Breyta

Deila með


Azure Arc network requirements

This article lists the endpoints, ports, and protocols required for Azure Arc-enabled services and features.

Generally, connectivity requirements include these principles:

  • All connections are TCP unless otherwise specified.
  • All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
  • All connections are outbound unless otherwise specified.

To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.

Azure Arc-enabled Kubernetes endpoints

Connectivity to the Arc Kubernetes-based endpoints is required for all Kubernetes-based Arc offerings, including:

  • Azure Arc-enabled Kubernetes
  • Azure Arc-enabled App services
  • Azure Arc-enabled Machine Learning
  • Azure Arc-enabled data services (direct connectivity mode only)

Important

Azure Arc agents require the following outbound URLs on https://:443 to function. For *.servicebus.windows.net, websockets need to be enabled for outbound access on firewall and proxy.

Endpoint (DNS) Description
https://management.azure.com Required for the agent to connect to Azure and register the cluster.
https://<region>.dp.kubernetesconfiguration.azure.com Data plane endpoint for the agent to push status and fetch configuration information.
https://login.microsoftonline.com
https://<region>.login.microsoft.com
login.windows.net
Required to fetch and update Azure Resource Manager tokens.
https://mcr.microsoft.com
https://*.data.mcr.microsoft.com
Required to pull container images for Azure Arc agents.
https://gbl.his.arc.azure.com Required to get the regional endpoint for pulling system-assigned Managed Identity certificates.
https://*.his.arc.azure.com Required to pull system-assigned Managed Identity certificates.
https://k8connecthelm.azureedge.net az connectedk8s connect uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart.
guestnotificationservice.azure.com
*.guestnotificationservice.azure.com
sts.windows.net
https://k8sconnectcsp.azureedge.net
For Cluster Connect and for Custom Location based scenarios.
*.servicebus.windows.net For Cluster Connect and for Custom Location based scenarios.
https://graph.microsoft.com/ Required when Azure RBAC is configured.
*.arc.azure.net Required to manage connected clusters in Azure portal.
https://<region>.obo.arc.azure.com:8084/ Required when Cluster Connect is configured.
https://linuxgeneva-microsoft.azurecr.io Required if using Azure Arc-enabled Kubernetes extensions.

To translate the *.servicebus.windows.net wildcard into specific endpoints, use the command:

GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>

To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, East US 2 region, the region name is eastus2.

For example: *.<region>.arcdataservices.com should be *.eastus2.arcdataservices.com in the East US 2 region.

To see a list of all regions, run this command:

az account list-locations -o table
Get-AzLocation | Format-Table

For more information, see Azure Arc-enabled Kubernetes network requirements.

Azure Arc-enabled data services

This section describes requirements specific to Azure Arc-enabled data services, in addition to the Arc-enabled Kubernetes endpoints listed above.

Service Port URL Direction Notes
Helm chart (direct connected mode only) 443 arcdataservicesrow1.azurecr.io Outbound Provisions the Azure Arc data controller bootstrapper and cluster level objects, such as custom resource definitions, cluster roles, and cluster role bindings, is pulled from an Azure Container Registry.
Azure monitor APIs 1 443 *.ods.opinsights.azure.com
*.oms.opinsights.azure.com
*.monitoring.azure.com
Outbound Azure Data Studio and Azure CLI connect to the Azure Resource Manager APIs to send and retrieve data to and from Azure for some features. See Azure Monitor APIs.
Azure Arc data processing service 1 443 *.<region>.arcdataservices.com 2 Outbound

1 Requirement depends on deployment mode:

  • For direct mode, the controller pod on the Kubernetes cluster needs to have outbound connectivity to the endpoints to send the logs, metrics, inventory, and billing information to Azure Monitor/Data Processing Service.
  • For indirect mode, the machine that runs az arcdata dc upload needs to have the outbound connectivity to Azure Monitor and Data Processing Service.

2 For extension versions up to and including February 13, 2024, use san-af-<region>-prod.azurewebsites.net.

Azure Monitor APIs

Connectivity from Azure Data Studio to the Kubernetes API server uses the Kubernetes authentication and encryption that you have established. Each user that is using Azure Data Studio or CLI must have an authenticated connection to the Kubernetes API to perform many of the actions related to Azure Arc-enabled data services.

For more information, see Connectivity modes and requirements.

Azure Arc-enabled servers

Connectivity to Arc-enabled server endpoints is required for:

  • SQL Server enabled by Azure Arc

  • Azure Arc-enabled VMware vSphere *

  • Azure Arc-enabled System Center Virtual Machine Manager *

  • Azure Arc-enabled Azure Stack (HCI) *

    *Only required for guest management enabled.

Azure Arc-enabled server endpoints are required for all server based Arc offerings.

Networking configuration

The Azure Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. By default, the agent uses the default route to the internet to reach Azure services. You can optionally configure the agent to use a proxy server if your network requires it. Proxy servers don't make the Connected Machine agent more secure because the traffic is already encrypted.

To further secure your network connectivity to Azure Arc, instead of using public networks and proxy servers, you can implement an Azure Arc Private Link Scope .

Note

Azure Arc-enabled servers does not support using a Log Analytics gateway as a proxy for the Connected Machine agent. At the same time, Azure Monitor Agent supports Log Analytics gateway.

If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs and Service Tags listed below are not blocked.

Service tags

Be sure to allow access to the following Service Tags:

For a list of IP addresses for each service tag/region, see the JSON file Azure IP Ranges and Service Tags – Public Cloud. Microsoft publishes weekly updates containing each Azure Service and the IP ranges it uses. This information in the JSON file is the current point-in-time list of the IP ranges that correspond to each service tag. The IP addresses are subject to change. If IP address ranges are required for your firewall configuration, then the AzureCloud Service Tag should be used to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs, allow them as you would other Internet traffic.

If you filter traffic to the AzureArcInfrastructure service tag, you must allow traffic to the full service tag range. The ranges advertised for individual regions, for example AzureArcInfrastructure.AustraliaEast, do not include the IP ranges used by global components of the service. The specific IP address resolved for these endpoints may change over time within the documented ranges, so just using a lookup tool to identify the current IP address for a given endpoint and allowing access to that will not be sufficient to ensure reliable access.

For more information, see Virtual network service tags.

URLs

The table below lists the URLs that must be available in order to install and use the Connected Machine agent.

Note

When configuring the Azure connected machine agent to communicate with Azure through a private link, some endpoints must still be accessed through the internet. The Private link capable column in the following table shows which endpoints can be configured with a private endpoint. If the column shows Public for an endpoint, you must still allow access to that endpoint through your organization's firewall and/or proxy server for the agent to function. Network traffic is routed through private endpoint if a private link scope is assigned.

Agent resource Description When required Private link capable
aka.ms Used to resolve the download script during installation At installation time, only Public
download.microsoft.com Used to download the Windows installation package At installation time, only Public
packages.microsoft.com Used to download the Linux installation package At installation time, only Public
login.microsoftonline.com Microsoft Entra ID Always Public
*login.microsoft.com Microsoft Entra ID Always Public
pas.windows.net Microsoft Entra ID Always Public
management.azure.com Azure Resource Manager - to create or delete the Arc server resource When connecting or disconnecting a server, only Public, unless a resource management private link is also configured
*.his.arc.azure.com Metadata and hybrid identity services Always Private
*.guestconfiguration.azure.com Extension management and guest configuration services Always Private
guestnotificationservice.azure.com, *.guestnotificationservice.azure.com Notification service for extension and connectivity scenarios Always Public
azgn*.servicebus.windows.net Notification service for extension and connectivity scenarios Always Public
*.servicebus.windows.net For Windows Admin Center and SSH scenarios If using SSH or Windows Admin Center from Azure Public
*.waconazure.com For Windows Admin Center connectivity If using Windows Admin Center Public
*.blob.core.windows.net Download source for Azure Arc-enabled servers extensions Always, except when using private endpoints Not used when private link is configured
dc.services.visualstudio.com Agent telemetry Optional, not used in agent versions 1.24+ Public
*.<region>.arcdataservices.com 1 For Arc SQL Server. Sends data processing service, service telemetry, and performance monitoring to Azure. Allows TLS 1.3. Always Public
www.microsoft.com/pkiops/certs Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443) If using ESUs enabled by Azure Arc. Required always for automatic updates, or temporarily if downloading certificates manually. Public

1 For details about what information is collected and sent, review Data collection and reporting for SQL Server enabled by Azure Arc.

For extension versions up to and including February 13, 2024, use san-af-<region>-prod.azurewebsites.net. Beginning with March 12, 2024 both Azure Arc data processing, and Azure Arc data telemetry use *.<region>.arcdataservices.com.

Note

To translate the *.servicebus.windows.net wildcard into specific endpoints, use the command \GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>. Within this command, the region must be specified for the <region> placeholder. These endpoints may change periodically.

To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, East US 2 region, the region name is eastus2.

For example: *.<region>.arcdataservices.com should be *.eastus2.arcdataservices.com in the East US 2 region.

To see a list of all regions, run this command:

az account list-locations -o table
Get-AzLocation | Format-Table

Transport Layer Security 1.2 protocol

To ensure the security of data in transit to Azure, we strongly encourage you to configure machine to use Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and while they still currently work to allow backwards compatibility, they are not recommended.

Platform/Language Support More Information
Linux Linux distributions tend to rely on OpenSSL for TLS 1.2 support. Check the OpenSSL Changelog to confirm your version of OpenSSL is supported.
Windows Server 2012 R2 and higher Supported, and enabled by default. To confirm that you are still using the default settings.

Subset of endpoints for ESU only

If you're using Azure Arc-enabled servers only for Extended Security Updates for either or both of the following products:

  • Windows Server 2012
  • SQL Server 2012

You can enable the following subset of endpoints:

Agent resource Description When required Endpoint used with private link
aka.ms Used to resolve the download script during installation At installation time, only Public
download.microsoft.com Used to download the Windows installation package At installation time, only Public
login.windows.net Microsoft Entra ID Always Public
login.microsoftonline.com Microsoft Entra ID Always Public
*login.microsoft.com Microsoft Entra ID Always Public
management.azure.com Azure Resource Manager - to create or delete the Arc server resource When connecting or disconnecting a server, only Public, unless a resource management private link is also configured
*.his.arc.azure.com Metadata and hybrid identity services Always Private
*.guestconfiguration.azure.com Extension management and guest configuration services Always Private
www.microsoft.com/pkiops/certs Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443) Always for automatic updates, or temporarily if downloading certificates manually. Public
*.<region>.arcdataservices.com Azure Arc data processing service and service telemetry. SQL Server ESUs Public
*.blob.core.windows.net Download Sql Server Extension package SQL Server ESUs Not required if using Private Link

For more information, see Connected Machine agent network requirements.

Azure Arc resource bridge

This section describes additional networking requirements specific to deploying Azure Arc resource bridge in your enterprise. These requirements also apply to Azure Arc-enabled VMware vSphere and Azure Arc-enabled System Center Virtual Machine Manager.

Outbound connectivity requirements

The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.

Firewall/Proxy URL allowlist

Service Port URL Direction Notes
SFS API endpoint 443 msk8s.api.cdp.microsoft.com Management machine & Appliance VM IPs need outbound connection. Download product catalog, product bits, and OS images from SFS.
Resource bridge (appliance) image download 443 msk8s.sb.tlu.dl.delivery.mp.microsoft.com Management machine & Appliance VM IPs need outbound connection. Download the Arc Resource Bridge OS images.
Microsoft Container Registry 443 mcr.microsoft.com Management machine & Appliance VM IPs need outbound connection. Discover container images for Arc Resource Bridge.
Microsoft Container Registry 443 *.data.mcr.microsoft.com Management machine & Appliance VM IPs need outbound connection. Download container images for Arc Resource Bridge.
Windows NTP Server 123 time.windows.com Management machine & Appliance VM IPs (if Hyper-V default is Windows NTP) need outbound connection on UDP OS time sync in appliance VM & Management machine (Windows NTP).
Azure Resource Manager 443 management.azure.com Management machine & Appliance VM IPs need outbound connection. Manage resources in Azure.
Microsoft Graph 443 graph.microsoft.com Management machine & Appliance VM IPs need outbound connection. Required for Azure RBAC.
Azure Resource Manager 443 login.microsoftonline.com Management machine & Appliance VM IPs need outbound connection. Required to update ARM tokens.
Azure Resource Manager 443 *.login.microsoft.com Management machine & Appliance VM IPs need outbound connection. Required to update ARM tokens.
Azure Resource Manager 443 login.windows.net Management machine & Appliance VM IPs need outbound connection. Required to update ARM tokens.
Resource bridge (appliance) Dataplane service 443 *.dp.prod.appliances.azure.com Appliance VMs IP need outbound connection. Communicate with resource provider in Azure.
Resource bridge (appliance) container image download 443 *.blob.core.windows.net, ecpacr.azurecr.io Appliance VM IPs need outbound connection. Required to pull container images.
Managed Identity 443 *.his.arc.azure.com Appliance VM IPs need outbound connection. Required to pull system-assigned Managed Identity certificates.
Azure Arc for Kubernetes container image download 443 azurearcfork8s.azurecr.io Appliance VM IPs need outbound connection. Pull container images.
Azure Arc agent 443 k8connecthelm.azureedge.net Appliance VM IPs need outbound connection. deploy Azure Arc agent.
ADHS telemetry service 443 adhs.events.data.microsoft.com Appliance VM IPs need outbound connection. Periodically sends Microsoft required diagnostic data from appliance VM.
Microsoft events data service 443 v20.events.data.microsoft.com Appliance VM IPs need outbound connection. Send diagnostic data from Windows.
Log collection for Arc Resource Bridge 443 linuxgeneva-microsoft.azurecr.io Appliance VM IPs need outbound connection. Push logs for Appliance managed components.
Resource bridge components download 443 kvamanagementoperator.azurecr.io Appliance VM IPs need outbound connection. Pull artifacts for Appliance managed components.
Microsoft open source packages manager 443 packages.microsoft.com Appliance VM IPs need outbound connection. Download Linux installation package.
Custom Location 443 sts.windows.net Appliance VM IPs need outbound connection. Required for Custom Location.
Azure Arc 443 guestnotificationservice.azure.com Appliance VM IPs need outbound connection. Required for Azure Arc.
Custom Location 443 k8sconnectcsp.azureedge.net Appliance VM IPs need outbound connection. Required for Custom Location.
Diagnostic data 443 gcs.prod.monitoring.core.windows.net Appliance VM IPs need outbound connection. Periodically sends Microsoft required diagnostic data.
Diagnostic data 443 *.prod.microsoftmetrics.com Appliance VM IPs need outbound connection. Periodically sends Microsoft required diagnostic data.
Diagnostic data 443 *.prod.hot.ingest.monitor.core.windows.net Appliance VM IPs need outbound connection. Periodically sends Microsoft required diagnostic data.
Diagnostic data 443 *.prod.warm.ingest.monitor.core.windows.net Appliance VM IPs need outbound connection. Periodically sends Microsoft required diagnostic data.
Azure portal 443 *.arc.azure.net Appliance VM IPs need outbound connection. Manage cluster from Azure portal.
Azure CLI & Extension 443 *.blob.core.windows.net Management machine needs outbound connection. Download Azure CLI Installer and extension.
Azure Arc Agent 443 *.dp.kubernetesconfiguration.azure.com Management machine needs outbound connection. Dataplane used for Arc agent.
Python package 443 pypi.org, *.pypi.org Management machine needs outbound connection. Validate Kubernetes and Python versions.
Azure CLI 443 pythonhosted.org, *.pythonhosted.org Management machine needs outbound connection.  Python packages for Azure CLI installation.

Inbound connectivity requirements

Communication between the following ports must be allowed from the management machine, Appliance VM IPs, and Control Plane IPs. Ensure these ports are open and that traffic is not being routed through a proxy to facilitate the deployment and maintenance of Arc resource bridge.

Service Port IP/machine Direction Notes
SSH 22 appliance VM IPs and Management machine Bidirectional Used for deploying and maintaining the appliance VM.
Kubernetes API server 6443 appliance VM IPs and Management machine Bidirectional  Management of the appliance VM.
SSH 22 control plane IP and Management machine Bidirectional Used for deploying and maintaining the appliance VM.
Kubernetes API server 6443 control plane IP and Management machine Bidirectional  Management of the appliance VM.
HTTPS 443 private cloud control plane address and Management machine Management machine needs outbound connection.  Communication with control plane (ex: VMware vCenter address).

For more information, see Azure Arc resource bridge network requirements.

Azure Arc-enabled VMware vSphere

Azure Arc-enabled VMware vSphere also requires:

Service Port URL Direction Notes
vCenter Server 443 URL of the vCenter server Appliance VM IP and control plane endpoint need outbound connection. Used to by the vCenter server to communicate with the Appliance VM and the control plane.
VMware Cluster Extension 443 azureprivatecloud.azurecr.io Appliance VM IPs need outbound connection. Pull container images for Microsoft.VMWare and Microsoft.AVS Cluster Extension.
Azure CLI and Azure CLI Extensions 443 *.blob.core.windows.net Management machine needs outbound connection. Download Azure CLI Installer and Azure CLI extensions.
Azure Resource Manager 443 management.azure.com Management machine needs outbound connection. Required to create/update resources in Azure using ARM.
Helm Chart for Azure Arc Agents 443 *.dp.kubernetesconfiguration.azure.com Management machine needs outbound connection. Data plane endpoint for downloading the configuration information of Arc agents.
Azure CLI 443 - login.microsoftonline.com

- aka.ms
Management machine needs outbound connection. Required to fetch and update Azure Resource Manager tokens.

For more information, see Support matrix for Azure Arc-enabled VMware vSphere.

Azure Arc-enabled System Center Virtual Machine Manager

Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) also requires:

Service Port URL Direction Notes
SCVMM management Server 443 URL of the SCVMM management server Appliance VM IP and control plane endpoint need outbound connection. Used by the SCVMM server to communicate with the Appliance VM and the control plane.

For more information, see Overview of Arc-enabled System Center Virtual Machine Manager.

Additional endpoints

Depending on your scenario, you might need connectivity to other URLs, such as those used by the Azure portal, management tools, or other Azure services. In particular, review these lists to ensure that you allow connectivity to any necessary endpoints: