Overview of Arc-enabled System Center Virtual Machine Manager (preview)

Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) empowers System Center customers to connect their VMM environment to Azure and perform VM self-service operations from Azure portal. With Azure Arc-enabled SCVMM, you get a consistent management experience across Azure.

Azure Arc-enabled System Center Virtual Machine Manager allows you to manage your Hybrid environment and perform self-service VM operations through Azure portal. For Microsoft Azure Pack customers, this solution is intended as an alternative to perform VM self-service operations.

Arc-enabled System Center VMM allows you to:

  • Perform various VM lifecycle operations such as start, stop, pause, delete VMs on VMM managed VMs directly from Azure.
  • Empower developers and application teams to self-serve VM operations on-demand using Azure role-based access control (RBAC).
  • Browse your VMM resources (VMs, templates, VM networks, and storage) in Azure, providing you a single pane view for your infrastructure across both environments.
  • Discover and onboard existing SCVMM managed VMs to Azure.

How does it work?

To Arc-enable a System Center VMM management server, deploy Azure Arc resource bridge (preview) in the VMM environment. Arc resource bridge is a virtual appliance that connects VMM management server to Azure. Azure Arc resource bridge (preview) enables you to represent the SCVMM resources (clouds, VMs, templates etc.) in Azure and do various operations on them.

Architecture

The following image shows the architecture for the Arc-enabled SCVMM:

Screenshot of Arc enabled SCVMM - architecture.

Supported VMM versions

Azure Arc-enabled SCVMM works with VMM 2016, 2019 and 2022 versions and supports SCVMM management servers with a maximum of 3500 VMS.

Supported scenarios

The following scenarios are supported in Azure Arc-enabled SCVMM (preview):

  • SCVMM administrators can connect a VMM instance to Azure and browse the SCVMM virtual machine inventory in Azure.
  • Administrators can use the Azure portal to browse SCVMM inventory and register SCVMM cloud, virtual machines, VM networks, and VM templates into Azure.
  • Administrators can provide app teams/developers fine-grained permissions on those SCVMM resources through Azure RBAC.
  • App teams can use Azure interfaces (portal, CLI, or REST API) to manage the lifecycle of on-premises VMs they use for deploying their applications (CRUD, Start/Stop/Restart).

Supported regions

Azure Arc-enabled SCVMM (preview) is currently supported in the following regions:

  • East US
  • West Europe

Resource bridge networking requirements

The following firewall URL exceptions are needed for the Azure Arc resource bridge VM:

Outbound connectivity

The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.

Firewall/Proxy URL allowlist

Service Port URL Direction Notes
SFS API endpoint 443 msk8s.api.cdp.microsoft.com Management machine, Appliance VM IP and Control Plane IP need outbound connection. Used when downloading product catalog, product bits, and OS images from SFS.
Resource bridge (appliance) Dataplane service 443 https://*.dp.prod.appliances.azure.com Appliance VM IP and Control Plane IP need outbound connection. Communicate with resource provider in Azure.
Resource bridge (appliance) container image download 443 *.blob.core.windows.net, https://ecpacr.azurecr.io Appliance VM IP and Control Plane IP need outbound connection. Required to pull container images.
Resource bridge (appliance) image download 80 msk8s.b.tlu.dl.delivery.mp.microsoft.com Management machine, Appliance VM IP and Control Plane IP need outbound connection. Download the Arc Resource Bridge OS images.
Resource bridge (appliance) image download 443 msk8s.sb.tlu.dl.delivery.mp.microsoft.com Management machine, Appliance VM IP and Control Plane IP need outbound connection. Download the Arc Resource Bridge OS images.
Azure Arc for Kubernetes container image download 443 https://azurearcfork8sdev.azurecr.io Appliance VM IP and Control Plane IP need outbound connection. Required to pull container images.
ADHS telemetry service 443 adhs.events.data.microsoft.com Appliance VM IP and Control Plane IP need outbound connection. Runs inside the appliance/mariner OS. Used periodically to send Microsoft required diagnostic data from control plane nodes. Used when telemetry is coming off Mariner, which would mean any Kubernetes control plane.
Microsoft events data service 443 v20.events.data.microsoft.com Appliance VM IP and Control Plane IP need outbound connection. Used periodically to send Microsoft required diagnostic data from the Azure Stack HCI or Windows Server host. Used when telemetry is coming off Windows like Windows Server or HCI.

SSL proxy configuration

Azure Arc resource bridge must be configured for proxy so that it can connect to the Azure services. This configuration is handled automatically. However, proxy configuration of the management machine isn't configured by the Azure Arc resource bridge.

There are only two certificates that should be relevant when deploying the Arc resource bridge behind an SSL proxy: the SSL certificate for your SSL proxy (so that the host and guest trust your proxy FQDN and can establish an SSL connection to it), and the SSL certificate of the Microsoft download servers. This certificate must be trusted by your proxy server itself, as the proxy is the one establishing the final connection and needs to trust the endpoint. Non-Windows machines may not trust this second certificate by default, so you may need to ensure that it's trusted.

In addition, SCVMM requires the following exception:

Service Port URL Direction Notes
SCVMM management Server 443 URL of the SCVMM management server Appliance VM IP and control plane endpoint need outbound connection. Used by the SCVMM server to communicate with the Appliance VM and the control plane.

Generally, connectivity requirements include these principles:

  • All connections are TCP unless otherwise specified.
  • All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
  • All connections are outbound unless otherwise specified.

To use a proxy, verify that the agents meet the network requirements in this article.

For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see Azure Arc network requirements (Consolidated).

Next steps

See how to create a Azure Arc VM