Simplify outbound network requirements for existing Azure Local instances, version 23H2 through Azure Arc gateway (preview)

Applies to: Azure Local, version 23H2

This article describes how to set up an Azure Arc Gateway for existing deployments of Azure Local running software version 2405.

You can use the Arc gateway to significantly reduce the number of required endpoints needed to deploy and manage Azure Local instances. You can enable the Arc gateway for new deployments or for existing deployments.

Important

This feature is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

Before you start, make sure that you have:

Enable Arc gateway for existing Azure Local deployments

The following steps are required to enable the Azure Arc gateway on existing Azure Local 2405 deployments.

  1. Create the Arc gateway resource in Azure (prerequisite).
  2. Associate the Arc gateway resource with your existing Azure Local instance.
  3. Update Arc agent configuration on each deployed Azure Local machine to use the Arc gateway ID.
  4. Await reconciliation.
  5. Verify that supported endpoints are redirected through the Arc gateway.

Step 1: Associate the Arc gateway resource with your existing Azure Local instance

Run the following az commands from a remote computer with internet access. You can use the same computer you used to create the Arc gateway resource in Azure. Running these commands from the Azure Local machines isn't supported.

[Optional step] Download the az connectedmachine extension .whl file if you're using a different computer than the one you used to create the Arc gateway resource in Azure. Otherwise you can omit this step.

[Optional step] Install the Azure Command Line Interface (CLI) if you're using a different computer than the one you used to create the Arc gateway resource in Azure. Otherwise you can omit this step.

[Optional step] Run the following command to add the az connectedmachine extension if you're using a different computer than the one you used to create the Arc gateway resource in Azure. Otherwise you can omit this step.

az extension add --allow-preview true --yes --source [whl file path]

Associate each existing machine in the system with the Arc gateway resource. Run the following command once per machine, substituting that machine's Arc server resource name:

az connectedmachine setting update --resource-group [res-group] --subscription [subscription name] --base-provider Microsoft.HybridCompute --base-resource-type machines --base-resource-name [Arc server resource name] --settings-resource-name default --gateway-resource-id [full ARM resource ID of the Arc gateway]

Step 2: Update the machine to use the Arc gateway resource

Update each Azure Local machine in the system to use the Arc gateway resource. Run the following command locally on your Azure Local machines to set the Arc agents to start using the Arc gateway.

azcmagent config set connection.type gateway

Step 3: Await reconciliation

Await reconciliation. Once your machines have been updated to use the Arc gateway, some Azure Arc endpoints that were previously allowed in your proxy or firewalls are no longer needed. Wait one hour before you begin removing endpoints from your firewall or proxy.

The next step is to verify that the setup was successful.

Step 4: Verify that setup succeeded

Once the deployment validation starts, connect to the first server node of your cluster and open the Arc gateway log to monitor which endpoints are being redirected to the Arc gateway and which ones keep using your firewall or proxy security solutions. You can find the Arc gateway log at c:\programdata\AzureConnectedMachineAgent\Log\arcproxy.log.

Screenshot of location of log file for Azure Arc gateway.

  1. To check the Arc agent configuration and verify that it is using the gateway, connect to the Azure Local machine.

  2. From the c:\program files\AzureConnectedMachineAgent directory, run the following command: .\azcmagent show. The result should show the following values:

    Screenshot of Azure Arc gateway connected machine agent output window.

    • Agent Version should show as 1.40 or later.
    • Agent Status should show as Connected.
    • Using HTTPS Proxy is empty when Arc gateway isn't in use. It should show as http://localhost:40343 when the Arc gateway is enabled.
    • Upstream Proxy always shows as empty for Azure Local, because Azure Local configures the Arc agent's proxy through environment variables rather than through this setting.
    • Upstream Proxy Bypass List should show your bypass list.
    • Azure Arc Proxy (arcproxy) shows as Stopped when Arc gateway isn't in use and shows as Running when Arc gateway is enabled.
  3. Verify that setup was successful by running the following command from the c:\program files\AzureConnectedMachineAgent directory: .\azcmagent check. The result should show the following values:

    Screenshot of successful verification from the output of azcmagent check command.

    • connection.type should show as gateway.

    • Reachable column should list true for all URLs.
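As an added example (not code from the article or from Microsoft), the following PowerShell script automates the association in Step 1 and the verification in Step 4. It assumes the az CLI with the connectedmachine extension is installed on the admin computer, that azcmagent show prints "Label : Value" lines using the field names listed above, and that azcmagent config get prints the bare value; the function names are hypothetical.

```powershell
# Added example, not from the article. Two helpers, one per context:
# Set-ArcGatewayAssociation runs on the remote admin computer (az CLI),
# Test-ArcGatewayAgent runs locally on each Azure Local machine (azcmagent).

function Set-ArcGatewayAssociation {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $Subscription,
        [Parameter(Mandatory)] [string] $GatewayResourceId   # full ARM ID of the Arc gateway resource
    )
    # Enumerate every Arc-enabled machine in the resource group, then point each
    # machine's default settings resource at the gateway (the article's Step 1).
    $machines = az connectedmachine list --resource-group $ResourceGroup `
        --subscription $Subscription --query "[].name" -o tsv
    if (-not $machines) { throw "No Arc-enabled machines found in resource group $ResourceGroup" }
    foreach ($name in $machines) {
        az connectedmachine setting update --resource-group $ResourceGroup `
            --subscription $Subscription --base-provider Microsoft.HybridCompute `
            --base-resource-type machines --base-resource-name $name `
            --settings-resource-name default --gateway-resource-id $GatewayResourceId | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Gateway association failed for machine $name" }
        Write-Host "Associated $name with the Arc gateway"
    }
}

function Test-ArcGatewayAgent {
    # Parses the "Label : Value" lines printed by azcmagent show and compares them
    # with the values the article expects once the gateway is active (Step 4).
    # Assumption: labels match the field names listed in the article.
    $agent = "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe"
    $fields = @{}
    foreach ($line in (& $agent show 2>&1)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    # The proxy label may carry a suffix such as "(arcproxy)", so match by prefix.
    $proxyKey = $fields.Keys | Where-Object { $_ -like 'Azure Arc Proxy*' } | Select-Object -First 1
    $connType = (& $agent config get connection.type 2>&1 | Out-String).Trim()

    $problems = @()
    if ($fields['Agent Status'] -ne 'Connected') { $problems += "Agent Status: '$($fields['Agent Status'])' (expected Connected)" }
    if ($fields['Using HTTPS Proxy'] -ne 'http://localhost:40343') { $problems += "Using HTTPS Proxy: '$($fields['Using HTTPS Proxy'])' (expected http://localhost:40343)" }
    if (-not $proxyKey -or $fields[$proxyKey] -notmatch 'Running') { $problems += "Azure Arc Proxy is not Running" }
    if ($connType -notmatch 'gateway') { $problems += "connection.type: '$connType' (expected gateway)" }
    return $problems   # an empty array means every check passed
}
```

Run Test-ArcGatewayAgent on each machine after the one-hour reconciliation wait; any returned strings name the field that still doesn't match the expected gateway state.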

Troubleshooting

You can audit Arc gateway traffic by viewing the gateway router logs.

Follow these steps to view the logs:

  1. Run the azcmagent logs command.

  2. In the resulting .zip file, view the logs in the C:\ProgramData\Microsoft\ArcGatewayRouter folder.

Next steps

Deploy workloads on your Azure Local instance: