If you use enterprise proxies to manage outbound traffic, the Azure Arc gateway lets you onboard infrastructure to Azure Arc using only seven endpoints. With Azure Arc gateway, you can:
- Connect to Azure Arc by opening public network access to only seven fully qualified domain names (FQDNs).
- View and audit all traffic an Azure Connected Machine agent sends to Azure via the Arc gateway.
This article explains how to set up and use Arc gateway (preview).
Important
The Arc gateway feature for Azure Arc-enabled servers is currently in Public Preview in all regions where Azure Arc-enabled servers is present. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, Public Preview, or otherwise not yet released into general availability.
How the Azure Arc gateway works
Azure Arc gateway consists of two main components:
Arc gateway resource: An Azure resource that serves as a common front-end for Azure traffic. This gateway resource is served on a specific domain. Once the Arc gateway resource is created, the domain is returned to you in the success response.
Arc proxy: A new component added to the Azure Arc agents. This component runs within the context of an Arc-enabled resource as a service called "Azure Arc Proxy". It acts as a forward proxy used by the Azure Arc agents and extensions. No configuration is required on your part for this proxy.
When the gateway is in place, traffic flows via the following hops: Arc agents → Arc proxy → Enterprise proxy → Arc gateway → Target service.
To download architecture diagrams in high resolution, visit Jumpstart Gems.
Current limitations
During the public preview, the following limitations apply. Consider these factors when planning your configuration.
- TLS Terminating Proxies aren't supported.
- ExpressRoute/Site-to-Site VPN or private endpoints used with the Arc gateway aren't supported.
- Proxy bypass isn't supported when Arc gateway is in use; even if you attempt to use the feature by running `azcmagent config set proxy.bypass`, traffic won't bypass the proxy.
- There's a limit of five (5) Arc gateway resources per Azure subscription.
- Arc gateway can only be used for connectivity in the Azure public cloud.
Required permissions
To create Arc gateway resources and manage their association with Arc-enabled servers, the following permissions are required:
- Microsoft.HybridCompute/settings/write
- Microsoft.hybridcompute/gateways/read
- Microsoft.hybridcompute/gateways/write
Create the Arc gateway resource
You can create an Arc gateway (preview) resource by using the Azure portal, Azure CLI, or Azure PowerShell. It generally takes about 10 minutes to create the Arc gateway resource after you complete these steps.
From your browser, sign in to the Azure portal.
Navigate to Azure Arc. In the service menu, under Management, select Azure Arc gateway (preview), then select Create.
Select the subscription and resource group where you want the Arc gateway resource to be managed within Azure. An Arc gateway resource can be used by any Arc-enabled resource in the same Azure tenant.
For Name, enter the name for the Arc gateway resource.
For Location, select the region where the Arc gateway resource should live. An Arc gateway resource can be used by any Arc-enabled resource in the same Azure tenant, regardless of region.
Select Next.
On the Tags page, optionally specify one or more custom tags to support your standards.
Select Review + create.
Review your input details, and then select Create.
Confirm access to required URLs
After the resource is created successfully, the success response will include the Arc gateway URL. Ensure your Arc gateway URL and all of these URLs are allowed in the environment where your Arc resources live.
| URL | Purpose |
|---|---|
| `[Your URL Prefix].gw.arc.azure.com` | Your gateway URL (obtained by running `az arcgateway list` after you create your gateway resource) |
| `management.azure.com` | Azure Resource Manager endpoint, required for the Azure Resource Manager control channel |
| `login.microsoftonline.com` | Microsoft Entra ID endpoint for acquiring identity access tokens |
| `gbl.his.arc.azure.com` | The cloud service endpoint for communicating with Azure Arc agents |
| `<region>.his.arc.azure.com` | Used for Arc's core control channel |
| `packages.microsoft.com` | Required to connect Linux servers to Arc |
Onboard new Azure Arc resources with your Arc gateway resource
Generate the installation script.
Follow the instructions at Quickstart: Connect hybrid machines with Azure Arc-enabled servers to create a script that automates the downloading and installation of the Azure Connected Machine agent and establishes the connection with Azure Arc.
Important
When generating the onboarding script, select the Gateway resource in the Connectivity method section.
Run the installation script to onboard your servers to Azure Arc.
In the script, the Arc gateway resource's ARM ID is passed as the `--gateway-id` parameter.
Configure existing Azure Arc resources to use Arc gateway
You can associate existing Azure Arc resources with an Arc gateway resource by using the Azure portal, Azure CLI, or Azure PowerShell.
In the Azure portal, go to Azure Arc - Azure Arc gateway (preview).
Select the Arc gateway resource to associate with your Arc-enabled server.
In the service menu for your gateway resource, select Associated resources.
Select Add.
Select the Arc-enabled server resource to associate with your Arc gateway resource.
Select Apply.
With version 1.50 or earlier of the Connected Machine agent, you must also run `azcmagent config set connection.type gateway` to update your Arc-enabled server to use Arc gateway. For agent versions 1.51 and later, this step isn't required, because the agent switches to the gateway automatically once the association exists. We recommend using the latest version of the Connected Machine agent.
Verify successful Arc gateway set-up
On the onboarded server, run the following command: `azcmagent show`
The result should indicate the following values:
- Agent Status should show as Connected.
- Using HTTPS Proxy should show as `http://localhost:40343`.
- Upstream Proxy should show as your enterprise proxy (if you set one).
- Gateway URL should reflect your gateway resource's URL.
Additionally, to verify successful set-up, run the following command: `azcmagent check`
The result should indicate that `connection.type` is set to `gateway`, and the Reachable column should indicate `true` for all URLs.
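The four fields above are easy to eyeball on one server but tedious across a fleet, and a server silently left on `connection.type direct` (agent 1.50 or earlier, association added without the config step) will keep working through the enterprise proxy while bypassing the gateway's audit trail. The script below is an added example, not part of the Microsoft article or the azcmagent tool: it parses `azcmagent show` output as "Key : Value" lines, using the field names the article lists, and fails if any of the gateway expectations is not met. The sample outputs are constructed for offline use; the `https://abc123.gw.arc.azure.com` gateway URL and the `proxy.corp.example` upstream proxy are placeholders.

```shell
#!/bin/sh
# Added example (not from the Azure Arc docs): verify that an onboarded
# server reports the gateway-related values the article expects.
# On a real server run:  azcmagent show | check_arc_gateway "https://<prefix>.gw.arc.azure.com"

# arc_field KEY: print the value of the "KEY : value" line read from stdin.
# Splits at the first " :" so URL values containing ':' are left intact.
# Prints an empty string when the field is absent or empty.
arc_field() {
    awk -v key="$1" '
        { i = index($0, " :"); if (i == 0) next
          k = substr($0, 1, i - 1); sub(/[ \t]+$/, "", k)
          if (k != key) next
          v = substr($0, i + 2); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
          print v; exit }'
}

# check_arc_gateway EXPECTED_GATEWAY_URL: read `azcmagent show` output from
# stdin, print one line per finding, return 0 only if every check passes.
check_arc_gateway() {
    expected_gw="$1"
    out=$(cat)
    rc=0

    status=$(printf '%s\n' "$out" | arc_field "Agent Status")
    if [ "$status" = "Connected" ]; then
        echo "ok   Agent Status: $status"
    else
        echo "FAIL Agent Status: '$status' (expected Connected)"; rc=1
    fi

    # The Arc proxy listens on localhost:40343; anything else means the agent
    # is not routing through the gateway (connection.type is still direct).
    proxy=$(printf '%s\n' "$out" | arc_field "Using HTTPS Proxy")
    if [ "$proxy" = "http://localhost:40343" ]; then
        echo "ok   Using HTTPS Proxy: $proxy (Arc proxy)"
    else
        echo "FAIL Using HTTPS Proxy: '$proxy' (expected http://localhost:40343; check connection.type)"; rc=1
    fi

    gw=$(printf '%s\n' "$out" | arc_field "Gateway URL")
    if [ "$gw" = "$expected_gw" ]; then
        echo "ok   Gateway URL: $gw"
    else
        echo "FAIL Gateway URL: '$gw' (expected $expected_gw)"; rc=1
    fi

    # Informational only: the upstream proxy is whatever the site configured.
    upstream=$(printf '%s\n' "$out" | arc_field "Upstream Proxy")
    echo "info Upstream Proxy: ${upstream:-<none>}"
    return $rc
}

# Constructed sample output (placeholder names), not a captured transcript.
SAMPLE_GATEWAY_OK='Resource Name            : srv01
Agent Status             : Connected
Using HTTPS Proxy        : http://localhost:40343
Upstream Proxy           : http://proxy.corp.example:3128
Gateway URL              : https://abc123.gw.arc.azure.com'

# A server that was associated in the portal but never switched to
# connection.type gateway: still Connected, but not through the Arc proxy.
SAMPLE_DIRECT='Resource Name            : srv02
Agent Status             : Connected
Using HTTPS Proxy        : http://proxy.corp.example:3128
Upstream Proxy           :
Gateway URL              :'

# Demo against the samples; on a server replace with the real command.
printf '%s\n' "$SAMPLE_GATEWAY_OK" | check_arc_gateway "https://abc123.gw.arc.azure.com"
printf '%s\n' "$SAMPLE_DIRECT" | check_arc_gateway "https://abc123.gw.arc.azure.com" \
    || echo "srv02 is NOT using the Arc gateway"
```

The check deliberately treats a missing or empty Gateway URL as a failure rather than a warning: a host in that state still reaches Azure, so nothing in normal monitoring flags it, yet none of its agent traffic appears in the gateway audit path the article describes.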
Remove Arc gateway association
You can disable Arc gateway and remove the association between the Arc gateway resource and the Arc-enabled cluster. This results in the Arc-enabled cluster using direct traffic instead.
Note
This operation only applies to Azure Arc gateway on Azure Arc-enabled servers, not Azure Local. If you're using Azure Arc gateway on Azure Local, see About Azure Arc gateway for Azure Local for removal information.
Set the connection type of the Arc-enabled server to "direct" instead of "gateway" by running the following command: `azcmagent config set connection.type direct`
Note
If you take this step, all Azure Arc network requirements must be met in your environment to continue using Azure Arc.
Detach the Arc gateway resource from the machine:
In the Azure portal, go to Azure Arc - Azure Arc gateway (preview).
Select the Arc gateway Resource.
In the service menu for your gateway resource, select Associated resources.
Select the server.
Select Remove.
Delete an Arc gateway resource
You can delete an Arc gateway resource by using the Azure portal, Azure CLI, or Azure PowerShell. This operation may take up to 5 minutes to complete.
In the Azure portal, go to Azure Arc - Azure Arc gateway (preview).
Select the Arc gateway resource.
Select Delete, then confirm the deletion.
Monitor traffic
You can audit your Arc gateway’s traffic by viewing the Azure Arc proxy logs.
To view Arc proxy logs on Windows:
- Run `azcmagent logs` in PowerShell.
- In the resulting .zip file, the `arcproxy.log` file is located in the `ProgramData\AzureConnectedMachineAgent\Log` folder.
To view Arc proxy logs on Linux:
- Run `sudo azcmagent logs`.
- In the resulting .zip file, the `arcproxy.log` file is located in the `/var/opt/azcmagent/log/` folder.
Additional scenarios
During public preview, Arc gateway covers the endpoints required for onboarding a server, plus endpoints to support several additional Arc-enabled scenarios. Based on the scenarios you adopt, you may need to allow additional endpoints in your proxy.
Scenarios that don’t require additional endpoints
- Windows Admin Center
- SSH
- Extended Security Updates
- Azure Extension for SQL Server
Scenarios that require additional endpoints
Endpoints listed with the following scenarios must be allowed in your enterprise proxy when using Arc gateway:
Azure Arc-enabled Data Services
- `*.ods.opinsights.azure.com`
- `*.oms.opinsights.azure.com`
- `*.monitoring.azure.com`
Azure Monitor Agent
- `<log-analytics-workspace-id>.ods.opinsights.azure.com`
- `<data-collection-endpoint>.<virtual-machine-region-name>.ingest.monitor.azure.com`
Azure Key Vault Certificate Sync
- `<vault-name>.vault.azure.net`
Azure Automation Hybrid Runbook Worker extension
- `*.azure-automation.net`
Windows OS Update Extension / Azure Update Manager
- Your environment must meet all the prerequisites for Windows Update
Microsoft Defender
- Your environment must meet all the prerequisites for Microsoft Defender