Azure Arc network requirements
This article lists the endpoints, ports, and protocols required for Azure Arc-enabled services and features.
Generally, connectivity requirements include these principles:
- All connections are TCP unless otherwise specified.
- All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
- All connections are outbound unless otherwise specified.
To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.
Azure Arc-enabled Kubernetes endpoints
Connectivity to the Arc Kubernetes-based endpoints is required for all Kubernetes-based Arc offerings, including:
- Azure Arc-enabled Kubernetes
Important
Azure Arc agents require the following outbound URLs on https://:443 to function.
For *.servicebus.chinacloudapi.cn, websockets need to be enabled for outbound access on the firewall and proxy.
Endpoint (DNS) | Description |
---|---|
https://management.chinacloudapi.cn | Required for the agent to connect to Azure operated by 21Vianet and register the cluster. |
https://<region>.dp.kubernetesconfiguration.azure.cn | Data plane endpoint for the agent to push status and fetch configuration information. |
https://login.chinacloudapi.cn, https://<region>.login.chinacloudapi.cn, login.partner.microsoftonline.cn | Required to fetch and update Azure Resource Manager tokens. |
mcr.azk8s.cn | Required to pull container images for Azure Arc agents. |
https://gbl.his.arc.azure.cn | Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
https://*.his.arc.azure.cn | Required to pull system-assigned Managed Identity certificates. |
https://k8connecthelm.azureedge.net | az connectedk8s connect uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed to download the Helm client that deploys the agent Helm chart. |
guestnotificationservice.azure.cn, *.guestnotificationservice.azure.cn, sts.chinacloudapi.cn, https://k8sconnectcsp.azureedge.net | For Cluster Connect and for Custom Location based scenarios. |
*.servicebus.chinacloudapi.cn | For Cluster Connect and for Custom Location based scenarios. |
https://graph.chinacloudapi.cn/ | Required when Azure RBAC is configured. |
*.arc.azure.cn | Required to manage connected clusters in the Azure portal. |
https://<region>.obo.arc.azure.cn:8084/ | Required when Cluster Connect is configured. |
quay.azk8s.cn, registryk8s.azk8s.cn, k8sgcr.azk8s.cn, usgcr.azk8s.cn, dockerhub.azk8s.cn/<repo-name>/<image-name>:<version> | Container registry proxy servers for Azure operated by 21Vianet VMs. |
For more information, see Azure Arc-enabled Kubernetes network requirements.
Azure Arc-enabled servers
Connectivity to Arc-enabled server endpoints is required for:
- SQL Server enabled by Azure Arc
- Azure Arc-enabled VMware vSphere *
- Azure Arc-enabled System Center Virtual Machine Manager *
- Azure Arc-enabled Azure Stack (HCI) *
* Only required when guest management is enabled.
Azure Arc-enabled server endpoints are required for all server-based Arc offerings.
Networking configuration
The Azure Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. By default, the agent uses the default route to the internet to reach Azure services. You can optionally configure the agent to use a proxy server if your network requires it. Proxy servers don't make the Connected Machine agent more secure because the traffic is already encrypted.
To further secure your network connectivity to Azure Arc, instead of using public networks and proxy servers, you can implement an Azure Arc Private Link Scope.
Note
Azure Arc-enabled servers does not support using a Log Analytics gateway as a proxy for the Connected Machine agent. Azure Monitor Agent, however, does support the Log Analytics gateway.
If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs and Service Tags listed below are not blocked.
Service tags
Be sure to allow access to the following Service Tags:
- AzureActiveDirectory
- AzureTrafficManager
- AzureResourceManager
- AzureArcInfrastructure
- Storage
- WindowsAdminCenter (if using Windows Admin Center to manage Arc-enabled servers)
For a list of IP addresses for each service tag and region, see the JSON file Azure IP Ranges and Service Tags - China Cloud. Azure publishes weekly updates listing each Azure service and the IP ranges it uses. The JSON file is the current point-in-time list of the IP ranges that correspond to each service tag, and these IP addresses are subject to change. If IP address ranges are required for your firewall configuration, use the AzureCloud Service Tag to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs; allow them as you would other Internet traffic.
If you filter traffic to the AzureArcInfrastructure service tag, you must allow traffic to the full service tag range. The specific IP address resolved for these endpoints may change over time within the documented ranges, so using a lookup tool to identify the current IP address for a given endpoint and allowing only that address is not sufficient to ensure reliable access.
For more information, see Virtual network service tags.
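As an added example (not part of the Azure documentation), the following Python reads a Service Tags JSON document in the shape of the file referenced above, builds the full prefix allowlist for the tags listed on this page, and shows which tag a resolved address falls under. The JSON content and its prefixes are constructed documentation ranges, not real Azure ranges.

```python
import ipaddress
import json

# Constructed sample in the shape of the Azure IP Ranges and Service Tags JSON file
# ("values" array of tags, each with properties.addressPrefixes). The prefixes are
# RFC 5737/3849 documentation ranges, not real Azure ranges.
SAMPLE_SERVICE_TAGS_JSON = """
{
  "changeNumber": 1,
  "cloud": "AzureChinaCloud",
  "values": [
    {"name": "AzureArcInfrastructure",
     "properties": {"addressPrefixes": ["198.51.100.0/24", "2001:db8:1::/48"]}},
    {"name": "AzureResourceManager",
     "properties": {"addressPrefixes": ["203.0.113.0/25"]}},
    {"name": "Storage",
     "properties": {"addressPrefixes": ["203.0.113.128/25"]}}
  ]
}
"""

# Service tags this page lists for Arc-enabled servers.
ARC_SERVER_TAGS = ("AzureActiveDirectory", "AzureTrafficManager", "AzureResourceManager",
                   "AzureArcInfrastructure", "Storage")

def load_sample() -> dict:
    return json.loads(SAMPLE_SERVICE_TAGS_JSON)

def prefixes_for_tags(doc: dict, tags) -> dict:
    """Return {tag: [ip_network, ...]} for each requested tag; a tag absent from the
    file maps to an empty list so the gap is visible rather than silently ignored."""
    found = {t: [] for t in tags}
    for entry in doc.get("values", []):
        if entry.get("name") in found:
            found[entry["name"]] = [ipaddress.ip_network(p)
                                    for p in entry["properties"]["addressPrefixes"]]
    return found

def firewall_allowlist(doc: dict, tags=ARC_SERVER_TAGS) -> list:
    """Every prefix of every tag: allow the whole range, not one resolved address."""
    return sorted({str(n) for nets in prefixes_for_tags(doc, tags).values() for n in nets})

def tag_for_address(doc: dict, address: str, tags=ARC_SERVER_TAGS):
    """Which allowed tag (if any) covers an address a lookup tool returned today."""
    ip = ipaddress.ip_address(address)
    for tag, nets in prefixes_for_tags(doc, tags).items():
        if any(ip in n for n in nets):  # version mismatch evaluates to False
            return tag
    return None
```

Tags that the sample file does not contain (here AzureActiveDirectory and AzureTrafficManager) come back with an empty prefix list, which is the cue to check that the downloaded file is complete before pushing the allowlist to a firewall.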
URLs
The table below lists the URLs that must be available in order to install and use the Connected Machine agent.
Agent resource | Description | When required |
---|---|---|
aka.ms | Used to resolve the download script during installation | At installation time, only |
download.microsoft.com | Used to download the Windows installation package | At installation time, only |
packages.microsoft.com | Used to download the Linux installation package | At installation time, only |
login.chinacloudapi.cn | Microsoft Entra ID | Always |
login.partner.microsoftonline.cn | Microsoft Entra ID | Always |
pas.chinacloudapi.cn | Microsoft Entra ID | Always |
management.chinacloudapi.cn | Azure Resource Manager - to create or delete the Arc server resource | When connecting or disconnecting a server, only |
*.his.arc.azure.cn | Metadata and hybrid identity services | Always |
*.guestconfiguration.azure.cn | Extension management and guest configuration services | Always |
guestnotificationservice.azure.cn, *.guestnotificationservice.azure.cn | Notification service for extension and connectivity scenarios | Always |
azgn*.servicebus.chinacloudapi.cn | Notification service for extension and connectivity scenarios | Always |
*.servicebus.chinacloudapi.cn | For Windows Admin Center and SSH scenarios | If using SSH or Windows Admin Center from Azure |
*.blob.core.chinacloudapi.cn | Download source for Azure Arc-enabled servers extensions | Always, except when using private endpoints |
dc.applicationinsights.azure.cn | Agent telemetry | Optional, not used in agent versions 1.24+ |
Transport Layer Security 1.2 protocol
To ensure the security of data in transit to Azure, we strongly encourage you to configure your machines to use Transport Layer Security (TLS) 1.2. Older versions of TLS and Secure Sockets Layer (SSL) have been found to be vulnerable; while they still work for backward compatibility, they are not recommended.
Platform/Language | Support | More Information |
---|---|---|
Linux | Linux distributions tend to rely on OpenSSL for TLS 1.2 support. | Check the OpenSSL Changelog to confirm your version of OpenSSL is supported. |
Windows Server 2012 R2 and higher | Supported, and enabled by default. | To confirm that you are still using the default settings. |
Subset of endpoints for ESU only
If you're using Azure Arc-enabled servers only for Extended Security Updates for either or both of the following products:
- Windows Server 2012
- SQL Server 2012
You can enable the following subset of endpoints:
Agent resource | Description | When required | Endpoint used with private link |
---|---|---|---|
aka.ms | Used to resolve the download script during installation | At installation time, only | Public |
download.microsoft.com | Used to download the Windows installation package | At installation time, only | Public |
login.chinacloudapi.cn | Microsoft Entra ID | Always | Public |
login.partner.microsoftonline.cn | Microsoft Entra ID | Always | Public |
management.chinacloudapi.cn | Azure Resource Manager - to create or delete the Arc server resource | When connecting or disconnecting a server, only | Public, unless a resource management private link is also configured |
*.his.arc.azure.cn | Metadata and hybrid identity services | Always | Private |
*.guestconfiguration.azure.cn | Extension management and guest configuration services | Always | Private |
www.microsoft.com/pkiops/certs | Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443) | Always for automatic updates, or temporarily if downloading certificates manually. | Public |
Note
Using Azure Arc-enabled servers for Extended Security Updates for Windows Server 2012 is not available in Azure operated by 21Vianet regions at this time.
For more information, see Connected Machine agent network requirements.
Additional endpoints
Depending on your scenario, you might need connectivity to other URLs, such as those used by the Azure portal, management tools, or other Azure services. In particular, review these lists to ensure that you allow connectivity to any necessary endpoints: