data telemetry use *.<region>.arcdataservices.com.
Note
To translate the *.servicebus.windows.net wildcard into specific endpoints, send a GET request to https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>, replacing the <region> placeholder with your region. These endpoints may change periodically.
To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, for the East US 2 region, the region segment is eastus2.
For example: *.<region>.arcdataservices.com becomes *.eastus2.arcdataservices.com in the East US 2 region.
To see a list of all regions, run one of these commands:
Azure CLI: az account list-locations -o table
Azure PowerShell: Get-AzLocation | Format-Table
Note
When configuring the Azure Connected Machine agent to communicate with Azure through a private link, some endpoints must still be accessed through the internet. The Endpoint used with private link column in the following table shows which endpoints can be configured with a private endpoint. If the column shows Public for an endpoint, you must still allow access to that endpoint through your organization's firewall and/or proxy server for the agent to function.
| Agent resource | Description | When required | Endpoint used with private link |
| --- | --- | --- | --- |
| aka.ms | Used to resolve the download script during installation | At installation time, only | Public |
| download.microsoft.com | Used to download the Windows installation package | At installation time, only | Public |
| packages.microsoft.com | Used to download the Linux installation package | At installation time, only | Public |
| login.microsoftonline.us | Microsoft Entra ID | Always | Public |
| pasff.usgovcloudapi.net | Microsoft Entra ID | Always | Public |
| management.usgovcloudapi.net | Azure Resource Manager - to create or delete the Arc server resource | | |
| | Notification service for extension and connectivity scenarios | Always | |
| azgn*.servicebus.chinacloudapi.cn | Notification service for extension and connectivity scenarios | Always | |
| *.servicebus.chinacloudapi.cn | For Windows Admin Center and SSH scenarios | If using SSH or Windows Admin Center from Azure | |
| *.blob.core.chinacloudapi.cn | Download source for Azure Arc-enabled servers extensions | Always, except when using private endpoints | |
| dc.applicationinsights.azure.cn | Agent telemetry | Optional, not used in agent versions 1.24+ | |
Transport Layer Security 1.2 protocol
To ensure the security of data in transit to Azure, we strongly encourage you to configure the machine to use Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable; while they still work for backwards compatibility, they are not recommended.
| Platform/Language | Support | More Information |
| --- | --- | --- |
| Linux | Linux distributions tend to rely on OpenSSL for TLS 1.2 support. | Check the OpenSSL Changelog to confirm your version of OpenSSL is supported. |
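A pre-flight check that the outbound path from a machine actually negotiates TLS 1.2 or newer with a verifiable certificate, directly or through the HTTP proxy the earlier section describes, is the practical way to confirm the recommendation above before onboarding. The following is an added example, not the Connected Machine agent's code; the endpoint names come from the table above, the proxy address is a placeholder, and the CONNECT tunnelling is a plain HTTP-proxy handshake written here for illustration.

```python
"""Added example (not the Connected Machine agent's code): check that an
outbound HTTPS path to an Azure Arc endpoint negotiates TLS 1.2 or newer with
a valid certificate chain, directly or through an HTTP proxy via CONNECT."""
import socket
import ssl

MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}  # names ssl.SSLSocket.version() reports


def make_client_context():
    """Client context that refuses SSL/TLS 1.0/1.1 and requires a valid chain."""
    ctx = ssl.create_default_context()        # system CA store, hostname checking on
    ctx.minimum_version = MIN_TLS_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def version_is_acceptable(negotiated):
    """True for the protocol names that meet the TLS 1.2 recommendation."""
    return negotiated in ACCEPTABLE_VERSIONS


def parse_connect_status(status_line):
    """Status code from the first line of a proxy's reply to CONNECT."""
    parts = status_line.strip().split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"malformed proxy status line: {status_line!r}")
    return int(parts[1])


def open_proxy_tunnel(proxy_host, proxy_port, target_host, target_port, timeout=10.0):
    """TCP-connect to the proxy and ask it to tunnel to target_host:target_port."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n")
    sock.sendall(request.encode("ascii"))
    reply = b""
    while b"\r\n\r\n" not in reply:           # read the proxy's response headers
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        reply += chunk
    status = parse_connect_status(reply.split(b"\r\n", 1)[0])
    if status != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    return sock  # TLS is negotiated end-to-end inside this tunnel


def probe_endpoint(host, port=443, proxy=None, timeout=10.0):
    """Handshake with host and report the negotiated version and peer subject."""
    if proxy:
        raw = open_proxy_tunnel(proxy[0], proxy[1], host, port, timeout)
    else:
        raw = socket.create_connection((host, port), timeout=timeout)
    with make_client_context().wrap_socket(raw, server_hostname=host) as tls:
        version = tls.version()
        subject = {k: v for rdn in tls.getpeercert()["subject"] for k, v in rdn}
        return {"host": host, "tls_version": version,
                "acceptable": version_is_acceptable(version), "subject": subject}


if __name__ == "__main__":
    # Endpoints listed in the article for the Azure public cloud.
    endpoints = ["login.microsoftonline.com", "management.azure.com",
                 "packages.microsoft.com", "download.microsoft.com"]
    proxy = None  # e.g. ("proxy.example.internal", 8080); placeholder, not a real host
    for host in endpoints:
        try:
            print(probe_endpoint(host, proxy=proxy))
        except (OSError, ssl.SSLError, ValueError) as exc:
            print(f"{host}: FAILED ({exc})")
```

A handshake failure here, rather than a success with an older version, is the intended outcome when a path only offers TLS 1.0/1.1: the context never negotiates below `MIN_TLS_VERSION`, and an unverifiable certificate (for example one injected by an inspecting proxy whose CA the machine does not trust) surfaces as an `ssl.SSLError` naming the endpoint.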
| Agent resource | Description | When required | Endpoint used with private link |
| --- | --- | --- | --- |
| | Extension management and guest configuration services | Always | Private |
| www.microsoft.com/pkiops/certs | Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443) | Always for automatic updates, or temporarily if downloading certificates manually. | Public |
| *.blob.core.usgovcloudapi.net | Download SQL Server Extension package | SQL Server ESUs | Not required if using Private Link |
Note
Using Azure Arc-enabled servers for Extended Security Updates for Windows Server 2012 is not available in Microsoft Azure operated by 21Vianet regions at this time.
Before you deploy the Azure Connected Machine agent and integrate with other Azure management and monitoring services, review the Planning and deployment guide.
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.
Learn about design considerations and recommendations for network connectivity of Azure Arc-enabled servers to manage physical servers and virtual machines.
This article tells how to troubleshoot and resolve issues with the Connected Machine agent that arise with Azure Arc-enabled servers when trying to connect to the service.
Learn how to enable a large number of machines to Azure Arc-enabled servers to simplify configuration of essential security, management, and monitoring capabilities in Azure.