Support matrix for Azure Arc-enabled VMware vSphere

This article documents the prerequisites and support requirements for using Azure Arc-enabled VMware vSphere to manage your VMware vSphere VMs through Azure Arc.

To use Arc-enabled VMware vSphere, you must deploy an Azure Arc resource bridge in your VMware vSphere environment. The resource bridge provides an ongoing connection between your VMware vCenter Server and Azure. Once you've connected your VMware vCenter Server to Azure, components on the resource bridge discover your vCenter inventory. You can then enable those inventory items in Azure and start performing virtual hardware and guest OS operations on them using Azure Arc.

VMware vSphere requirements

The following requirements must be met in order to use Azure Arc-enabled VMware vSphere.

Supported vCenter Server versions

Azure Arc-enabled VMware vSphere works with vCenter Server versions 7 and 8.

Note

Azure Arc-enabled VMware vSphere currently supports vCenters with a maximum of 9500 VMs. If your vCenter has more than 9500 VMs, it's not recommended to use Arc-enabled VMware vSphere with it at this point.

Required vSphere account privileges

You need a vSphere account that can:

  • Read all inventory.
  • Deploy and update VMs to all the resource pools (or clusters), networks, and VM templates that you want to use with Azure Arc.

Important

As part of the Azure Arc-enabled VMware onboarding script, you will be prompted to provide a vSphere account to deploy the Azure Arc resource bridge VM on the ESXi host. This account will be stored locally within the Azure Arc resource bridge VM and encrypted as a Kubernetes secret at rest. The vSphere account allows Azure Arc-enabled VMware to interact with VMware vSphere. If your organization practices routine credential rotation, you must update the credentials in Azure Arc-enabled VMware to maintain the connection between Azure Arc-enabled VMware and VMware vSphere.

Resource bridge resource requirements

For Arc-enabled VMware vSphere, resource bridge has the following minimum virtual hardware requirements:

  • 8 GB of memory
  • 4 vCPUs
  • An external virtual switch that can provide access to the internet directly or through a proxy. If internet access is through a proxy or firewall, ensure the URLs listed under "Resource bridge networking requirements" are allow-listed.

Resource bridge networking requirements

Generally, connectivity requirements include these principles:

  • All connections are TCP unless otherwise specified.
  • All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
  • All connections are outbound unless otherwise specified.

To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.

The following firewall URL exceptions are needed for the Azure Arc resource bridge VM:

Outbound connectivity requirements

The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.

Firewall/Proxy URL allowlist

Service | Port | URL | Direction | Notes
--- | --- | --- | --- | ---
SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download product catalog, product bits, and OS images from SFS.
Resource bridge (appliance) image download | 443 | msk8s.sb.tlu.dl.delivery.mp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download the Arc Resource Bridge OS images.
Microsoft Container Registry | 443 | mcr.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Discover container images for Arc Resource Bridge.
Microsoft Container Registry | 443 | *.data.mcr.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download container images for Arc Resource Bridge.
Windows NTP Server | 123 | time.windows.com | Management machine & Appliance VM IPs (if Hyper-V default is Windows NTP) need outbound connection on UDP. | OS time sync in appliance VM & Management machine (Windows NTP).
Azure Resource Manager | 443 | management.azure.com | Management machine & Appliance VM IPs need outbound connection. | Manage resources in Azure.
Microsoft Graph | 443 | graph.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Required for Azure RBAC.
Azure Resource Manager | 443 | login.microsoftonline.com | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens.
Azure Resource Manager | 443 | *.login.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens.
Azure Resource Manager | 443 | login.windows.net | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens.
Resource bridge (appliance) Dataplane service | 443 | *.dp.prod.appliances.azure.com | Appliance VM IPs need outbound connection. | Communicate with resource provider in Azure.
Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, ecpacr.azurecr.io | Appliance VM IPs need outbound connection. | Required to pull container images.
Managed Identity | 443 | *.his.arc.azure.com | Appliance VM IPs need outbound connection. | Required to pull system-assigned Managed Identity certificates.
Azure Arc for Kubernetes container image download | 443 | azurearcfork8s.azurecr.io | Appliance VM IPs need outbound connection. | Pull container images.
Azure Arc agent | 443 | k8connecthelm.azureedge.net | Appliance VM IPs need outbound connection. | Deploy Azure Arc agent.
ADHS telemetry service | 443 | adhs.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data from appliance VM.
Microsoft events data service | 443 | v20.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Send diagnostic data from Windows.
Log collection for Arc Resource Bridge | 443 | linuxgeneva-microsoft.azurecr.io | Appliance VM IPs need outbound connection. | Push logs for Appliance managed components.
Resource bridge components download | 443 | kvamanagementoperator.azurecr.io | Appliance VM IPs need outbound connection. | Pull artifacts for Appliance managed components.
Microsoft open source packages manager | 443 | packages.microsoft.com | Appliance VM IPs need outbound connection. | Download Linux installation package.
Custom Location | 443 | sts.windows.net | Appliance VM IPs need outbound connection. | Required for Custom Location.
Azure Arc | 443 | guestnotificationservice.azure.com | Appliance VM IPs need outbound connection. | Required for Azure Arc.
Custom Location | 443 | k8sconnectcsp.azureedge.net | Appliance VM IPs need outbound connection. | Required for Custom Location.
Diagnostic data | 443 | gcs.prod.monitoring.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data.
Diagnostic data | 443 | *.prod.microsoftmetrics.com | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data.
Diagnostic data | 443 | *.prod.hot.ingest.monitor.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data.
Diagnostic data | 443 | *.prod.warm.ingest.monitor.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data.
Azure portal | 443 | *.arc.azure.net | Appliance VM IPs need outbound connection. | Manage cluster from Azure portal.
Azure CLI & Extension | 443 | *.blob.core.windows.net | Management machine needs outbound connection. | Download Azure CLI Installer and extension.
Azure Arc Agent | 443 | *.dp.kubernetesconfiguration.azure.com | Management machine needs outbound connection. | Dataplane used for Arc agent.
Python package | 443 | pypi.org, *.pypi.org | Management machine needs outbound connection. | Validate Kubernetes and Python versions.
Azure CLI | 443 | pythonhosted.org, *.pythonhosted.org | Management machine needs outbound connection. | Python packages for Azure CLI installation.
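The following Python script is an added pre-check, not part of the original article: run from the management machine, it walks a constructed excerpt of the allowlist above, skips wildcard entries (which are not probeable hostnames), and tests each remaining endpoint with a TCP connect followed by a TLS handshake verified against the system trust store. A proxy that re-signs traffic with its own CA therefore shows up as a verification failure rather than as a working connection, which is the "officially signed and verifiable certificates" principle stated above. ALLOWLIST, ProbeResult, expand_allowlist, probe and check_all are names introduced here.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the allowlist table above: (service, port, URL cell). UDP 123 (NTP) is out of scope here.
ALLOWLIST = [
    ("SFS API endpoint", 443, "msk8s.api.cdp.microsoft.com"),
    ("Azure Resource Manager", 443, "management.azure.com"),
    ("Resource bridge (appliance) container image download", 443, "*.blob.core.windows.net, ecpacr.azurecr.io"),
    ("Python package", 443, "pypi.org, *.pypi.org"),
]

@dataclass
class ProbeResult:
    service: str
    host: str
    port: int
    reachable: bool
    tls_verified: Optional[bool]  # None when the host was never reached
    detail: str

def expand_allowlist(rows):
    """Split comma-separated URL cells; drop wildcard entries, which are not probeable hostnames."""
    out = []
    for service, port, cell in rows:
        for host in (h.strip() for h in cell.split(",")):
            if host and not host.startswith("*."):
                out.append((service, port, host))
    return out

def probe(service, host, port, timeout=5.0):
    """TCP connect, then a full TLS handshake verified against the system trust store."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            ctx = ssl.create_default_context()  # chain and hostname verification enabled
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ProbeResult(service, host, port, True, True, tls.version())
    except ssl.SSLError as e:  # reached, but the chain did not verify: typical of TLS inspection
        return ProbeResult(service, host, port, True, False, f"tls verification failed: {e.reason}")
    except OSError as e:  # DNS failure, refused connection, or timeout
        return ProbeResult(service, host, port, False, None, str(e))

def check_all(rows, timeout=5.0):
    return [probe(s, h, p, timeout) for s, p, h in expand_allowlist(rows)]

if __name__ == "__main__":
    for r in check_all(ALLOWLIST):
        print("OK " if r.reachable and r.tls_verified is not False else "BAD", r.service, f"{r.host}:{r.port}", r.detail)
```

Wildcard rows such as *.his.arc.azure.com still need to be allow-listed on the proxy; they are only skipped because there is no single hostname to probe.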

Inbound connectivity requirements

Communication on the following ports must be allowed between the management machine, Appliance VM IPs, and Control Plane IPs. Ensure these ports are open and that this traffic is not routed through a proxy, so that the Arc resource bridge can be deployed and maintained.

Service | Port | IP/machine | Direction | Notes
--- | --- | --- | --- | ---
SSH | 22 | appliance VM IPs and Management machine | Bidirectional | Used for deploying and maintaining the appliance VM.
Kubernetes API server | 6443 | appliance VM IPs and Management machine | Bidirectional | Management of the appliance VM.
SSH | 22 | control plane IP and Management machine | Bidirectional | Used for deploying and maintaining the appliance VM.
Kubernetes API server | 6443 | control plane IP and Management machine | Bidirectional | Management of the appliance VM.
HTTPS | 443 | private cloud control plane address and Management machine | Management machine needs outbound connection. | Communication with control plane (ex: VMware vCenter address).

In addition, VMware vSphere requires the following:

Service | Port | URL | Direction | Notes
--- | --- | --- | --- | ---
vCenter Server | 443 | URL of the vCenter server | Appliance VM IP and control plane endpoint need outbound connection. | Used by the vCenter server to communicate with the Appliance VM and the control plane.
VMware Cluster Extension | 443 | azureprivatecloud.azurecr.io | Appliance VM IPs need outbound connection. | Pull container images for Microsoft.VMWare and Microsoft.AVS Cluster Extension.
Azure CLI and Azure CLI Extensions | 443 | *.blob.core.windows.net | Management machine needs outbound connection. | Download Azure CLI Installer and Azure CLI extensions.
Azure Resource Manager | 443 | management.azure.com | Management machine needs outbound connection. | Required to create/update resources in Azure using ARM.
Helm Chart for Azure Arc Agents | 443 | *.dp.kubernetesconfiguration.azure.com | Management machine needs outbound connection. | Data plane endpoint for downloading the configuration information of Arc agents.
Azure CLI | 443 | login.microsoftonline.com, aka.ms | Management machine needs outbound connection. | Required to fetch and update Azure Resource Manager tokens.

For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see Azure Arc network requirements (Consolidated).

Azure role/permission requirements

The minimum Azure roles required for operations related to Arc-enabled VMware vSphere are as follows:

Operation | Minimum role required | Scope
--- | --- | ---
Onboarding your vCenter Server to Arc | Azure Arc VMware Private Clouds Onboarding | On the subscription or resource group into which you want to onboard
Administering Arc-enabled VMware vSphere | Azure Arc VMware Administrator | On the subscription or resource group where the vCenter server resource is created
VM Provisioning | Azure Arc VMware Private Cloud User | On the subscription or resource group that contains the resource pool/cluster/host, datastore and virtual network resources, or on the resources themselves
VM Provisioning | Azure Arc VMware VM Contributor | On the subscription or resource group where you want to provision VMs
VM Operations | Azure Arc VMware VM Contributor | On the subscription or resource group that contains the VM, or on the VM itself

Any roles with higher permissions on the same scope, such as Owner or Contributor, will also allow you to perform the operations listed above.

Guest management (Arc agent) requirements

With Arc-enabled VMware vSphere, you can install the Arc connected machine agent on your VMs at scale and use Azure management services on the VMs. There are additional requirements for this capability.

To enable guest management (install the Arc connected machine agent), ensure the following:

  • VM is powered on.
  • VM has VMware tools installed and running.
  • Resource bridge has access to the host on which the VM is running.
  • VM is running a supported operating system.
  • VM has internet connectivity directly or through a proxy. If the connection is through a proxy, ensure the URLs listed under "Networking requirements" below are allow-listed.

Additionally, be sure that the requirements below are met in order to enable guest management.

Supported operating systems

Make sure you're using a version of Windows or Linux that is officially supported for the Azure Connected Machine agent. Only x86-64 (64-bit) architectures are supported. x86 (32-bit) and ARM-based architectures, including x86-64 emulation on arm64, aren't supported operating environments.

Software requirements

Windows operating systems:

Linux operating systems:

  • systemd
  • wget (to download the installation script)

Networking requirements

The following firewall URL exceptions are needed for the Azure Arc agents:

URL | Description
--- | ---
aka.ms | Used to resolve the download script during installation
packages.microsoft.com | Used to download the Linux installation package
download.microsoft.com | Used to download the Windows installation package
login.windows.net | Microsoft Entra ID
login.microsoftonline.com | Microsoft Entra ID
pas.windows.net | Microsoft Entra ID
management.azure.com | Azure Resource Manager - to create or delete the Arc server resource
*.his.arc.azure.com | Metadata and hybrid identity services
*.guestconfiguration.azure.com | Extension management and guest configuration services
guestnotificationservice.azure.com, *.guestnotificationservice.azure.com | Notification service for extension and connectivity scenarios
azgn*.servicebus.windows.net | Notification service for extension and connectivity scenarios
*.servicebus.windows.net | For Windows Admin Center and SSH scenarios
*.blob.core.windows.net | Download source for Azure Arc-enabled servers extensions
dc.services.visualstudio.com | Agent telemetry

Next steps