Simplify outbound network requirements for existing Azure Local instances, version 23H2 through Azure Arc gateway (preview)
Applies to: Azure Local, version 23H2
This article describes how to set up an Azure Arc Gateway for existing deployments of Azure Local running software version 2405.
You can use the Arc gateway to significantly reduce the number of endpoints that must be reachable from your network to deploy and manage Azure Local instances. You can enable the Arc gateway for new deployments or for existing deployments.
Important
This feature is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Prerequisites
Before you start, make sure that you have:
- A completed Arc gateway Preview signup form.
- An Arc gateway resource in Azure. To create the resource, follow the steps in Create the Arc gateway resource in Azure.
- An existing Azure Local instance running software version 2405 or later.
- The machines in the system must be running the Azure Connected Machine agent version 1.40 or later.
Enable Arc gateway for existing Azure Local deployments
The following steps are required to enable the Azure Arc gateway on existing Azure Local 2405 deployments.
- Create the Arc gateway resource in Azure (prerequisite).
- Associate the Arc gateway resource with your existing Azure Local instance.
- Update Arc agent configuration on each deployed Azure Local machine to use the Arc gateway ID.
- Await reconciliation.
- Verify that supported endpoints are redirected through the Arc gateway.
Step 1: Associate the Arc gateway resource with your existing Azure Local instance
Run the following az commands from a remote computer with internet access. You can use the same computer you used to create the Arc gateway resource in Azure. Running these commands from the Azure Local machines isn't supported.
[Optional steps] If you're using a different computer than the one you used to create the Arc gateway resource in Azure, complete these steps first. Otherwise, you can skip them.
- Install the Azure Command Line Interface (CLI).
- Download the connectedmachine .whl extension file.
- Add the connectedmachine extension by running the following command:
az extension add --allow-preview true --yes --source [whl file path]
Associate each existing machine in the system with the Arc gateway resource. Run the following command once for each machine, using that machine's Arc server resource name and the full ARM resource ID of the Arc gateway:
az connectedmachine setting update --resource-group [res-group] --subscription [subscription name] --base-provider Microsoft.HybridCompute --base-resource-type machines --base-resource-name [Arc server resource name] --settings-resource-name default --gateway-resource-id [Full ARM resource ID]
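The following script is an added example, not part of the original article or of the Azure CLI documentation. It wraps the association command above in a loop over every machine in the system and then reads each machine's setting resource back to confirm that it references the gateway. Run it from the management computer, not from an Azure Local machine. The resource group, subscription, gateway name and machine names are placeholders, and the use of az connectedmachine setting show with the same base-resource parameters as setting update is an assumption.

```powershell
# Added example (not from the original article): associate every machine of an
# Azure Local instance with an Arc gateway resource and confirm the association.
# Run from a management computer with the Azure CLI and the connectedmachine
# extension installed, not from the Azure Local machines themselves.
# All names and IDs below are placeholders (assumptions); replace them with your own.

$ResourceGroup = "rg-azlocal"
$Subscription  = "00000000-0000-0000-0000-000000000000"
$GatewayId     = "/subscriptions/$Subscription/resourceGroups/$ResourceGroup/providers/Microsoft.HybridCompute/gateways/gw-azlocal"
# Arc server resource names of the machines in the system (one per node).
$MachineNames  = @("node1", "node2", "node3")

$failed = @()
foreach ($name in $MachineNames) {
    Write-Host "Associating $name with $GatewayId"
    az connectedmachine setting update `
        --resource-group $ResourceGroup `
        --subscription $Subscription `
        --base-provider Microsoft.HybridCompute `
        --base-resource-type machines `
        --base-resource-name $name `
        --settings-resource-name default `
        --gateway-resource-id $GatewayId `
        --output none
    if ($LASTEXITCODE -ne 0) {
        $failed += $name
        continue
    }

    # Read the setting back and make sure the returned resource references the
    # gateway ID. 'az connectedmachine setting show' is assumed to take the same
    # base-resource parameters as 'setting update'. Matching on the raw JSON text
    # avoids depending on the exact property path of the returned object.
    $setting = az connectedmachine setting show `
        --resource-group $ResourceGroup `
        --subscription $Subscription `
        --base-provider Microsoft.HybridCompute `
        --base-resource-type machines `
        --base-resource-name $name `
        --settings-resource-name default `
        --output json | Out-String
    if ($LASTEXITCODE -ne 0 -or $setting -notmatch [regex]::Escape($GatewayId)) {
        $failed += $name
    }
}

if ($failed.Count -gt 0) {
    Write-Error "Gateway association not confirmed for: $($failed -join ', ')"
    exit 1
}
Write-Host "All $($MachineNames.Count) machines reference the Arc gateway."
```

The read-back check matters because a non-zero exit code is not the only way the association can fail to take effect; comparing the stored gateway ID against the one you intended also catches a typo in the resource ID before you start removing endpoints from your firewall.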
Step 2: Update the machine to use the Arc gateway resource
Update each Azure Local machine in the system to use the Arc gateway resource. Run the following command locally on every Azure Local machine so that its Arc agent starts using the Arc gateway:
azcmagent config set connection.type gateway
Step 3: Await reconciliation
Once your machines have been updated to use the Arc gateway, some Azure Arc endpoints that were previously allowed in your proxy or firewall are no longer needed. Wait at least one hour for the change to reconcile before you begin removing endpoints from your firewall or proxy.
The next step is to verify that the setup succeeded.
Step 4: Verify that setup succeeded
After the reconciliation wait, connect to the first machine in the system and open the Arc gateway log to see which endpoints are being redirected through the Arc gateway and which ones still go through your firewall or proxy security solutions. The log is at c:\programdata\AzureConnectedMachineAgent\Log\arcproxy.log. Only remove an endpoint from your firewall or proxy after the log shows that it's being redirected through the gateway.
To check the Arc agent configuration and verify that it's using the gateway, connect to the Azure Local machine and run the following command from the c:\program files\AzureConnectedMachineAgent folder:
.\azcmagent show
The result should show the following values:
- Agent Version should show as 1.40 or later.
- Agent Status should show as Connected.
- Using HTTPS Proxy is empty when the Arc gateway isn't in use. It should show as http://localhost:40343 when the Arc gateway is enabled.
- Upstream Proxy always shows as empty for Azure Local, because Azure Local uses environment variables to configure the Arc agent.
- Upstream Proxy Bypass List should show your bypass list.
- Azure Arc Proxy (arcproxy) shows as Stopped when the Arc gateway isn't in use and as Running when the Arc gateway is enabled.
Then verify that setup was successful by running the following command from the same folder:
.\azcmagent check
The result should show the following values:
- connection.type should show as gateway.
- The Reachable column should list true for all URLs.
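The following script is an added example, not part of the original article or of the Azure Connected Machine agent itself. Run it in an elevated PowerShell session on each Azure Local machine after the reconciliation wait; it runs the same azcmagent commands as above, checks for the values the article lists, and exits non-zero when any of them is missing, so it can be repeated on every node. The default install path is assumed, and the line patterns it searches for in the azcmagent show output and the fixed-width layout of the azcmagent check table are assumptions drawn from the documented values, not from a published output format.

```powershell
# Added example (not from the original article): verify on an Azure Local machine
# that the Arc agent is using the Arc gateway, checking the values the article lists.
# Assumes an elevated session and the default agent install path. The output line
# patterns and the fixed-width layout of the 'azcmagent check' table are assumptions.

$AgentDir       = "C:\Program Files\AzureConnectedMachineAgent"   # default install path (assumed)
$MinimumVersion = [version]"1.40"
$GatewayProxy   = "http://localhost:40343"

Set-Location $AgentDir
$problems = @()

# 1. Agent configuration: connection.type must be 'gateway'.
$connType = (& .\azcmagent config get connection.type | Out-String).Trim()
if ($connType -ne "gateway") { $problems += "connection.type is '$connType', expected 'gateway'" }

# 2. 'azcmagent show': agent version, status, local HTTPS proxy, arcproxy service state.
$show = & .\azcmagent show | Out-String

if ($show -match 'Agent Version\s*:\s*(\d+\.\d+(\.\d+)*)') {
    if ([version]$Matches[1] -lt $MinimumVersion) { $problems += "agent version $($Matches[1]) is below $MinimumVersion" }
} else {
    $problems += "could not read Agent Version from 'azcmagent show'"
}
if ($show -notmatch 'Agent Status\s*:\s*Connected') { $problems += "Agent Status is not Connected" }
if ($show -notmatch "Using HTTPS Proxy\s*:\s*$([regex]::Escape($GatewayProxy))") {
    $problems += "Using HTTPS Proxy is not $GatewayProxy, so the Arc gateway is not in use"
}
if ($show -notmatch 'Azure Arc Proxy\s*:\s*Running') { $problems += "Azure Arc Proxy (arcproxy) is not Running" }

# 3. 'azcmagent check': every URL must show true in the Reachable column.
# Locate the Reachable column from the header line, then read that column on
# each row that contains a URL (fixed-width table layout assumed).
$lines  = (& .\azcmagent check | Out-String) -split "`r?`n"
$header = $lines | Where-Object { $_ -match '\bReachable\b' } | Select-Object -First 1
if (-not $header) {
    $problems += "could not find the Reachable column in 'azcmagent check' output"
} else {
    $col = $header.IndexOf("Reachable")
    $unreachable = $lines | Where-Object {
        $_ -match 'https?://' -and $_.Length -gt $col -and
        (($_.Substring($col) -split '\s+')[0] -ieq 'false')
    }
    if ($unreachable) { $problems += "endpoints not reachable:`n" + ($unreachable -join "`n") }
}

# 4. Show the tail of the gateway log so the operator can see which endpoints
# are being redirected; the log content itself is not parsed here.
$arcproxyLog = Join-Path $env:ProgramData "AzureConnectedMachineAgent\Log\arcproxy.log"
if (Test-Path $arcproxyLog) { Get-Content $arcproxyLog -Tail 20 }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Arc gateway verification passed on $env:COMPUTERNAME."
```

Reading the Reachable column by its header offset rather than searching rows for the word false keeps the check from misfiring on other boolean columns in the table; if a future agent release changes the layout, the script reports that it could not find the column instead of silently passing.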
Troubleshooting
You can audit Arc gateway traffic by viewing the gateway router logs. Follow these steps to view the logs:
- Run the azcmagent logs command.
- In the resulting .zip file, view the logs in the C:\ProgramData\Microsoft\ArcGatewayRouter folder.
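The following script is an added example, not part of the original article. It collects the agent log bundle on an Azure Local machine, extracts it, and pulls out only the gateway router logs for review. It assumes an elevated session and the default agent install path; the --output flag of azcmagent logs and the folder layout inside the .zip (mirroring the on-disk ArcGatewayRouter path) are assumptions based on the article's description.

```powershell
# Added example (not from the original article): collect the agent log bundle on an
# Azure Local machine and extract only the Arc gateway router logs for review.
# Assumes an elevated session. The --output flag of 'azcmagent logs' and the
# folder layout inside the .zip are assumptions.

$AgentDir = "C:\Program Files\AzureConnectedMachineAgent"   # default install path (assumed)
$Stamp    = Get-Date -Format "yyyyMMdd-HHmmss"
$ZipPath  = Join-Path $env:TEMP "azcmagent-logs-$Stamp.zip"
$Extract  = Join-Path $env:TEMP "azcmagent-logs-$Stamp"

& "$AgentDir\azcmagent.exe" logs --output $ZipPath
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $ZipPath)) {
    throw "azcmagent logs did not produce $ZipPath"
}

Expand-Archive -Path $ZipPath -DestinationPath $Extract -Force

# The bundle is assumed to mirror the on-disk paths, so search for the
# ArcGatewayRouter folder anywhere under the extracted tree instead of
# hard-coding its depth.
$routerLogs = Get-ChildItem -Path $Extract -Recurse -File |
    Where-Object { $_.FullName -match '\\ArcGatewayRouter\\' }

if (-not $routerLogs) {
    Write-Warning "No ArcGatewayRouter logs found under $Extract"
    return
}

$routerLogs | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# Show the most recent entries of the newest router log for a quick look at
# the traffic that went through the gateway.
$routerLogs | Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    ForEach-Object { Get-Content $_.FullName -Tail 40 }
```

Keep the extracted bundle on an administrative workstation rather than on the node: it contains configuration details for the agent and proxy, and the node's own disk is the one you're troubleshooting.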
Next steps
Deploy workloads on your Azure Local instance: