Simplify network configuration requirements with Azure Arc gateway (preview)

2025-06-25

If you use enterprise proxies to manage outbound traffic, the Azure Arc gateway lets you onboard infrastructure to Azure Arc using only seven endpoints. With Azure Arc gateway, you can:

Connect to Azure Arc by opening public network access to only seven fully qualified domain names (FQDNs).
View and audit all traffic an Azure Connected Machine agent sends to Azure via the Arc gateway.

This article explains how to set up and use Arc gateway (preview).

Important

The Arc gateway feature for Azure Arc-enabled servers is currently in Public Preview in all regions where Azure Arc-enabled servers is present. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, Public Preview, or otherwise not yet released into general availability.

How the Azure Arc gateway works

Azure Arc gateway consists of two main components:

Arc gateway resource: An Azure resource that serves as a common front-end for Azure traffic. This gateway resource is served on a specific domain. Once the Arc gateway resource is created, the domain is returned to you in the success response.
Arc proxy: A new component added to the Azure Arc agents. This component runs within the context of an Arc-enabled resource as a service called "Azure Arc Proxy". It acts as a forward proxy used by the Azure Arc agents and extensions. No configuration is required on your part for this proxy.

When the gateway is in place, traffic flows via the following hops: Arc agents → Arc proxy → Enterprise proxy → Arc gateway → Target service.

To download architecture diagrams in high resolution, visit Jumpstart Gems.

Current limitations

During the public preview, the following limitations apply. Consider these factors when planning your configuration.

TLS Terminating Proxies aren't supported.
ExpressRoute/Site-to-Site VPN or private endpoints used with the Arc gateway aren't supported.
Proxy bypass isn't supported when Arc gateway is in use; even if you attempt to use the feature by running azcmagent config set proxy.bypass, traffic won't bypass the proxy.
There's a limit of five (5) Arc gateway resources per Azure subscription.
Arc gateway can only be used for connectivity in the Azure public cloud.

Required permissions

To create Arc gateway resources and manage their association with Arc-enabled servers, the following permissions are required:

Microsoft.HybridCompute/settings/write
Microsoft.hybridcompute/gateways/read
Microsoft.hybridcompute/gateways/write

Create the Arc gateway resource

You can create an Arc gateway (preview) resource by using the Azure portal, Azure CLI, or Azure PowerShell. It generally takes about 10 minutes to create the Arc gateway resource after you complete these steps.

From your browser, sign in to the Azure portal.
Navigate to Azure Arc. In the service menu, under Management, select Azure Arc gateway (preview), then select Create.
Select the subscription and resource group where you want the Arc gateway resource to be managed within Azure. An Arc gateway resource can be used by any Arc-enabled resource in the same Azure tenant.
For Name, input the name that for the Arc gateway resource.
For Location, input the region where the Arc gateway resource should live. An Arc gateway resource can be used by any Arc-enabled Resource in the same Azure tenant.
Select Next.
On the Tags page, optionally specify one or more custom tags to support your standards.
Select Review + create.
Review your input details, and then select Create.

Add the Arc gateway extension to your Azure CLI:

az extension add -n arcgateway

On a machine with access to Azure, run the following commands to create your Arc gateway resource:

az arcgateway create `
    --gateway-name [Your gateway’s Name] `
    --resource-group <Your Resource Group> `
    --location [Location]

On a machine with access to Azure, run the following PowerShell command to create your Arc gateway resource:

    New-AzArcgateway `
        -name <gateway’s name> `
        -resource-group <resource group> `
        -location <region> `
        -subscription <subscription name or id> `
        -gateway-type public

Confirm access to required URLs

After the resource is created successfully, the success response will include the Arc gateway URL. Ensure your Arc gateway URL and all of these URLs are allowed in the environment where your Arc resources live.

URL	Purpose
`[Your URL Prefix].gw.arc.azure.com`	Your gateway URL (obtained by running `az arcgateway list` after you create your gateway resource)
`management.azure.com`	Azure Resource Manager endpoint, required for Azure Resource Manager control channel
`login.microsoftonline.com`	Microsoft Entra ID endpoint for acquiring identity access tokens
`gbl.his.arc.azure.com`	The cloud service endpoint for communicating with Azure Arc agents
`\<region\>.his.arc.azure.com`	Used for Arc's core control channel
`packages.microsoft.com`	Required to connect Linux servers to Arc

Onboard new Azure Arc resources with your Arc gateway resource

Generate the installation script.

Follow the instructions at Quickstart: Connect hybrid machines with Azure Arc-enabled servers to create a script that automates the downloading and installation of the Azure Connected Machine agent and establishes the connection with Azure Arc.

Important

When generating the onboarding script, select the Gateway resource in the Connectivity method section.
Run the installation script to onboard your servers to Azure Arc.

In the script, the Arc gateway resource's ARM ID is shown as --gateway-id.

Configure existing Azure Arc resources to use Arc gateway

You can associate existing Azure Arc resources with an Arc gateway resource by using the Azure portal, Azure CLI, or Azure PowerShell.

In the Azure portal, go to Azure Arc - Azure Arc gateway (preview).
Select the Arc gateway resource to associate with your Arc-enabled server.
In the service menu for your gateway resource, select Associated resources.
Select Add.
Select the Arc-enabled server resource to associate with your Arc gateway resource.
Select Apply.

On a machine with access to Azure, run the following commands:

az arcgateway settings update `
   --resource-group <resource_group> `
   --subscription <subscription_name> `
   --base-provider Microsoft.HybridCompute `
   --base-resource-type machines `
   --base-resource-name <server_name> `
   --gateway-resource-id <gateway_resource_id>

On a machine with access to Azure, run the following commands:

Update-AzArcSetting `
    -ResourceGroupName <Resource Group> `
    -SubscriptionId <Subscription ID> `
    -BaseProvider Microsoft.HybridCompute `
    -BaseResourceType machine `
    -BaseResourceName <Server Name> `
    -GatewayResourceId <resource ID>

With 1.50 or earlier of the Connected Machine agent, you must also run azcmagent config set connection.type gateway to update your Arc-enabled server to use Arc gateway. For agent versions 1.51 and later, this step isn't required, as the operation happens automatically. We recommend using the latest version of the Connected Machine agent.

Verify successful Arc gateway set-up

On the onboarded server, run the following command: azcmagent show

The result should indicate the following values:

Agent Status should show as Connected.
Using HTTPS Proxy should show as http://localhost:40343.
Upstream Proxy should show as your enterprise proxy (if you set one). Gateway URL should reflect your gateway resource's URL.

Additionally, to verify successful set-up, run the following command: azcmagent check

The result should indicate that the connection.type is set to gateway, and the Reachable column should indicate true for all URLs.

Remove Arc gateway association

You can disable Arc gateway and remove the association between the Arc gateway resource and the Arc-enabled cluster. This results in the Arc-enabled cluster using direct traffic instead.

Note

This operation only applies to Azure Arc gateway on Azure Arc-enabled servers, not Azure Local. If you're using Azure Arc gateway on Azure Local, see About Azure Arc gateway for Azure Local for removal information.

Set the connection type of the Arc-enabled Server to "direct" instead of "gateway" by running the following command:

azcmagent config set connection.type direct

Note

If you take this step, all Azure Arc network requirements must be met in your environment to continue using Azure Arc.

Detach the Arc gateway resource from the machine:

In the Azure portal, go to Azure Arc - Azure Arc gateway (preview).
Select the Arc gateway Resource.
In the service menu for your gateway resource, select Associated resources.
Select the server.
Select Remove.

On a machine with access to Azure, run the following Azure CLI command:

az arcgateway settings update `
     --resource-group <resource_group> `
     --subscription <subscription_name> `
     --base-provider Microsoft.HybridCompute `
     --base-resource-type machines `
     --base-resource-name <server_name> `
     --gateway-resource-id <gateway_resource_id>

Note

If you’re running this Azure CLI command within Windows PowerShell, set the --gateway-resource-id to null.

On a machine with access to Azure, run the following PowerShell command:

Update-AzArcSetting  `
     -ResourceGroupName <Resource Group> `
     -SubscriptionId <Subscription ID> `
     -BaseProvider Microsoft.HybridCompute `
     -BaseResourceType machine `
     -BaseResourceName <Server Name> `
     -GatewayResourceId <resource ID>

Delete an Arc gateway resource

You can delete an Arc gateway resource by using the Azure portal, Azure CLI, or Azure PowerShell. This operation may take up to 5 minutes to complete.

In the Azure portal, go to the Azure Arc - Azure Arc gateway.
Select the Arc gateway resource.
Select Delete, then confirm the deletion.

On a machine with access to Azure, run the following Azure CLI command:

az arcgateway delete `
    --resource-group <resource_group> `
    --subscription <subscription_name> `
    --gateway-name <gateway_resource_name>

On a machine with access to Azure, run the following PowerShell command:

Remove-AzArcGateway  
    -ResourceGroup <Resource Group> `
    -SubscriptionId <Subscription ID> `
    -GatewayName <Gateway Resource Name>

Monitor traffic

You can audit your Arc gateway’s traffic by viewing the Azure Arc proxy logs.

To view Arc proxy logs on Windows:

Run azcmagent logs in PowerShell.
In the resulting .zip file, the arcproxy.log file is located in the ProgramData\AzureConnectedMachineAgent\Log folder.

To view Arc proxy logs on Linux:

Run sudo azcmagent logs.
In the resulting .zip file, the arcproxy.log file is located in the /var/opt/azcmagent/log/ folder.

Additional scenarios

During public preview, Arc gateway covers the endpoints required for onboarding a server, plus endpoints to support several additional Arc-enabled scenarios. Based on the scenarios you adopt, you may need to allow additional endpoints in your proxy.

Scenarios that don’t require additional endpoints

Windows Admin Center
SSH
Extended Security Updates
Azure Extension for SQL Server

Scenarios that require additional endpoints

Endpoints listed with the following scenarios must be allowed in your enterprise proxy when using Arc gateway:

Azure Arc-enabled Data Services
- *.ods.opinsights.azure.com
- *.oms.opinsights.azure.com
- *.monitoring.azure.com
Azure Monitor Agent
- \<log-analytics-workspace-id\>.ods.opinsights.azure.com
- \<data-collection-endpoint\>.\<virtual-machine-region-name\>.ingest.monitor.azure.com
Azure Key Vault Certificate Sync
- \<vault-name\>.vault.azure.net
Azure Automation Hybrid Runbook Worker extension
- *.azure-automation.net
Windows OS Update Extension / Azure Update Manager
- Your environment must meet all the prerequisites for Windows Update
Microsoft Defender
- Your environment must meet all the prerequisites for Microsoft Defender