
Azure Arc network requirements

This article lists the endpoints, ports, and protocols required for Azure Arc-enabled services and features.

Generally, connectivity requirements include these principles:

  • All connections are TCP unless otherwise specified.
  • All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
  • All connections are outbound unless otherwise specified.

To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.

Tip

For the Azure public cloud, you can reduce the number of required endpoints by using the Azure Arc gateway for Arc-enabled servers or Arc-enabled Kubernetes.

Azure Arc-enabled Kubernetes endpoints

Connectivity to the Arc Kubernetes-based endpoints is required for all Kubernetes-based Arc offerings, including:

  • Azure Arc-enabled Kubernetes
  • Azure Container Apps on Azure Arc
  • Azure Arc-enabled Machine Learning
  • Azure Arc-enabled data services (direct connectivity mode only)

Important

Azure Arc agents require outbound access to the following URLs over HTTPS (TCP port 443) to function. For *.servicebus.windows.net, WebSockets must be enabled for outbound access on the firewall and proxy.

| Endpoint (DNS) | Description |
|---|---|
| https://management.azure.com | Required for the agent to connect to Azure and register the cluster. |
| https://<region>.dp.kubernetesconfiguration.azure.com | Data plane endpoint for the agent to push status and fetch configuration information. |
| https://login.microsoftonline.com, https://<region>.login.microsoft.com, login.windows.net | Required to fetch and update Azure Resource Manager tokens. |
| https://mcr.microsoft.com, https://*.data.mcr.microsoft.com | Required to pull container images for Azure Arc agents. |
| dl.k8s.io | Required to download kubectl binaries during Azure Arc onboarding by the Azure CLI connectedk8s extension. |
| https://gbl.his.arc.azure.com | Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
| https://*.his.arc.azure.com | Required to pull system-assigned Managed Identity certificates. |
| guestnotificationservice.azure.com, *.guestnotificationservice.azure.com, sts.windows.net | For Cluster Connect and for Custom Location based scenarios. |
| *.servicebus.windows.net | For Cluster Connect and for Custom Location based scenarios. |
| https://graph.microsoft.com/ | Required when Azure RBAC is configured. |
| *.arc.azure.net | Required to manage connected clusters in the Azure portal. |
| https://<region>.obo.arc.azure.com:8084/ | Required when Cluster Connect is configured. |
| https://linuxgeneva-microsoft.azurecr.io | Required if using Azure Arc-enabled Kubernetes extensions. |

To translate the *.servicebus.windows.net wildcard into specific endpoints, use the command:

GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>

To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, for the East US 2 region, the region segment is eastus2.

For example: *.<region>.arcdataservices.com should be *.eastus2.arcdataservices.com in the East US 2 region.

To see a list of all regions, run one of these commands (Azure CLI or Azure PowerShell):

az account list-locations -o table
Get-AzLocation | Format-Table

For more information, see Azure Arc-enabled Kubernetes network requirements.

Azure Arc-enabled data services

This section describes requirements specific to Azure Arc-enabled data services, in addition to the Arc-enabled Kubernetes endpoints listed above.

| Service | Port | URL | Direction | Notes |
|---|---|---|---|---|
| Helm chart (direct connected mode only) | 443 | arcdataservicesrow1.azurecr.io | Outbound | The Helm chart that provisions the Azure Arc data controller bootstrapper and cluster-level objects, such as custom resource definitions, cluster roles, and cluster role bindings, is pulled from an Azure Container Registry. |
| Azure Monitor APIs¹ | 443 | *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, *.monitoring.azure.com | Outbound | Azure Data Studio and Azure CLI connect to the Azure Resource Manager APIs to send and retrieve data to and from Azure for some features. See Azure Monitor APIs. |
| Azure Arc data processing service¹ | 443 | *.<region>.arcdataservices.com² | Outbound | |

¹ Requirement depends on deployment mode:

  • For direct mode, the controller pod on the Kubernetes cluster needs to have outbound connectivity to the endpoints to send the logs, metrics, inventory, and billing information to Azure Monitor/Data Processing Service.
  • For indirect mode, the machine that runs az arcdata dc upload needs to have the outbound connectivity to Azure Monitor and Data Processing Service.

² For extension versions up to and including February 13, 2024, use san-af-<region>-prod.azurewebsites.net.

Azure Monitor APIs

Connectivity from Azure Data Studio to the Kubernetes API server uses the Kubernetes authentication and encryption that you have established. Each user that is using Azure Data Studio or CLI must have an authenticated connection to the Kubernetes API to perform many of the actions related to Azure Arc-enabled data services.

For more information, see Connectivity modes and requirements.

Azure Arc-enabled servers

Connectivity to Arc-enabled server endpoints is required for:

  • SQL Server enabled by Azure Arc

  • Azure Arc-enabled VMware vSphere *

  • Azure Arc-enabled System Center Virtual Machine Manager *

  • Azure Arc-enabled Azure Stack (HCI) *

    * Only required when guest management is enabled.

Azure Arc-enabled server endpoints are required for all server-based Azure Arc offerings.

Networking configuration

The Azure Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. By default, the agent uses the default route to the internet to reach Azure services. You can optionally configure the agent to use a proxy server if your network requires it. Proxy servers don't make the Connected Machine agent more secure because the traffic is already encrypted.

To further secure your network connectivity to Azure Arc, instead of using public networks and proxy servers, you can implement an Azure Arc private link scope.

Note

Azure Arc-enabled servers doesn't support using a Log Analytics gateway as a proxy for the Connected Machine agent. By contrast, the Azure Monitor Agent does support Log Analytics gateways.

If your firewall or proxy server restricts outbound connectivity, make sure that the URLs and service tags listed here aren't blocked.

Service tags

Be sure to allow access to the following service tags:

For a list of IP addresses for each service tag/region, see the JSON file Azure IP Ranges and Service Tags - Public Cloud. Microsoft publishes weekly updates that contain each Azure service and the IP ranges it uses. The information in the JSON file is the current point-in-time list of the IP ranges that correspond to each service tag. The IP addresses are subject to change. If IP address ranges are required for your firewall configuration, use the AzureCloud service tag to allow access to all Azure services. Don't disable security monitoring or inspection of these URLs. Allow them as you would other internet traffic.

If you filter traffic to the AzureArcInfrastructure service tag, you must allow traffic to the full service tag range. The ranges advertised for individual regions, for example, AzureArcInfrastructure.AustraliaEast, don't include the IP ranges that are used by global components of the service. The specific IP address resolved for these endpoints might change over time within the documented ranges. For this reason, using a lookup tool to identify the current IP address for a specific endpoint and allowing access to only that IP address isn't sufficient to ensure reliable access.
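The service-tag rule above (a regional sub-tag omits the ranges used by global components, so allow the full tag and refresh after each weekly update) can be checked mechanically against the published JSON. The following Python is an added example, not Microsoft's code or tooling. It assumes the layout of the Azure IP Ranges and Service Tags file (a top-level values array whose entries carry name and properties.addressPrefixes, with properties.region empty for the full tag and set for regional sub-tags); the embedded JSON is a constructed sample using documentation prefixes, not real Azure address ranges.

```python
"""Audit firewall allowlists against the AzureArcInfrastructure service tag.

Added example (not Microsoft's code). Assumes the layout of the published
"Azure IP Ranges and Service Tags - Public Cloud" JSON: a top-level "values"
list whose entries carry "name" and "properties.addressPrefixes", with
"properties.region" empty for the full tag and set for regional sub-tags.
The embedded JSON is a constructed sample using documentation prefixes
(RFC 5737 / RFC 3849), not real Azure address ranges.
"""
import ipaddress
import json

SAMPLE_SERVICE_TAGS_JSON = """
{
  "changeNumber": 0,
  "cloud": "Public",
  "values": [
    {
      "name": "AzureArcInfrastructure",
      "id": "AzureArcInfrastructure",
      "properties": {
        "region": "",
        "systemService": "AzureArcInfrastructure",
        "addressPrefixes": ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:1::/48"]
      }
    },
    {
      "name": "AzureArcInfrastructure.AustraliaEast",
      "id": "AzureArcInfrastructure.AustraliaEast",
      "properties": {
        "region": "australiaeast",
        "systemService": "AzureArcInfrastructure",
        "addressPrefixes": ["198.51.100.0/25"]
      }
    }
  ]
}
"""

FULL_TAG = "AzureArcInfrastructure"


def load_sample():
    """Parse the embedded constructed sample document."""
    return json.loads(SAMPLE_SERVICE_TAGS_JSON)


def load_tag_prefixes(doc):
    """Map each service-tag name to its address prefixes as ip_network objects."""
    tags = {}
    for entry in doc["values"]:
        prefixes = entry["properties"]["addressPrefixes"]
        tags[entry["name"]] = [ipaddress.ip_network(p) for p in prefixes]
    return tags


def global_only_prefixes(tags, regional_tag, full_tag=FULL_TAG):
    """Prefixes the full tag carries but the regional sub-tag omits.

    These are the global-component ranges the article warns about: a rule
    built from the regional tag alone silently drops them.
    """
    missing = set(tags[full_tag]) - set(tags[regional_tag])
    return sorted(missing, key=str)


def is_allowed(ip, networks):
    """True if ip falls inside any of the networks (v4/v6 mismatches never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def firewall_rules(tags, tag=FULL_TAG):
    """The complete prefix list to allow outbound to, as plain CIDR strings."""
    return [str(net) for net in tags[tag]]


def audit_regional_rule(doc, regional_tag, observed_ips):
    """For destination IPs seen in firewall logs, report which a regional-only
    rule would block even though they belong to the full tag."""
    tags = load_tag_prefixes(doc)
    blocked = []
    for ip in observed_ips:
        if is_allowed(ip, tags[FULL_TAG]) and not is_allowed(ip, tags[regional_tag]):
            blocked.append(ip)
    return blocked


if __name__ == "__main__":
    doc = load_sample()
    tags = load_tag_prefixes(doc)
    print("change number:", doc["changeNumber"])
    print("allow:", firewall_rules(tags))
    print("missing from AustraliaEast sub-tag:",
          [str(n) for n in global_only_prefixes(tags, "AzureArcInfrastructure.AustraliaEast")])
    print("would be blocked:",
          audit_regional_rule(doc, "AzureArcInfrastructure.AustraliaEast",
                              ["203.0.113.7", "198.51.100.5"]))
```

Run it against the real JSON by replacing load_sample() with a parse of the downloaded file; compare changeNumber between runs to detect the weekly updates the article mentions, and treat a non-empty audit_regional_rule result as the signal that a firewall was built from the regional tag alone.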

For more information, see Virtual network service tags.

Important

To filter traffic by IP addresses in Azure Government or Azure operated by 21Vianet, be sure to add the IP addresses from the AzureArcInfrastructure service tag for the Azure public cloud, in addition to using the AzureArcInfrastructure service tag for your cloud. After October 28, 2025, adding the AzureArcInfrastructure service tag for Azure public cloud will be required, and the service tags for Azure Government and Azure operated by 21Vianet will no longer be supported.

URLs

This table lists the URLs that must be available to install and use the Connected Machine agent.

Note

When you configure the Connected Machine agent to communicate with Azure through a private link, some endpoints must still be accessed through the internet. The Private link capable column in the following table shows the endpoints that you can configure with a private endpoint. If the column shows Public for an endpoint, you must still allow access to that endpoint through your organization's firewall and/or proxy server for the agent to function. Network traffic is routed through private endpoints if a private link scope is assigned.

| Agent resource | Description | When required | Private link capable |
|---|---|---|---|
| download.microsoft.com | Used to download the Windows installation package. | Only at installation time.¹ | Public |
| packages.microsoft.com | Used to download the Linux installation package. | Only at installation time.¹ | Public |
| login.microsoftonline.com | Microsoft Entra ID. | Always. | Public |
| *.login.microsoft.com | Microsoft Entra ID. | Always. | Public |
| pas.windows.net | Microsoft Entra ID. | Always. | Public |
| management.azure.com | Azure Resource Manager is used to create or delete the Azure Arc server resource. | Only when you connect or disconnect a server. | Public, unless a resource management private link is also configured. |
| *.his.arc.azure.com | Metadata and hybrid identity services. | Always. | Private |
| *.guestconfiguration.azure.com | Extension management and guest configuration services. | Always. | Private |
| guestnotificationservice.azure.com, *.guestnotificationservice.azure.com | Notification service for extension and connectivity scenarios. | Always. | Public |
| azgn*.servicebus.windows.net or *.servicebus.windows.net | Notification service for extension and connectivity scenarios. | Always. | Public |
| *.servicebus.windows.net | For Windows Admin Center and Secure Shell (SSH) scenarios. | If you use SSH or Windows Admin Center from Azure. | Public |
| *.waconazure.com | For Windows Admin Center connectivity. | If you use Windows Admin Center. | Public |
| *.blob.core.windows.net | Download source for Azure Arc-enabled server extensions. | Always, except when you use private endpoints. | Not used when a private link is configured. |
| dc.services.visualstudio.com | Agent telemetry. | Optional. Not used in agent versions 1.24+. | Public |
| *.<region>.arcdataservices.com² | For Azure Arc-enabled SQL Server. Sends data processing service, service telemetry, and performance monitoring to Azure. Allows Transport Layer Security (TLS) 1.2 or 1.3 only. | If you use Azure Arc-enabled SQL Server. | Public |
| https://<azure-keyvault-name>.vault.azure.net/, https://graph.microsoft.com/² | For Microsoft Entra authentication with Azure Arc-enabled SQL Server. | If you use Azure Arc-enabled SQL Server. | Public |
| www.microsoft.com/pkiops/certs | Intermediate certificate updates for Extended Security Updates (uses HTTP/TCP 80 and HTTPS/TCP 443). | If you use Extended Security Updates enabled by Azure Arc. Always required for automatic updates, or temporarily if you download certificates manually. | Public |
| dls.microsoft.com | Used by Azure Arc machines to perform license validation. | Required when you use hotpatching, Windows Server Azure Benefits, or Windows Server pay-as-you-go billing on Azure Arc-enabled machines. | Public |

¹ Access to this URL is also needed when updates are performed automatically.

² For details about what information is collected and sent, review Data collection and reporting for SQL Server enabled by Azure Arc.

For extension versions up to and including February 13, 2024, use san-af-<region>-prod.azurewebsites.net. Beginning March 12, 2024, both Azure Arc data processing and Azure Arc data telemetry use *.<region>.arcdataservices.com.
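A practical way to use the table above is to audit what the machines actually talk to, since the article says to keep inspecting this traffic rather than simply opening the proxy. The following Python is an added example, not Microsoft's code: it takes the endpoint patterns from the Connected Machine agent table, expands <region> the way the article describes, and runs proxy log lines through them to surface destinations the documented list does not cover. It assumes Squid's native log format for the sample lines (which are constructed, with illustrative host labels under the documented domains) and treats a wildcard as any proxy or firewall FQDN rule would, matching one or more characters including dots.

```python
"""Audit proxy logs for hosts outside the documented Arc-enabled servers allowlist.

Added example (not Microsoft's code). The pattern list is copied from the
Connected Machine agent URL table; "<region>" is expanded as the article
describes (region display name with spaces removed, lowercased). "*" matches
one or more characters, dots included, as proxy/firewall FQDN rules usually
do. The log lines are constructed samples in Squid's native format
(time elapsed client code/status bytes method url user hierarchy type).
"""
import re
from urllib.parse import urlsplit

# Patterns from the table. Paths such as /pkiops/certs are dropped for
# matching because a proxy only sees the host for HTTPS CONNECT requests.
ARC_SERVER_ENDPOINTS = [
    "download.microsoft.com",
    "packages.microsoft.com",
    "login.microsoftonline.com",
    "*.login.microsoft.com",
    "pas.windows.net",
    "management.azure.com",
    "*.his.arc.azure.com",
    "*.guestconfiguration.azure.com",
    "guestnotificationservice.azure.com",
    "*.guestnotificationservice.azure.com",
    "azgn*.servicebus.windows.net",
    "*.waconazure.com",
    "*.blob.core.windows.net",
    "dc.services.visualstudio.com",
    "*.<region>.arcdataservices.com",
    "www.microsoft.com/pkiops/certs",
    "dls.microsoft.com",
]

# Constructed sample log. Host labels such as "eus", "azgn-sample" and
# "sample" are illustrative, not real service hosts.
SAMPLE_PROXY_LOG = [
    "1700000000.101 40 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT eus.his.arc.azure.com:443 - HIER_DIRECT/203.0.113.10 -",
    "1700000001.204 35 10.0.0.5 TCP_TUNNEL/200 8192 CONNECT azgn-sample.servicebus.windows.net:443 - HIER_DIRECT/203.0.113.11 -",
    "1700000002.310 60 10.0.0.5 TCP_TUNNEL/200 2048 CONNECT login.microsoftonline.com:443 - HIER_DIRECT/203.0.113.12 -",
    "1700000003.415 50 10.0.0.5 TCP_TUNNEL/200 4096 CONNECT sample.eastus2.arcdataservices.com:443 - HIER_DIRECT/203.0.113.13 -",
    "1700000004.520 20 10.0.0.5 TCP_MISS/200 3100 GET http://www.microsoft.com/pkiops/certs/ - HIER_DIRECT/203.0.113.14 application/pkix-cert",
    "1700000005.625 45 10.0.0.5 TCP_TUNNEL/200 1024 CONNECT unapproved.example.net:443 - HIER_DIRECT/203.0.113.15 -",
]


def region_segment(region_display_name):
    """'East US 2' -> 'eastus2', the region segment used in regional endpoints."""
    return region_display_name.replace(" ", "").lower()


def pattern_to_regex(pattern):
    """Turn an allowlist pattern into an anchored, case-insensitive host regex."""
    host = pattern.split("/", 1)[0]
    pieces = [re.escape(p) for p in host.split("*")]
    return re.compile("^" + ".+".join(pieces) + "$", re.IGNORECASE)


def build_matchers(region):
    """(original pattern, compiled regex) pairs with <region> expanded."""
    seg = region_segment(region)
    return [(p, pattern_to_regex(p.replace("<region>", seg))) for p in ARC_SERVER_ENDPOINTS]


def host_from_log_line(line):
    """Destination host from a Squid native-format line, or None if unparsable."""
    fields = line.split()
    if len(fields) < 7:
        return None
    method, target = fields[5], fields[6]
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return urlsplit(target).hostname or None


def audit(lines, region):
    """Return (host, matched_pattern or None) for every parsable request."""
    matchers = build_matchers(region)
    results = []
    for line in lines:
        host = host_from_log_line(line)
        if host is None:
            continue
        matched = next((p for p, rx in matchers if rx.match(host)), None)
        results.append((host, matched))
    return results


def unexpected_hosts(lines, region):
    """Hosts reached that the documented allowlist does not cover; review
    these rather than widening the proxy rule."""
    return sorted({host for host, matched in audit(lines, region) if matched is None})


if __name__ == "__main__":
    for host, matched in audit(SAMPLE_PROXY_LOG, "East US 2"):
        print(f"{host:45} -> {matched}")
    print("review:", unexpected_hosts(SAMPLE_PROXY_LOG, "East US 2"))
```

A host that matches a pattern is not thereby proven benign (*.blob.core.windows.net in particular is shared by many tenants), so keep the inspection the article asks for; the value of the audit is the complement, the list of destinations that no documented rule explains. A stricter single-label wildcard can be had by replacing ".+" with "[^.]+" in pattern_to_regex.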

Note

To translate the *.servicebus.windows.net wildcard into specific endpoints, use the command GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>, replacing the <region> placeholder with your region. These endpoints might change periodically.

To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, for the East US 2 region, the region segment is eastus2.

For example: *.<region>.arcdataservices.com should be *.eastus2.arcdataservices.com in the East US 2 region.

To see a list of all regions, run one of these commands (Azure CLI or Azure PowerShell):

az account list-locations -o table
Get-AzLocation | Format-Table

Cryptographic protocols

To ensure the security of data in transit to Azure, we strongly encourage you to configure machines to use TLS 1.2 and 1.3. Older versions of TLS/Secure Sockets Layer (SSL) were found to be vulnerable. Although they still currently work to allow backward compatibility, they aren't recommended.

Starting from version 1.56 of the Connected Machine agent (Windows only), the following cipher suites must be configured for at least one of the recommended TLS versions:

  • TLS 1.3 (suites in server-preferred order):

    • TLS_AES_256_GCM_SHA384 (0x1302) ECDH secp521r1 (eq. 15360 bits RSA) FS
    • TLS_AES_128_GCM_SHA256 (0x1301) ECDH secp256r1 (eq. 3072 bits RSA) FS
  • TLS 1.2 (suites in server-preferred order):

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp521r1 (eq. 15360 bits RSA) FS
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS

For more information, see Windows TLS configuration issues.

The SQL Server enabled by Azure Arc endpoints located at *.<region>.arcdataservices.com support only TLS 1.2 and 1.3. Only Windows Server 2012 R2 and later have support for TLS 1.2. The SQL Server enabled by Azure Arc telemetry endpoint isn't supported for Windows Server 2012 or Windows Server 2012 R2.

| Platform/Language | Support | More information |
|---|---|---|
| Linux | Linux distributions tend to rely on OpenSSL for TLS 1.2 support. | Check the OpenSSL Changelog to confirm that your version of OpenSSL is supported. |
| Windows Server 2012 R2 and later | Supported and enabled by default. | Confirm that you're still using the default settings. |
| Windows Server 2012 | Partially supported. Not recommended. | Some endpoints still work, but other endpoints require TLS 1.2 or later, which isn't available on Windows Server 2012. |
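The protocol and cipher-suite policy above can be expressed as a client configuration and used to probe an endpoint before rolling the agent out on a hardened host. The following Python is an added example, not Microsoft's code and not the agent's own TLS stack: it pins the minimum version to TLS 1.2, restricts the TLS 1.2 suite list to the two ECDHE-RSA AES-GCM suites from the list, and judges a negotiated (version, cipher) pair against the four listed suites. It assumes an OpenSSL-backed Python ssl module (the situation on the Linux hosts the table says rely on OpenSSL) and the standard IANA-to-OpenSSL cipher-suite name mapping.

```python
"""TLS client policy matching the article's Connected Machine agent requirements
(TLS 1.2/1.3 only, the four listed AEAD suites), plus an endpoint probe.

Added example (not Microsoft's code or the agent's TLS stack). Assumes an
OpenSSL-backed Python ssl module and the standard IANA-to-OpenSSL
cipher-suite name mapping.
"""
import socket
import ssl
import sys

# TLS 1.2 suites from the article, IANA name -> OpenSSL name.
TLS12_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}
# TLS 1.3 suites from the article; OpenSSL reports these under their IANA names.
TLS13_SUITES = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def make_client_context():
    """Certificate-verifying context limited to TLS 1.2+ and the listed suites."""
    ctx = ssl.create_default_context()  # CA chain + hostname verification, as the agent requires
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0/1.1 and SSL are never offered
    ctx.set_ciphers(":".join(TLS12_SUITES.values()))  # governs the TLS 1.2 suite list only
    return ctx


def enabled_tls12_suites(ctx):
    """OpenSSL names of the TLS 1.2 suites the context will offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def meets_policy(version, cipher_name):
    """Judge a negotiated (version, cipher) pair against the article's list."""
    if version not in ACCEPTED_VERSIONS:
        return False
    if version == "TLSv1.3":
        return cipher_name in TLS13_SUITES
    return cipher_name in TLS12_SUITES.values()


def probe(host, port=443, timeout=5.0):
    """Handshake with host and return (version, cipher, policy_ok).

    ssl.SSLError is raised when the peer cannot satisfy the policy at all,
    which is the signal an operator wants before enabling a hardened TLS
    configuration on the machine.
    """
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version, cipher = tls.version(), tls.cipher()[0]
            return version, cipher, meets_policy(version, cipher)


if __name__ == "__main__":
    # Usage: python this_script.py <hostname>
    # e.g. a regional *.<region>.arcdataservices.com host from the table above.
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <hostname>")
    print(probe(sys.argv[1]))
```

On Windows the equivalent check is against SCHANNEL rather than OpenSSL, which is why the article points at the Windows TLS configuration guidance separately; this script is the Linux-side counterpart and also a quick way to confirm that a proxy in the path does not downgrade the connection below the policy.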

Subset of endpoints for ESU only

If you use Azure Arc-enabled servers only for Extended Security Updates for either or both of the following products:

  • Windows Server 2012
  • SQL Server 2012

you can enable just the following subset of endpoints.

| Agent resource | Description | When required | Endpoint used with private link |
|---|---|---|---|
| download.microsoft.com | Used to download the Windows installation package. | Only at installation time.¹ | Public |
| login.windows.net | Microsoft Entra ID. | Always. | Public |
| login.microsoftonline.com | Microsoft Entra ID. | Always. | Public |
| *.login.microsoft.com | Microsoft Entra ID. | Always. | Public |
| management.azure.com | Azure Resource Manager is used to create or delete the Azure Arc server resource. | Only when you connect or disconnect a server. | Public, unless a resource management private link is also configured. |
| *.his.arc.azure.com | Metadata and hybrid identity services. | Always. | Private |
| *.guestconfiguration.azure.com | Extension management and guest configuration services. | Always. | Private |
| www.microsoft.com/pkiops/certs | Intermediate certificate updates for Extended Security Updates (uses HTTP/TCP 80 and HTTPS/TCP 443). | Always for automatic updates, or temporarily if you download certificates manually. | Public |
| *.<region>.arcdataservices.com | Azure Arc data processing service and service telemetry. | SQL Server Extended Security Updates. | Public |
| *.blob.core.windows.net | Download SQL Server Extension package. | SQL Server Extended Security Updates. | Not required if you use Azure Private Link. |

¹ Access to this URL is also needed when you perform updates automatically.

For more information, see Connected Machine agent network requirements.

Azure Arc resource bridge

This section describes additional networking requirements specific to deploying Azure Arc resource bridge in your enterprise. These requirements also apply to Azure Arc-enabled VMware vSphere and Azure Arc-enabled System Center Virtual Machine Manager.

Outbound connectivity requirements

The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Arc resource bridge VM (initially deployed), Arc resource bridge VM 2 (upgrade creates a new VM using a different VM IP), and Control Plane IP to the required Arc resource bridge URLs.

Important

When onboarding Arc Resource Bridge, you must provide two IP addresses for the appliance VMs. These are specified as either:

  • A range of IPs
  • Two individual IPs (one for each VM)

To ensure successful upgrades, all appliance VM IPs must have outbound access to the required URLs. Make sure these URLs are allowlisted in your network.

Firewall/Proxy URL allowlist

| Service | Port | URL | Direction | Notes |
|---|---|---|---|---|
| SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download product catalog, product bits, and OS images from SFS. |
| Resource bridge (appliance) image download | 443 | msk8s.sb.tlu.dl.delivery.mp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download the Arc Resource Bridge OS images. |
| Microsoft Container Registry | 443 | mcr.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Discover container images for Arc Resource Bridge. |
| Microsoft Container Registry | 443 | *.data.mcr.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download container images for Arc Resource Bridge. |
| Windows NTP Server | 123 (UDP) | time.windows.com | Management machine & Appliance VM IPs (if Hyper-V default is Windows NTP) need outbound connection on UDP. | OS time sync in appliance VM & Management machine (Windows NTP). |
| Azure Resource Manager | 443 | management.azure.com | Management machine & Appliance VM IPs need outbound connection. | Manage resources in Azure. |
| Microsoft Graph | 443 | graph.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Required for Azure RBAC. |
| Azure Resource Manager | 443 | login.microsoftonline.com | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
| Azure Resource Manager | 443 | *.login.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
| Azure Resource Manager | 443 | login.windows.net | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
| Resource bridge (appliance) Dataplane service | 443 | *.dp.prod.appliances.azure.com | Appliance VM IPs need outbound connection. | Communicate with resource provider in Azure. |
| Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, ecpacr.azurecr.io | Appliance VM IPs need outbound connection. | Required to pull container images. |
| Managed Identity | 443 | *.his.arc.azure.com | Appliance VM IPs need outbound connection. | Required to pull system-assigned Managed Identity certificates. |
| Azure Arc for Kubernetes container image download | 443 | azurearcfork8s.azurecr.io | Appliance VM IPs need outbound connection. | Pull container images. |
| ADHS telemetry service | 443 | adhs.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data from appliance VM. |
| Microsoft events data service | 443 | v20.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Send diagnostic data from Windows. |
| Log collection for Arc Resource Bridge | 443 | linuxgeneva-microsoft.azurecr.io | Appliance VM IPs need outbound connection. | Push logs for Appliance managed components. |
| Resource bridge components download | 443 | kvamanagementoperator.azurecr.io | Appliance VM IPs need outbound connection. | Pull artifacts for Appliance managed components. |
| Microsoft open source packages manager | 443 | packages.microsoft.com | Appliance VM IPs need outbound connection. | Download Linux installation package. |
| Custom Location | 443 | sts.windows.net | Appliance VM IPs need outbound connection. | Required for Custom Location. |
| Azure Arc | 443 | guestnotificationservice.azure.com | Appliance VM IPs need outbound connection. | Required for Azure Arc. |
| Diagnostic data | 443 | gcs.prod.monitoring.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
| Diagnostic data | 443 | *.prod.microsoftmetrics.com | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
| Diagnostic data | 443 | *.prod.hot.ingest.monitor.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
| Diagnostic data | 443 | *.prod.warm.ingest.monitor.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
| Azure portal | 443 | *.arc.azure.net | Appliance VM IPs need outbound connection. | Manage cluster from Azure portal. |
| Azure service bus | 443 | *.servicebus.windows.net | Appliance VM IPs need outbound connection. | Enables secure control channel. |
| Azure CLI | 443 | *.blob.core.windows.net | Management machine needs outbound connection. | Download Azure CLI Installer. |
| Arc Extension | 443 | *.web.core.windows.net | Management machine needs outbound connection. | Download Arc resource bridge extension. |
| Azure Arc Agent | 443 | *.dp.kubernetesconfiguration.azure.com | Management machine needs outbound connection. | Dataplane used for Arc agent. |
| Python package | 443 | pypi.org, *.pypi.org | Management machine needs outbound connection. | Validate Kubernetes and Python versions. |
| Azure CLI | 443 | pythonhosted.org, *.pythonhosted.org | Management machine needs outbound connection. | Python packages for Azure CLI installation. |

Inbound connectivity requirements

Communication over the following ports must be allowed between the management machine, appliance VM IPs, and control plane IPs. Ensure these ports are open and that traffic is not being routed through a proxy, so that Arc resource bridge can be deployed and maintained.

Important

During onboarding, you must provide two IP addresses for the Arc Resource Bridge appliance VMs — either as a range or as two individual IPs. For successful deployment, operations, and upgrades:

  • Ensure communication is allowed between the management machine, appliance VM IPs, and control plane IPs over the required ports as listed below.
  • Do not route traffic through a proxy for these connections.

| Service | Port | IP/machine | Direction | Notes |
|---|---|---|---|---|
| SSH | 22 | appliance VM IPs and Management machine | Bidirectional | Management machine connects outbound to the appliance VM IPs. Appliance VM IPs must allow inbound connections. |
| Kubernetes API server | 6443 | appliance VM IPs and Management machine | Bidirectional | Management machine connects outbound to the appliance VM IPs. Appliance VM IPs must allow inbound connections. |
| SSH | 22 | control plane IP and Management machine | Bidirectional | Used for deploying and maintaining the appliance VM. |
| Kubernetes API server | 6443 | control plane IP and Management machine | Bidirectional | Management of the appliance VM. |
| HTTPS | 443 | private cloud control plane address and Management machine | Management machine needs outbound connection. | Communication with private cloud (for example, VMware vCenter address and vSphere datastore). |
| Kubernetes API server | 6443, 2379, 2380, 10250, 10257, 10259 | appliance VM IPs (to each other) | Bidirectional | Required for appliance VM upgrade. Ensure all appliance VM IPs have outbound connectivity to each other over these ports. |
| HTTPS | 443 | private cloud control plane address and appliance VM IPs | Appliance VM IPs need outbound connection. | Communication with private cloud (for example, VMware vCenter address and vSphere datastore). |

For more information, see Azure Arc resource bridge network requirements.

Azure Arc-enabled VMware vSphere

Azure Arc-enabled VMware vSphere also requires:

| Service | Port | URL | Direction | Notes |
|---|---|---|---|---|
| vCenter Server | 443 | URL of the vCenter server | Appliance VM IP and control plane endpoint need outbound connection. | Used by the vCenter server to communicate with the Appliance VM and the control plane. |
| VMware Cluster Extension | 443 | azureprivatecloud.azurecr.io | Appliance VM IPs need outbound connection. | Pull container images for Microsoft.VMWare and Microsoft.AVS Cluster Extension. |
| Azure CLI and Azure CLI Extensions | 443 | *.blob.core.windows.net | Management machine needs outbound connection. | Download Azure CLI Installer and Azure CLI extensions. |
| Azure Resource Manager | 443 | management.azure.com | Management machine needs outbound connection. | Required to create/update resources in Azure using ARM. |
| Helm Chart for Azure Arc Agents | 443 | *.dp.kubernetesconfiguration.azure.com | Management machine needs outbound connection. | Data plane endpoint for downloading the configuration information of Arc agents. |
| Azure CLI | 443 | login.microsoftonline.com, aka.ms | Management machine needs outbound connection. | Required to fetch and update Azure Resource Manager tokens. |

For more information, see Support matrix for Azure Arc-enabled VMware vSphere.

Azure Arc-enabled System Center Virtual Machine Manager

Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) also requires:

| Service | Port | URL | Direction | Notes |
|---|---|---|---|---|
| SCVMM management Server | 443 | URL of the SCVMM management server | Appliance VM IP and control plane endpoint need outbound connection. | Used by the SCVMM server to communicate with the Appliance VM and the control plane. |

For more information, see Overview of Arc-enabled System Center Virtual Machine Manager.

Additional endpoints

Depending on your scenario, you might need connectivity to other URLs, such as those used by the Azure portal, management tools, or other Azure services. In particular, review these lists to ensure that you allow connectivity to any necessary endpoints: