Simplify network configuration requirements with Azure Arc gateway (preview)

If you use enterprise proxies to manage outbound traffic, the Azure Arc gateway lets you onboard infrastructure to Azure Arc using only seven endpoints. With Azure Arc gateway, you can:

  • Connect to Azure Arc by opening public network access to only seven fully qualified domain names (FQDNs).
  • View and audit all traffic an Azure Connected Machine agent sends to Azure via the Arc gateway.

This article explains how to set up and use Arc gateway (preview).

Important

The Arc gateway feature for Azure Arc-enabled servers is currently in Public Preview in all regions where Azure Arc-enabled servers is present. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, Public Preview, or otherwise not yet released into general availability.

How the Azure Arc gateway works

Azure Arc gateway consists of two main components:

  • Arc gateway resource: An Azure resource that serves as a common front-end for Azure traffic. This gateway resource is served on a specific domain. Once the Arc gateway resource is created, the domain is returned to you in the success response.

  • Arc proxy: A new component added to the Azure Arc agents. This component runs within the context of an Arc-enabled resource as a service called "Azure Arc Proxy". It acts as a forward proxy used by the Azure Arc agents and extensions. No configuration is required on your part for this proxy.

When the gateway is in place, traffic flows via the following hops: Arc agents → Arc proxy → Enterprise proxy → Arc gateway → Target service.

Diagram showing the route of traffic flow for Azure Arc gateway.

To download architecture diagrams in high resolution, visit Jumpstart Gems.

Current limitations

During the public preview, the following limitations apply. Consider these factors when planning your configuration.

  • TLS Terminating Proxies aren't supported.
  • ExpressRoute/Site-to-Site VPN or private endpoints used with the Arc gateway aren't supported.
  • Proxy bypass isn't supported when Arc gateway is in use. Even if you configure it by running azcmagent config set proxy.bypass, agent traffic still goes through the Arc proxy and your enterprise proxy rather than bypassing them.
  • There's a limit of five (5) Arc gateway resources per Azure subscription.
  • Arc gateway can only be used for connectivity in the Azure public cloud.

Required permissions

To create Arc gateway resources and manage their association with Arc-enabled servers, the following permissions are required:

  • Microsoft.HybridCompute/settings/write
  • Microsoft.HybridCompute/gateways/read
  • Microsoft.HybridCompute/gateways/write

Create the Arc gateway resource

You can create an Arc gateway (preview) resource by using the Azure portal, Azure CLI, or Azure PowerShell. It generally takes about 10 minutes to create the Arc gateway resource after you complete these steps.

  1. From your browser, sign in to the Azure portal.

  2. Navigate to Azure Arc. In the service menu, under Management, select Azure Arc gateway (preview), then select Create.

  3. Select the subscription and resource group where you want the Arc gateway resource to be managed within Azure. An Arc gateway resource can be used by any Arc-enabled resource in the same Azure tenant, so it doesn't have to sit in the same subscription or resource group as the servers that use it.

  4. For Name, enter the name for the Arc gateway resource.

  5. For Location, select the region where the Arc gateway resource should live. The region doesn't restrict which servers can use the gateway; any Arc-enabled resource in the same tenant can.

  6. Select Next.

  7. On the Tags page, optionally specify one or more custom tags to support your standards.

  8. Select Review + create.

  9. Review your input details, and then select Create.

Confirm access to required URLs

After the resource is created successfully, the success response will include the Arc gateway URL. Ensure your Arc gateway URL and all of these URLs are allowed in the environment where your Arc resources live.

URL                                 Purpose
[Your URL Prefix].gw.arc.azure.com  Your gateway URL (obtained by running az arcgateway list after you create your gateway resource)
management.azure.com                Azure Resource Manager endpoint, required for the Azure Resource Manager control channel
login.microsoftonline.com           Microsoft Entra ID endpoint for acquiring identity access tokens
gbl.his.arc.azure.com               The cloud service endpoint for communicating with Azure Arc agents
<region>.his.arc.azure.com          Used for Arc's core control channel
packages.microsoft.com              Required to connect Linux servers to Arc

Onboard new Azure Arc resources with your Arc gateway resource

  1. Generate the installation script.

    Follow the instructions at Quickstart: Connect hybrid machines with Azure Arc-enabled servers to create a script that automates the downloading and installation of the Azure Connected Machine agent and establishes the connection with Azure Arc.

    Important

    When generating the onboarding script, select the Gateway resource in the Connectivity method section.

  2. Run the installation script to onboard your servers to Azure Arc.

    In the script, the Arc gateway resource's ARM ID is passed to the azcmagent connect command as the --gateway-id parameter.

Configure existing Azure Arc resources to use Arc gateway

You can associate existing Azure Arc resources with an Arc gateway resource by using the Azure portal, Azure CLI, or Azure PowerShell.

  1. In the Azure portal, go to Azure Arc - Azure Arc gateway (preview).

  2. Select the Arc gateway resource to associate with your Arc-enabled server.

  3. In the service menu for your gateway resource, select Associated resources.

  4. Select Add.

  5. Select the Arc-enabled server resource to associate with your Arc gateway resource.

  6. Select Apply.

With version 1.50 or earlier of the Connected Machine agent, you must also run azcmagent config set connection.type gateway on the server to switch it to the Arc gateway. For agent versions 1.51 and later, this step isn't required, because the switch happens automatically once the association is made. We recommend using the latest version of the Connected Machine agent.

Verify successful Arc gateway set-up

On the onboarded server, run the following command: azcmagent show

The result should indicate the following values:

  • Agent Status should show as Connected.
  • Using HTTPS Proxy should show as http://localhost:40343 (the local Arc proxy).
  • Upstream Proxy should show as your enterprise proxy (if you set one).
  • Gateway URL should reflect your gateway resource's URL.

Additionally, to verify successful set-up, run the following command: azcmagent check

The result should indicate that the connection.type is set to gateway, and the Reachable column should indicate true for all URLs.
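
The two checks above are easy to script for a fleet. The following is an added example, not code from this article or from the azcmagent tool: it parses saved output of azcmagent show and azcmagent check and fails if the server isn't connected through the Arc proxy to a *.gw.arc.azure.com gateway, or if any endpoint reports Reachable other than true. The SAMPLE_* strings are constructed in the shape those commands print ("Key : Value" lines and a whitespace-separated table with a Reachable column); the gateway prefix a1b2c3d4 and the proxy host are placeholders. Adjust the parsing if your agent version formats its output differently.

```sh
#!/bin/sh
# Added example: automates the "Verify successful Arc gateway set-up" checks.
# Not code from the Arc gateway article or the azcmagent tool. Feed it the
# captured text of `azcmagent show` and `azcmagent check`. SAMPLE_* below are
# constructed in the shape those commands print, not captured from a server.

EXPECTED_LOCAL_PROXY="http://localhost:40343"   # Arc proxy listener named in the article
GATEWAY_SUFFIX=".gw.arc.azure.com"              # every Arc gateway URL ends with this

# show_field OUTPUT KEY: print the value of the first "KEY : value" line.
# Splits on the first colon only, so values such as http://localhost:40343 survive.
show_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        {
            i = index($0, ":")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# verify_show OUTPUT: returns 0 when the agent is Connected, routes through the
# local Arc proxy, and reports a gateway URL; otherwise prints each failure, returns 1.
verify_show() {
    out="$1"; rc=0
    status=$(show_field "$out" "Agent Status")
    proxy=$(show_field "$out" "Using HTTPS Proxy")
    gw=$(show_field "$out" "Gateway URL")
    gw=${gw#https://}; gw=${gw%/}          # accept either a bare host or a URL
    if [ "$status" != "Connected" ]; then
        echo "FAIL: Agent Status is '$status', expected Connected"; rc=1
    fi
    if [ "$proxy" != "$EXPECTED_LOCAL_PROXY" ]; then
        echo "FAIL: Using HTTPS Proxy is '$proxy', expected $EXPECTED_LOCAL_PROXY (agent is not using the Arc proxy)"; rc=1
    fi
    case "$gw" in
        *"$GATEWAY_SUFFIX") ;;
        *) echo "FAIL: Gateway URL is '$gw', expected <prefix>$GATEWAY_SUFFIX"; rc=1 ;;
    esac
    return $rc
}

# unreachable_endpoints OUTPUT: print the Endpoint column of every row whose
# Reachable column is not "true". The column index is taken from the header
# line, so extra or reordered columns don't break the check. Returns 1 if any.
unreachable_endpoints() {
    printf '%s\n' "$1" | awk '
        col == 0 { for (i = 1; i <= NF; i++) if ($i == "Reachable") col = i; next }
        NF >= col && tolower($col) != "true" { print $1; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample: a server associated with the gateway (placeholder prefix a1b2c3d4).
SAMPLE_SHOW_GATEWAY='Resource Name               : web-01
Resource Group Name         : rg-arc-servers
Agent Status                : Connected
Using HTTPS Proxy           : http://localhost:40343
Upstream Proxy              : http://proxy.corp.example:3128
Gateway URL                 : https://a1b2c3d4.gw.arc.azure.com'

# Constructed sample: the same server still in direct mode (talks to the
# enterprise proxy itself and reports no gateway).
SAMPLE_SHOW_DIRECT='Resource Name               : web-01
Agent Status                : Connected
Using HTTPS Proxy           : http://proxy.corp.example:3128
Upstream Proxy              :
Gateway URL                 :'

# Constructed sample of the connectivity table, with one endpoint blocked.
SAMPLE_CHECK='Endpoint                                   Private   Reachable
https://a1b2c3d4.gw.arc.azure.com          false     true
https://management.azure.com               false     true
https://login.microsoftonline.com          false     true
https://gbl.his.arc.azure.com              false     true
https://eastus.his.arc.azure.com           false     true
https://packages.microsoft.com             false     false'

echo "== azcmagent show (gateway mode) =="
verify_show "$SAMPLE_SHOW_GATEWAY" && echo "OK: agent is connected through the Arc gateway"
echo "== azcmagent show (direct mode) =="
verify_show "$SAMPLE_SHOW_DIRECT" || echo "expected: direct-mode sample rejected"
echo "== azcmagent check =="
if unreachable=$(unreachable_endpoints "$SAMPLE_CHECK"); then
    echo "OK: every endpoint is reachable through the proxy chain"
else
    echo "FAIL: not reachable through the proxy chain:"; printf '  %s\n' $unreachable
fi
```

On a real server, capture the inputs with azcmagent show > show.txt and azcmagent check > check.txt and call verify_show "$(cat show.txt)" and unreachable_endpoints "$(cat check.txt)". The connection type itself can be read directly with azcmagent config get connection.type, which should print gateway.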

Remove Arc gateway association

You can disable Arc gateway and remove the association between the Arc gateway resource and the Arc-enabled server. The Arc-enabled server then sends its traffic directly (through your enterprise proxy, if one is configured) instead of through the gateway.

Note

This operation only applies to Azure Arc gateway on Azure Arc-enabled servers, not Azure Local. If you're using Azure Arc gateway on Azure Local, see About Azure Arc gateway for Azure Local for removal information.

  1. Set the connection type of the Arc-enabled Server to "direct" instead of "gateway" by running the following command:

    azcmagent config set connection.type direct

    Note

    If you take this step, all Azure Arc network requirements must be met in your environment to continue using Azure Arc.

  2. Detach the Arc gateway resource from the machine:

    1. In the Azure portal, go to Azure Arc - Azure Arc gateway (preview).

    2. Select the Arc gateway Resource.

    3. In the service menu for your gateway resource, select Associated resources.

    4. Select the server.

    5. Select Remove.


Delete an Arc gateway resource

You can delete an Arc gateway resource by using the Azure portal, Azure CLI, or Azure PowerShell. This operation may take up to 5 minutes to complete.

  1. In the Azure portal, go to Azure Arc - Azure Arc gateway (preview).

  2. Select the Arc gateway resource.

  3. Select Delete, then confirm the deletion.

Monitor traffic

You can audit your Arc gateway’s traffic by viewing the Azure Arc proxy logs.

To view Arc proxy logs on Windows:

  1. Run azcmagent logs in PowerShell.
  2. In the resulting .zip file, the arcproxy.log file is located in the ProgramData\AzureConnectedMachineAgent\Log folder.

To view Arc proxy logs on Linux:

  1. Run sudo azcmagent logs.
  2. In the resulting .zip file, the arcproxy.log file is located in the /var/opt/azcmagent/log/ folder.

Additional scenarios

During public preview, Arc gateway covers the endpoints required for onboarding a server, plus endpoints to support several additional Arc-enabled scenarios. Based on the scenarios you adopt, you may need to allow additional endpoints in your proxy.

Scenarios that don’t require additional endpoints

  • Windows Admin Center
  • SSH
  • Extended Security Updates
  • Azure Extension for SQL Server

Scenarios that require additional endpoints

Endpoints listed with the following scenarios must be allowed in your enterprise proxy when using Arc gateway:

  • Azure Arc-enabled Data Services
    • *.ods.opinsights.azure.com
    • *.oms.opinsights.azure.com
    • *.monitoring.azure.com
  • Azure Monitor Agent
    • <log-analytics-workspace-id>.ods.opinsights.azure.com
    • <data-collection-endpoint>.<virtual-machine-region-name>.ingest.monitor.azure.com
  • Azure Key Vault Certificate Sync
    • <vault-name>.vault.azure.net
  • Azure Automation Hybrid Runbook Worker extension
    • *.azure-automation.net
  • Windows OS Update Extension / Azure Update Manager
    • Your environment must meet all the prerequisites for Windows Update
  • Microsoft Defender
    • Your environment must meet all the prerequisites for Microsoft Defender
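
Because every hop after the Arc proxy passes through your enterprise proxy, the proxy's access log is where you can confirm that agent traffic really is confined to the gateway URL, the required endpoints, and the scenario endpoints above. The following is an added example, not code from this article: it extracts the CONNECT destinations from a Squid-style access log, counts them, and reports any host that isn't on the allow-list, using the same matching rules as the lists above (exact FQDN, "*." wildcards, and a <region> placeholder). Assumptions: the log uses Squid's native access.log layout (field 6 is the method, field 7 is host:port); GATEWAY_URL and REGION are placeholders for your own values; the SAMPLE_LOG lines are constructed, not captured from a real proxy; the allow-list includes one scenario endpoint (Arc-enabled Data Services) to show how those are added.

```sh
#!/bin/sh
# Added example: audit the destinations Arc traffic reaches by comparing the
# enterprise proxy's CONNECT targets with the Arc gateway allow-list. Not code
# from the Arc gateway article. Squid-style log layout is assumed; SAMPLE_LOG
# is constructed; GATEWAY_URL and REGION are placeholders.

GATEWAY_URL="a1b2c3d4.gw.arc.azure.com"   # placeholder: your URL from `az arcgateway list`
REGION="eastus"                           # placeholder: region of your Arc-enabled servers

# Allow-list: the article's required FQDNs, then the scenario endpoints you
# have adopted. "*." matches one or more leading labels; <region> is filled
# from $REGION. The *.ods.opinsights.azure.com line is an example scenario entry.
ALLOWLIST=$(printf '%s\n' \
    "$GATEWAY_URL" \
    "management.azure.com" \
    "login.microsoftonline.com" \
    "gbl.his.arc.azure.com" \
    "<region>.his.arc.azure.com" \
    "packages.microsoft.com" \
    "*.ods.opinsights.azure.com" | sed "s/<region>/$REGION/")

# host_allowed HOST: 0 if HOST exactly matches an entry or is a subdomain of a
# "*." entry. The bare apex of a wildcard entry is not allowed, and neither is
# a look-alike such as management.azure.com.evil.example (suffix is anchored).
host_allowed() {
    printf '%s\n' "$ALLOWLIST" | awk -v host="$1" '
        /^\*\./ {
            suffix = substr($0, 2)     # "*.ods.x" -> ".ods.x"
            if (length(host) > length(suffix) &&
                substr(host, length(host) - length(suffix) + 1) == suffix) ok = 1
            next
        }
        $0 == host { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# connect_hosts LOG: print "count host" for each distinct CONNECT destination,
# port stripped, sorted by host. Denied attempts count too: they show what an
# agent or extension tried to reach.
connect_hosts() {
    printf '%s\n' "$1" | awk '$6 == "CONNECT" { sub(/:[0-9]+$/, "", $7); n[$7]++ }
                              END { for (h in n) print n[h], h }' | sort -k2
}

# unexpected_hosts LOG: print the distinct destinations not on the allow-list;
# returns 1 if there are any, 0 when all traffic is accounted for.
unexpected_hosts() {
    bad=0
    for host in $(connect_hosts "$1" | awk '{ print $2 }'); do
        if ! host_allowed "$host"; then printf '%s\n' "$host"; bad=1; fi
    done
    return $bad
}

# Constructed sample in Squid native access.log layout (client 10.20.0.15 is a
# hypothetical Arc-enabled server; 192.0.2.x are documentation addresses).
SAMPLE_LOG='1710000000.101   120 10.20.0.15 TCP_TUNNEL/200 5120 CONNECT a1b2c3d4.gw.arc.azure.com:443 - HIER_DIRECT/192.0.2.10 -
1710000000.350    80 10.20.0.15 TCP_TUNNEL/200 2048 CONNECT login.microsoftonline.com:443 - HIER_DIRECT/192.0.2.11 -
1710000001.002    95 10.20.0.15 TCP_TUNNEL/200 4096 CONNECT management.azure.com:443 - HIER_DIRECT/192.0.2.12 -
1710000002.410    60 10.20.0.15 TCP_TUNNEL/200 1024 CONNECT eastus.his.arc.azure.com:443 - HIER_DIRECT/192.0.2.13 -
1710000003.777    70 10.20.0.15 TCP_TUNNEL/200 9000 CONNECT ws1234.ods.opinsights.azure.com:443 - HIER_DIRECT/192.0.2.14 -
1710000004.123    50 10.20.0.15 TCP_TUNNEL/200 3000 CONNECT us-east.azure-automation.net:443 - HIER_DIRECT/192.0.2.15 -
1710000005.999    20 10.20.0.15 TCP_DENIED/403 0 CONNECT contoso.vault.azure.net:443 - HIER_NONE/- -
1710000006.404   110 10.20.0.15 TCP_TUNNEL/200 7000 CONNECT a1b2c3d4.gw.arc.azure.com:443 - HIER_DIRECT/192.0.2.10 -'

echo "CONNECT destinations seen (count host):"
connect_hosts "$SAMPLE_LOG"
if unexpected=$(unexpected_hosts "$SAMPLE_LOG"); then
    echo "All destinations are on the Arc gateway allow-list."
else
    echo "Destinations outside the allow-list (allow the scenario endpoint, or investigate):"
    printf '  %s\n' $unexpected
fi
```

In the sample, the two flagged hosts correspond to scenarios in the list above (Azure Key Vault Certificate Sync and the Hybrid Runbook Worker extension); if those extensions are deployed, add their endpoints to ALLOWLIST, otherwise treat the traffic as something to investigate. Run it against your own proxy with unexpected_hosts "$(cat /var/log/squid/access.log)" or the equivalent for your proxy's log format.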