Use Azure Private Link to securely connect servers to Azure Arc

With Azure Private Link, you can securely link Azure platform-as-a-service (PaaS) services to your virtual network by using private endpoints. For many services, you set up an endpoint per resource. Then you can connect your on-premises or multicloud servers with Azure Arc and send all traffic over Azure ExpressRoute or a site-to-site virtual private network (VPN) connection instead of using public networks.

With Azure Arc-enabled servers, you can use a private link scope model to allow multiple servers or machines to communicate with their Azure Arc resources by using a single private endpoint.

This article covers when to use Azure Arc Private Link Scope and how to set it up.

Advantages

With Private Link, you can:

  • Connect privately to Azure Arc without opening any public network access.
  • Ensure that data from the Azure Arc-enabled machine or server is accessed only through authorized private networks. This includes data from virtual machine (VM) extensions installed on the machine or server that provide post-deployment management and monitoring support.
  • Prevent data exfiltration from your private networks by defining which Azure Arc-enabled servers and other Azure resources, such as Azure Monitor, connect through your private endpoint.
  • Securely connect your private on-premises network to Azure Arc by using ExpressRoute and Private Link.
  • Keep all traffic inside the Microsoft Azure backbone network.

For more information, see Key benefits of Azure Private Link.

How it works

Azure Arc Private Link Scope connects private endpoints (and the virtual networks that contain them) to an Azure resource, in this case Azure Arc-enabled servers. When you enable any of the supported VM extensions for Azure Arc-enabled servers, such as Azure Monitor, those extensions also connect to other Azure resources, such as:

  • Log Analytics workspace, which is required for Azure Automation Change Tracking and Inventory, Azure Monitor VM insights, and Azure Monitor log collection with Azure Monitor Agent.
  • Azure Key Vault.
  • Azure Blob Storage, which is required for Custom Script Extension.

Diagram that shows basic resource topology.

To download architecture diagrams in high resolution, visit Jumpstart Gems.

Connectivity from an Azure Arc-enabled server to any other Azure resource requires its own Private Link configuration for that service. This is optional, but we recommend it; each service is configured separately.

For more information about how to configure Private Link for the Azure services listed earlier, see the articles on Azure Automation, Azure Monitor, Key Vault, or Blob Storage.

Important

Private Link is now generally available. Both private endpoint and private link services (service behind a standard load balancer) are generally available. Different Azure PaaS services onboard to Private Link following different schedules. For an updated status of Azure PaaS on Private Link, see Private Link availability. For known limitations, see Private endpoint and Private link service.

  • The private endpoint on your virtual network allows it to reach Azure Arc-enabled servers endpoints through private IPs from your network's pool, instead of using the public IPs of these endpoints. In this way, you can keep using your Azure Arc-enabled servers resource without opening your virtual network to outbound traffic that wasn't requested.
  • Traffic from the private endpoint to your resources goes over the Azure backbone and isn't routed to public networks.
  • You can configure each of your components to allow or deny ingestion and queries from public networks. That provides a resource-level protection so that you can control traffic to specific resources.

Restrictions and limitations

The Azure Arc-enabled servers private link scope object has several limits that you should consider when you plan your Private Link setup:

  • At most, one Azure Arc private link scope can be associated with a virtual network.
  • An Azure Arc-enabled machine or server resource can connect to only one Azure Arc-enabled servers private link scope.
  • All on-premises machines need to use the same private endpoint by resolving the correct private endpoint information, such as fully qualified domain name (FQDN) record name and private IP address. They need to use the same Domain Name System (DNS) forwarder. For more information, see Azure private endpoint DNS configuration.
  • The Azure Arc-enabled server and the Azure Arc private link scope must be in the same Azure region as each other. The private endpoint and the virtual network must be in the same Azure region as each other, but it can be different from the region of your Azure Arc private link scope and Azure Arc-enabled server.
  • Network traffic to Microsoft Entra ID and Azure Resource Manager doesn't traverse the Azure Arc private link scope and continues to use your default network route to the internet. You can optionally configure a resource management private link to send Resource Manager traffic to a private endpoint.
  • Other Azure services that you use, for example, Azure Monitor, require their own private endpoints in your virtual network.
  • Remote access to the server by using Windows Admin Center or SSH isn't supported over a private link at this time.

To connect your server to Azure Arc over a private link, you must configure your network to accomplish the following tasks:

  1. Establish a connection between your on-premises network and an Azure virtual network by using a site-to-site VPN or ExpressRoute circuit.

  2. Deploy an Azure Arc private link scope, which controls the machines or servers that can communicate with Azure Arc over private endpoints. Associate it with your Azure virtual network by using a private endpoint.

  3. Update the DNS configuration on your local network to resolve the private endpoint addresses.

  4. Configure your local firewall to allow access to Microsoft Entra ID and Resource Manager.

  5. Associate the machines or servers that are registered with Azure Arc-enabled servers with the private link scope.

  6. Optionally, deploy private endpoints for other Azure services that manage your machine or server, such as:

    • Azure Monitor
    • Azure Automation
    • Azure Blob Storage
    • Azure Key Vault

This article assumes that you already set up your ExpressRoute circuit or site-to-site VPN connection.

Network configuration

Azure Arc-enabled servers integrate with several Azure services to bring cloud management and governance to your hybrid machines or servers. Most of these services already offer private endpoints. Microsoft Entra ID and Azure Resource Manager are the exceptions: unless you configure a resource management private link for Resource Manager, the agent reaches them over the internet, so you must configure your firewall and routing rules to allow that traffic.

There are two ways to allow access:

  • If your network is configured to route all internet-bound traffic through the Azure VPN or ExpressRoute circuit, you can configure the network security group (NSG) associated with your subnet in Azure. Use service tags to allow outbound TCP 443 (HTTPS) access to Microsoft Entra ID and Azure Resource Manager. The NSG rules should look like the following table:

    Setting                  Microsoft Entra ID rule    Azure rule
    Source                   Virtual network            Virtual network
    Source port ranges       *                          *
    Destination              Service tag                Service tag
    Destination service tag  AzureActiveDirectory       AzureResourceManager
    Destination port ranges  443                        443
    Protocol                 TCP                        TCP
    Action                   Allow                      Allow
    Priority                 150                        151
    Name                     AllowAADOutboundAccess     AllowAzOutboundAccess

    Both rules are outbound. Their priority numbers must be lower (that is, evaluated earlier) than the priority of any rule that denies internet-bound traffic, because the NSG processes rules in ascending priority order and stops at the first match; a deny rule to the Internet service tag placed ahead of them would also block these two service tags, whose address ranges are part of the Internet tag.
  • Configure the firewall on your local network to allow outbound TCP 443 (HTTPS) access to Microsoft Entra ID and Azure by using the downloadable service tag files. The JSON file contains all the public IP address ranges used by Microsoft Entra ID and Azure and is updated monthly to reflect any changes. The Microsoft Entra ID service tag is AzureActiveDirectory. The Azure service tag is AzureResourceManager. Consult with your network administrator and network firewall vendor to learn how to configure your firewall rules.

To understand more about the network traffic flows, see the diagram in the How it works section of this article.
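As an added example (not part of the original article or Microsoft's own tooling), the following Python script models the two NSG rules from the table together with a catch-all deny and checks the ordering constraint: the allow rules for the AzureActiveDirectory and AzureResourceManager service tags must carry a lower priority number than any outbound deny to the Internet tag, otherwise the deny shadows them. The rule sets, names and priorities are constructed to match the table; the NsgRule data model is an assumption, and in practice you would populate it from your infrastructure-as-code or an NSG export.

```python
"""Check an NSG's outbound rules for the Connected Machine agent's internet egress.

Added example (not Microsoft code). The rule sets below are constructed to
mirror the table in this article; the NsgRule model is an assumption, adapt
it to whatever your infrastructure-as-code or NSG export looks like.
"""
from __future__ import annotations

from dataclasses import dataclass

# Service tags the agent must reach over the public internet even with Private Link.
REQUIRED_TAGS = ("AzureActiveDirectory", "AzureResourceManager")


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int                # 100..4096; the NSG evaluates lower numbers first
    direction: str               # "Outbound" or "Inbound"
    access: str                  # "Allow" or "Deny"
    protocol: str                # "Tcp", "Udp" or "*"
    destination: str             # service tag, CIDR or "*"
    dest_ports: tuple[str, ...]  # e.g. ("443",) or ("*",)


def covers_https(rule: NsgRule) -> bool:
    """True if the rule matches TCP 443."""
    return rule.protocol in ("Tcp", "*") and ("443" in rule.dest_ports or "*" in rule.dest_ports)


def blocks_internet(rule: NsgRule) -> bool:
    """A Deny rule to Internet or * also covers the Entra ID and Resource Manager
    tags, because those address ranges are part of the Internet tag."""
    return rule.access == "Deny" and rule.destination in ("Internet", "*") and covers_https(rule)


def check_arc_egress(rules: list[NsgRule]) -> list[str]:
    """Return findings; an empty list means the agent's egress is allowed as intended."""
    findings: list[str] = []
    outbound = [r for r in rules if r.direction == "Outbound"]
    deny_rules = [r for r in outbound if blocks_internet(r)]
    for tag in REQUIRED_TAGS:
        allows = [r for r in outbound
                  if r.access == "Allow" and r.destination == tag and covers_https(r)]
        if not allows:
            findings.append(f"no outbound Allow rule for TCP 443 to service tag {tag}")
            continue
        best = min(allows, key=lambda r: r.priority)
        for deny in deny_rules:
            if deny.priority < best.priority:  # lower number wins, so the deny is hit first
                findings.append(
                    f"Allow rule {best.name} (priority {best.priority}) to {tag} is shadowed "
                    f"by Deny rule {deny.name} (priority {deny.priority})")
    return findings


# Constructed rule set that matches the article's table, with a catch-all deny at the end.
GOOD_RULES = [
    NsgRule("AllowAADOutboundAccess", 150, "Outbound", "Allow", "Tcp", "AzureActiveDirectory", ("443",)),
    NsgRule("AllowAzOutboundAccess", 151, "Outbound", "Allow", "Tcp", "AzureResourceManager", ("443",)),
    NsgRule("DenyInternetOutbound", 4000, "Outbound", "Deny", "*", "Internet", ("*",)),
]

# Same rules, but the deny was given a lower number and now shadows both allows.
BAD_RULES = [GOOD_RULES[0], GOOD_RULES[1],
             NsgRule("DenyInternetOutbound", 100, "Outbound", "Deny", "*", "Internet", ("*",))]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, check_arc_egress(rules) or "OK")
```

The check is worth wiring into a pre-deployment test, because NSG rule ordering is exactly the kind of change that silently breaks agent onboarding: the Entra ID and Resource Manager ranges are a subset of the Internet tag, so moving a deny rule ahead of the two allows is enough to cut the agent off.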

Create a private link scope

  1. Sign in to the Azure portal.

  2. Go to Create a resource in the Azure portal, search for Azure Arc Private Link Scope, and then select Create.

    Screenshot that shows the Azure Arc private link scope with the Create button.

    Alternately, go directly to the Azure Arc Private Link Scopes page in the portal, and then select Create.

  3. On the Basics tab, select a subscription and resource group.

  4. Enter a name for the Azure Arc private link scope. It's best to use a meaningful and clear name.

  5. Optionally, you can require every Azure Arc-enabled machine or server associated with this Azure Arc private link scope to send data to the service only through the private endpoint. To do so, leave the Allow public network access checkbox cleared. Select the checkbox only if machines or servers associated with this scope must also be able to reach the service over public networks. You can change this setting after you create the scope as needed.

  6. Select the Private endpoint tab, and then select Create.

  7. On the Create private endpoint pane:

    1. Enter a name for the endpoint.

    2. For Integrate with private DNS zone, select Yes, and let it automatically create a new private DNS zone.

      Note

      If you choose No and prefer to manage DNS records manually, first finish setting up your private link, including this private endpoint and the private scope configuration. Then, configure your DNS according to the instructions in Azure private endpoint DNS configuration. Make sure not to create empty records as preparation for your private link setup. The DNS records that you create can override existing settings and affect your connectivity with Azure Arc-enabled servers.

      You can't use the same virtual network/DNS zone for both Azure Arc resources that use private links and ones that don't use private links. Azure Arc resources that aren't connected to private links must resolve to public endpoints.

    3. Select OK.

  8. Select Review + create.

    Screenshot that shows the Create Private Link Scope window.

  9. Let the validation pass, and then select Create.

Configure on-premises DNS forwarding

Your on-premises machines or servers must be able to resolve the private link DNS records to the private endpoint IP addresses. How you configure this behavior depends on whether you're using:

  • Azure private DNS zones to maintain DNS records.
  • Your own DNS server on-premises and how many servers you configure.

DNS configuration by using Azure-integrated private DNS zones

If you set up private DNS zones for Azure Arc-enabled servers and guest configuration when you create the private endpoint, your on-premises machines or servers must be able to forward DNS queries to the built-in Azure DNS servers to resolve the private endpoint addresses correctly. You need a DNS forwarder in Azure (either a purpose-built VM or an Azure Firewall instance with DNS proxy enabled). Then you can configure your on-premises DNS server to forward queries to Azure to resolve private endpoint IP addresses.

For more information, see Azure DNS Private Resolver with on-premises DNS forwarder.

Manual DNS server configuration

If you opted out of using Azure private DNS zones during private endpoint creation, you need to create the required DNS records in your on-premises DNS server.

  1. In the Azure portal, go to the private endpoint resource associated with your virtual network and private link scope.

  2. On the service menu, under Settings, select DNS configuration to see a list of the DNS records and corresponding IP addresses that you need to set up on your DNS server. The FQDNs and IP addresses change based on the region that you selected for your private endpoint and the available IP addresses in your subnet.

  3. Follow the guidance from your DNS server vendor to add the necessary DNS zones and A records to match the table in the portal. Ensure that you select a DNS server that was appropriately scoped for your network. Every machine or server that uses this DNS server now resolves the private endpoint IP addresses. Each machine or server must be associated with the Azure Arc private link scope, or the connection is refused.

Single server scenarios

If you plan to use private links to support only a few machines or servers, you might not want to update your entire network's DNS configuration. In this case, you can add the private endpoint host names and IP addresses to your operating system's Hosts file. Depending on the OS configuration, the Hosts file can be the primary or alternative method for resolving a hostname to an IP address. Hosts entries are static: if you recreate the private endpoint and it receives a different IP address, you must update the Hosts file on every machine by hand.

Windows

  1. Use an account with administrator privileges to open C:\Windows\System32\drivers\etc\hosts.

  2. Add the private endpoint IPs and host names from the DNS configuration listing, as described in Manual DNS server configuration. The hosts file requires the IP address first, followed by a space and then the host name.

  3. Save the file with your changes. You might need to save to another directory first, and then copy the file to the original path.

Linux

  1. Open the /etc/hosts file in a text editor.

  2. Add the private endpoint IPs and host names from the DNS configuration listing, as described in Manual DNS server configuration. The hosts file asks for the IP address first, followed by a space and then the host name.

  3. Save the file with your changes.
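The following Python script is an added example (not from the article or from Microsoft) that turns a private endpoint DNS configuration listing into Hosts-file lines and merges them into an existing Hosts file, replacing stale mappings for the same names. The FQDN-to-IP listing, the endpoint subnet and the sample Hosts content are constructed; take the real values from the private endpoint's DNS configuration page. The subnet check rejects any address outside the private endpoint subnet, which catches the common mistake of pasting a public address into the file.

```python
"""Build and merge Hosts-file entries for the Azure Arc private endpoint.

Added example (not Microsoft code). The FQDN-to-IP listing, the subnet and the
sample Hosts content are constructed stand-ins; copy your own values from the
private endpoint's DNS configuration page in the portal.
"""
from __future__ import annotations

import ipaddress

# Constructed stand-in for the portal's DNS configuration listing.
DNS_CONFIG = {
    "gbl.his.arc.azure.com": "10.1.0.4",
    "agentserviceapi.guestconfiguration.azure.com": "10.1.0.5",
}
# Assumed address space of the subnet that holds the private endpoint.
ENDPOINT_SUBNET = "10.1.0.0/24"


def hosts_entries(dns_config: dict[str, str], endpoint_subnet: str) -> list[str]:
    """One 'IP FQDN' line per record; refuse anything outside the endpoint subnet,
    which would mean a public address was pasted by mistake."""
    subnet = ipaddress.ip_network(endpoint_subnet)
    lines = []
    for fqdn, ip in dns_config.items():
        addr = ipaddress.ip_address(ip)
        if addr not in subnet:
            raise ValueError(f"{fqdn} -> {ip} is not inside {endpoint_subnet}")
        lines.append(f"{addr} {fqdn.lower()}")
    return lines


def merge_hosts(existing: str, entries: list[str]) -> str:
    """Return the Hosts file text with stale lines for the managed names removed
    and the new entries appended, so re-running is idempotent."""
    managed = {e.split()[1] for e in entries}
    kept = []
    for line in existing.splitlines():
        fields = line.split("#", 1)[0].split()   # ignore trailing comments
        if len(fields) >= 2 and any(n.lower() in managed for n in fields[1:]):
            continue                             # drop an old mapping for a name we own
        kept.append(line)
    return "\n".join(kept + entries) + "\n"


# Constructed Hosts file with a leftover public mapping (documentation range) for one Arc endpoint.
SAMPLE_HOSTS = """127.0.0.1 localhost
# left over from an earlier test
203.0.113.1 gbl.his.arc.azure.com
"""

if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS, hosts_entries(DNS_CONFIG, ENDPOINT_SUBNET)), end="")
```

Write the returned text back to C:\Windows\System32\drivers\etc\hosts or /etc/hosts with a privileged account. Keeping the merge idempotent lets configuration management rerun it after the private endpoint is recreated and its address changes.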

Connect to an Azure Arc-enabled server

Using a private endpoint requires the Azure Connected Machine agent version 1.4 or later. The Azure Arc-enabled servers deployment script generated in the portal downloads the latest version.

When you connect a machine or server with Azure Arc-enabled servers for the first time, you can optionally connect it to a private link scope.

  1. From your browser, go to the Azure portal.

  2. Go to Machines - Azure Arc.

  3. On the Machines - Azure Arc page, select Add/Create in the upper-left corner, and then select Add a machine from the dropdown menu.

  4. On the Add servers with Azure Arc page, select either Add a single server or Add multiple servers depending on your deployment scenario, and then select Generate script.

  5. On the Basics page, provide the following information:

    1. Select the subscription and resource group for the machine.

    2. In the Region dropdown list, select the Azure region to store the machine or server metadata.

    3. In the Operating system dropdown list, select the operating system on which the script is configured to run.

    4. Under Connectivity method, select Private endpoint, and then select the Azure Arc private link scope that you created earlier in this article from the dropdown list.

      Screenshot that shows selecting the Private endpoint connectivity option.

    5. Select Next: Tags.

  6. If you selected Add multiple servers, on the Authentication page select the service principal created for Azure Arc-enabled servers from the dropdown list. If you need to create one, review how to create a service principal to learn about the required permissions and steps. Select Next: Tags to continue.

  7. On the Tags page, review the default Physical location tags suggested and enter a value, or specify one or more custom tags to support your standards.

  8. Select Next: Download and run script.

  9. On the Download and run script page, review the summary information, and then select Download.

After you download the script, run it on your machine or server by using a privileged (administrator or root) account. Depending on your network configuration, you might need to download the agent from a computer with internet access, transfer it to your machine or server, and then modify the script with the path to the agent.

You can download the Windows agent and the Linux agent. Look for the latest version of azcmagent in the directory for your OS distribution and install it with your local package manager.

The script returns status messages that let you know if onboarding was successful after it finishes.

Network traffic from the Azure Connected Machine agent to Microsoft Entra ID (login.windows.net, login.microsoftonline.com, pas.windows.net) and Resource Manager (management.azure.com) continues to use public endpoints. If your server must go through a proxy server to reach these endpoints, configure the agent with the proxy server URL (azcmagent config set proxy.url) before you connect it to Azure. If the private endpoint isn't reachable from the proxy server, also configure a proxy bypass for the Azure Arc services (azcmagent config set proxy.bypass) so that traffic to the private link FQDNs goes directly to the private endpoint instead of through the proxy.

Configure an existing Azure Arc-enabled server

For Azure Arc-enabled servers that were onboarded before you created your private link scope, you can associate them with the Azure Arc-enabled servers private link scope so that they start using it.

  1. In the Azure portal, go to your Azure Arc private link scope resource.

  2. On the service menu, under Configure, select Azure Arc resources, and then select + Add.

  3. Select the servers in the list that you want to associate with the private link scope, and then choose Select to save your changes.

    Screenshot that shows selecting Azure Arc resources.

It might take up to 15 minutes for the private link scope to accept connections from the recently associated servers.

Troubleshooting

If you run into problems, the following suggestions might help:

  • Check your on-premises DNS server to verify that it's either forwarding to Azure DNS or is configured with appropriate A records in your private link zone. These lookup commands should return private IP addresses in your Azure virtual network. If they resolve public IP addresses, double-check your machine or server and network's DNS configuration.

    nslookup gbl.his.arc.azure.com
    nslookup agentserviceapi.guestconfiguration.azure.com
    
  • For issues with onboarding a machine or server, confirm that you added the Microsoft Entra ID and Resource Manager service tags to your local network firewall. The agent needs to communicate with these services over the internet until private endpoints are available for these services.
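As an added example (not from the article or from Microsoft), this Python check automates the nslookup test above: it resolves each Azure Arc private link FQDN through the machine's configured DNS and reports any answer that falls outside your virtual network's address space. The VNet prefix, the offline answers and the fake resolver are constructed so that the script runs without network access; on the on-premises machine, call check_private_resolution without the resolver argument to test the real DNS path, Hosts file included.

```python
"""Verify that the Azure Arc private link FQDNs resolve to private endpoint addresses.

Added example (not Microsoft code). The two FQDNs are the ones the article
checks with nslookup; the VNet prefix, FAKE_ANSWERS and fake_resolver are
constructed for an offline run. Use the default os_resolver on a real machine.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable

ARC_PRIVATE_LINK_HOSTS = (
    "gbl.his.arc.azure.com",
    "agentserviceapi.guestconfiguration.azure.com",
)


def os_resolver(fqdn: str) -> list[str]:
    """All IPv4 answers the machine's configured DNS returns (Hosts file included)."""
    return socket.gethostbyname_ex(fqdn)[2]


def check_private_resolution(hosts, vnet_prefixes,
                             resolver: Callable[[str], list[str]] = os_resolver) -> dict[str, str]:
    """Map each FQDN to 'OK' or a 'FAIL: ...' reason. Every answer must fall inside one
    of the VNet prefixes: a single public answer means the agent can leave the private
    path and hit the public endpoint, which a scope with public access disabled rejects."""
    nets = [ipaddress.ip_network(p) for p in vnet_prefixes]
    report: dict[str, str] = {}
    for fqdn in hosts:
        try:
            answers = resolver(fqdn)
        except OSError as exc:                      # socket.gaierror is an OSError
            report[fqdn] = f"FAIL: no answer ({exc})"
            continue
        if not answers:
            report[fqdn] = "FAIL: no answer"
            continue
        public = [a for a in answers if not any(ipaddress.ip_address(a) in n for n in nets)]
        if public:
            report[fqdn] = f"FAIL: resolves to {', '.join(public)} outside {', '.join(vnet_prefixes)}"
        else:
            report[fqdn] = "OK"
    return report


# Constructed answers for an offline run: one correct, one still pointing at a public
# address (203.0.113.0/24 is a documentation range standing in for a real public IP).
FAKE_ANSWERS = {
    "gbl.his.arc.azure.com": ["10.1.0.4"],
    "agentserviceapi.guestconfiguration.azure.com": ["203.0.113.7"],
}


def fake_resolver(fqdn: str) -> list[str]:
    """Offline stand-in for os_resolver; unknown names behave like NXDOMAIN."""
    if fqdn not in FAKE_ANSWERS:
        raise socket.gaierror(f"constructed NXDOMAIN for {fqdn}")
    return FAKE_ANSWERS[fqdn]


if __name__ == "__main__":
    # Assumed VNet address space; replace with your own prefixes.
    for fqdn, status in check_private_resolution(ARC_PRIVATE_LINK_HOSTS, ["10.1.0.0/16"],
                                                 fake_resolver).items():
        print(f"{fqdn}: {status}")
```

Checking every answer rather than only the first matters when a DNS server returns both a private and a public record for the same name: clients round-robin between them and the failure shows up only intermittently.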

For more troubleshooting help, see Troubleshoot Azure private endpoint connectivity problems.