Support matrix for Azure Arc-enabled VMware vSphere (preview)

This article documents the prerequisites and support requirements for using Azure Arc-enabled VMware vSphere (preview) to manage your VMware vSphere VMs through Azure Arc.

To use Arc-enabled VMware vSphere, you must deploy an Azure Arc resource bridge (preview) in your VMware vSphere environment. The resource bridge provides an ongoing connection between your VMware vCenter Server and Azure. Once you've connected your VMware vCenter Server to Azure, components on the resource bridge discover your vCenter inventory (VMs, templates, networks, datastores, and resource pools). You can enable those inventory items in Azure and then perform virtual hardware and guest OS operations on them using Azure Arc.

VMware vSphere requirements

The following requirements must be met in order to use Azure Arc-enabled VMware vSphere.

Supported vCenter Server versions

Azure Arc-enabled VMware vSphere (preview) works with vCenter Server versions 6.7 and 7.

Note

Azure Arc-enabled VMware vSphere (preview) currently supports vCenters with a maximum of 9500 VMs. If your vCenter has more than 9500 VMs, it is not recommended to use Arc-enabled VMware vSphere with it at this point.

Required vSphere account privileges

You need a vSphere account that can:

  • Read all inventory.
  • Deploy and update VMs to all the resource pools (or clusters), networks, and VM templates that you want to use with Azure Arc.

This account is used for the ongoing operation of Azure Arc-enabled VMware vSphere (preview) and the deployment of the Azure Arc resource bridge (preview) VM.

Resource bridge resource requirements

For Arc-enabled VMware vSphere, the resource bridge VM has the following minimum virtual hardware requirements:

  • 16 GB of memory
  • 4 vCPUs
  • An external virtual switch that can provide access to the internet directly or through a proxy. If internet access is through a proxy or firewall, ensure the URLs listed under "Resource bridge networking requirements" below are allow-listed.

Resource bridge networking requirements

Generally, connectivity requirements include these principles:

  • All connections are TCP unless otherwise specified.
  • All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates, except where a port-80 (plain HTTP) endpoint is explicitly listed in the table below. Because the certificates must be verifiable, a TLS-intercepting proxy that re-signs traffic with its own CA will break these connections unless that CA is trusted by the resource bridge.
  • All connections are outbound unless otherwise specified.

To use a proxy, verify that the agents meet the network requirements in this article.

The following firewall URL exceptions are needed for the Azure Arc resource bridge VM:

Outbound connectivity

The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.

Firewall/Proxy URL allowlist

| Service | Port | URL | Direction | Notes |
|---|---|---|---|---|
| SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com | Management machine, appliance VM IP and control plane IP need outbound connection. | Used when downloading the product catalog, product bits, and OS images from SFS. |
| Resource bridge (appliance) dataplane service | 443 | https://*.dp.prod.appliances.azure.com | Appliance VM IP and control plane IP need outbound connection. | Communicate with the resource provider in Azure. |
| Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, https://ecpacr.azurecr.io | Appliance VM IP and control plane IP need outbound connection. | Required to pull container images. |
| Resource bridge (appliance) image download | 80 | msk8s.b.tlu.dl.delivery.mp.microsoft.com | Management machine, appliance VM IP and control plane IP need outbound connection. | Download the Arc resource bridge OS images (plain HTTP). |
| Resource bridge (appliance) image download | 443 | msk8s.sb.tlu.dl.delivery.mp.microsoft.com | Management machine, appliance VM IP and control plane IP need outbound connection. | Download the Arc resource bridge OS images. |
| Azure Arc for Kubernetes container image download | 443 | https://azurearcfork8sdev.azurecr.io | Appliance VM IP and control plane IP need outbound connection. | Required to pull container images. |
| ADHS telemetry service | 443 | adhs.events.data.microsoft.com | Appliance VM IP and control plane IP need outbound connection. | Runs inside the appliance (Mariner OS). Used periodically to send Microsoft required diagnostic data from control plane nodes. Used when telemetry is coming off Mariner, which means any Kubernetes control plane. |
| Microsoft events data service | 443 | v20.events.data.microsoft.com | Appliance VM IP and control plane IP need outbound connection. | Used periodically to send Microsoft required diagnostic data from the Azure Stack HCI or Windows Server host. Used when telemetry is coming off Windows, such as Windows Server or HCI. |
| Log collection for Arc resource bridge | 443 | linuxgeneva-microsoft.azurecr.io | Appliance VM IP and control plane IP need outbound connection. | Push logs for appliance managed components. |
| Resource bridge components download | 443 | kvamanagementoperator.azurecr.io | Appliance VM IP and control plane IP need outbound connection. | Required to pull artifacts for appliance managed components. |
| Microsoft Container Registry | 443 | https://mcr.microsoft.com | Management machine, appliance VM IP and control plane IP need outbound connection. | Download container images for Arc resource bridge. |
| Custom Locations | 443 | sts.windows.net | Appliance VM IP and control plane IP need outbound connection. | Required for use by the Custom Locations cluster extension. |

In addition, VMware vSphere requires the following exception:

| Service | Port | URL | Direction | Notes |
|---|---|---|---|---|
| vCenter Server | 443 | URL of your vCenter Server | Appliance VM IP and control plane endpoint need outbound connection. | Used by the appliance VM and the control plane to communicate with vCenter Server. |

For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see Azure Arc network requirements (Consolidated).

Azure role/permission requirements

The minimum Azure roles required for operations related to Arc-enabled VMware vSphere are as follows:

| Operation | Minimum role required | Scope |
|---|---|---|
| Onboarding your vCenter Server to Arc | Azure Arc VMware Private Clouds Onboarding | On the subscription or resource group into which you want to onboard |
| Administering Arc-enabled VMware vSphere | Azure Arc VMware Administrator | On the subscription or resource group where the vCenter Server resource is created |
| VM provisioning | Azure Arc VMware Private Cloud User | On the subscription or resource group that contains the resource pool/cluster/host, datastore and virtual network resources, or on the resources themselves |
| VM provisioning | Azure Arc VMware VM Contributor | On the subscription or resource group where you want to provision VMs |
| VM operations | Azure Arc VMware VM Contributor | On the subscription or resource group that contains the VM, or on the VM itself |

Any roles with higher permissions on the same scope, such as Owner or Contributor, will also allow you to perform the operations listed above.

Guest management (Arc agent) requirements

With Arc-enabled VMware vSphere, you can install the Arc connected machine agent on your VMs at scale and use Azure management services on the VMs. There are additional requirements for this capability.

To enable guest management (install the Arc connected machine agent), ensure the following:

  • VM is powered on.
  • VM has VMware tools installed and running.
  • Resource bridge has access to the host on which the VM is running.
  • VM is running a supported operating system.
  • VM has internet connectivity directly or through a proxy. If the connection is through a proxy, ensure the URLs listed under "Networking requirements" below are allow-listed.

Additionally, be sure that the requirements below are met in order to enable guest management.

Supported operating systems

Make sure you are using a version of the Windows or Linux operating systems that are officially supported for the Azure Connected Machine agent. Only x86-64 (64-bit) architectures are supported. x86 (32-bit) and ARM-based architectures, including x86-64 emulation on arm64, aren't supported operating environments.

Software requirements

Windows operating systems:

Linux operating systems:

  • systemd
  • wget (to download the installation script)

Networking requirements

The following firewall URL exceptions are needed for the Azure Arc agents:

| URL | Description |
|---|---|
| aka.ms | Used to resolve the download script during installation |
| packages.microsoft.com | Used to download the Linux installation package |
| download.microsoft.com | Used to download the Windows installation package |
| login.windows.net | Azure Active Directory |
| login.microsoftonline.com | Azure Active Directory |
| pas.windows.net | Azure Active Directory |
| management.azure.com | Azure Resource Manager - to create or delete the Arc server resource |
| *.his.arc.azure.com | Metadata and hybrid identity services |
| *.guestconfiguration.azure.com | Extension management and guest configuration services |
| guestnotificationservice.azure.com, *.guestnotificationservice.azure.com | Notification service for extension and connectivity scenarios |
| azgn*.servicebus.windows.net | Notification service for extension and connectivity scenarios |
| *.servicebus.windows.net | For Windows Admin Center and SSH scenarios |
| *.blob.core.windows.net | Download source for Azure Arc-enabled servers extensions |
| dc.services.visualstudio.com | Agent telemetry |
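The two allowlists on this page (the resource bridge endpoints under "Resource bridge networking requirements" and the Arc agent endpoints above) are easiest to validate from the management machine before deploying. The script below is an added example, not Microsoft's tooling: it transcribes both lists, opens a TCP connection to each concrete host and, on port 443, completes a TLS handshake with certificate and hostname verification, which is exactly what fails behind a TLS-intercepting proxy whose CA the appliance does not trust. Wildcard entries cannot be probed as written and are reported so you can substitute a concrete host. The agent table gives no port, so 443 is assumed for those entries; the `probe` argument is injectable so the logic can be exercised without network access.

```python
"""Probe the outbound allowlists for the Arc resource bridge and Arc agents.

Added example (not part of this page or Microsoft's tooling). Endpoint lists are
transcribed from the tables on this page; port 443 for the agent endpoints is an
assumption. On 443 the probe verifies the server certificate chain and name,
so an untrusted TLS-inspecting proxy shows up as a failure rather than a pass.
"""
import socket
import ssl
from collections import Counter
from dataclasses import dataclass

# Resource bridge allowlist (host pattern, port) as listed on this page.
RESOURCE_BRIDGE_ENDPOINTS = [
    ("msk8s.api.cdp.microsoft.com", 443),
    ("https://*.dp.prod.appliances.azure.com", 443),
    ("*.blob.core.windows.net", 443),
    ("https://ecpacr.azurecr.io", 443),
    ("msk8s.b.tlu.dl.delivery.mp.microsoft.com", 80),   # plain HTTP per the page
    ("msk8s.sb.tlu.dl.delivery.mp.microsoft.com", 443),
    ("https://azurearcfork8sdev.azurecr.io", 443),
    ("adhs.events.data.microsoft.com", 443),
    ("v20.events.data.microsoft.com", 443),
    ("linuxgeneva-microsoft.azurecr.io", 443),
    ("kvamanagementoperator.azurecr.io", 443),
    ("https://mcr.microsoft.com", 443),
    ("sts.windows.net", 443),
]

# Arc agent allowlist. The page lists no port for these; 443 is an assumption.
ARC_AGENT_ENDPOINTS = [(h, 443) for h in (
    "aka.ms", "packages.microsoft.com", "download.microsoft.com",
    "login.windows.net", "login.microsoftonline.com", "pas.windows.net",
    "management.azure.com", "*.his.arc.azure.com",
    "*.guestconfiguration.azure.com", "guestnotificationservice.azure.com",
    "*.guestnotificationservice.azure.com", "azgn*.servicebus.windows.net",
    "*.servicebus.windows.net", "*.blob.core.windows.net",
    "dc.services.visualstudio.com",
)]


@dataclass
class ProbeResult:
    host: str
    port: int
    status: str  # "ok", "fail" or "skipped-wildcard"
    detail: str = ""


def normalize_host(entry: str) -> str:
    """Strip an optional scheme and path, returning the bare host pattern."""
    return entry.split("://", 1)[-1].split("/", 1)[0].strip().lower()


def default_probe(host: str, port: int, timeout: float = 5.0) -> str:
    """TCP connect; on 443 also verify the certificate chain and hostname."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if port != 443:
            return "tcp ok (plaintext port, no certificate to verify)"
        ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return f"tls ok, issuer={issuer.get('organizationName', '?')}"


def check_allowlist(entries, probe=default_probe) -> list:
    """Probe every concrete entry; wildcard patterns are reported, not probed."""
    results = []
    for entry, port in entries:
        host = normalize_host(entry)
        if "*" in host:
            results.append(ProbeResult(host, port, "skipped-wildcard",
                                       "substitute a concrete host under this pattern"))
            continue
        try:
            results.append(ProbeResult(host, port, "ok", probe(host, port)))
        except OSError as exc:  # DNS, timeout, refused and SSLCertVerificationError
            results.append(ProbeResult(host, port, "fail", f"{type(exc).__name__}: {exc}"))
    return results


def summarize(results) -> dict:
    """Count results per status, e.g. {'ok': 10, 'fail': 1, 'skipped-wildcard': 2}."""
    return dict(Counter(r.status for r in results))


if __name__ == "__main__":
    for r in check_allowlist(RESOURCE_BRIDGE_ENDPOINTS + ARC_AGENT_ENDPOINTS):
        print(f"{r.status:17} {r.host}:{r.port}  {r.detail}")
```

Run it on the management machine with the same proxy settings the resource bridge deployment will use; a `fail` whose detail names `SSLCertVerificationError` usually means the proxy is re-signing traffic, while `TimeoutError` or `ConnectionRefusedError` points at a firewall rule. Add your own vCenter Server host on port 443 to the list to cover the vSphere-specific exception as well.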

Next steps