About Azure Arc gateway for Azure Local

This article provides an overview of the Azure Arc gateway for Azure Local (formerly known as Azure Stack HCI). You can enable the Arc gateway on new deployments of Azure Local running software version 2506 and later. This article also describes how to create and delete the Arc gateway resource in Azure.

Use the Arc gateway to significantly reduce the number of required endpoints needed to deploy and manage Azure Local instances. When you create the Arc gateway, connect to and use it for new deployments of Azure Local.

How it works

The Arc gateway works by introducing the following components:

  • Arc gateway resource – An Azure resource that acts as a common entry point for Azure traffic. This gateway resource has a specific domain or URL that you can use. When you create the Arc gateway resource, this domain or URL is part of the success response.

  • Arc proxy – A new component that is added to the Arc agentry. This component runs as a service (called the Azure Arc Proxy) and functions as a forward proxy for the Azure Arc agents and extensions. The Arc proxy doesn't need any configuration: it's part of the Arc core agentry and runs in the context of an Arc-enabled resource.

When you integrate the Arc gateway with Azure Local deployments, each machine gets the Arc proxy along with the other Arc agents.

The following diagram illustrates how traffic flows between the various components:

Diagram of Azure Arc gateway architecture.

The following sections explain how the HTTP and HTTPS traffic flow changes when you use the Arc gateway:

Traffic flows 1-3 for Azure Local host OS

  • Make sure to configure the proxy bypass list for any endpoint that you don't want to send over the Arc gateway.

  • Arc gateway doesn't support HTTP traffic. Configure your proxy or firewall to allow the required HTTP endpoints for Azure Local.

  • All HTTPS traffic not configured in the proxy bypass list is forwarded to Arc gateway.

  • Arc proxy automatically determines the right path for the endpoint. If the Arc gateway doesn't allow the HTTPS endpoint, Arc proxy sends the HTTPS traffic to your enterprise proxy or firewall.

Traffic flow 4 for Azure Arc resource bridge

  • The Azure Arc resource bridge forward proxy is configured to use the cluster IP.

  • With proxy settings in place, the system forwards Arc resource bridge HTTPS traffic to Arc proxy running on one of the Azure Local machines over cluster IP.

Traffic flow 5 for AKS clusters and pods

  • When you deploy AKS clusters on Azure Local with Arc gateway, the system forwards all HTTP and HTTPS traffic from the AKS control plane VM and worker node VMs to the cluster IP as the proxy.

  • If there's an existing firewall between the infrastructure subnet and the AKS subnet, allow traffic on ports 22 and 6443.

  • When you deploy AKS workloads on Azure Local with Arc gateway configured, you still need to allow access to the non-allowed endpoints on the management subnet. If you don't want the traffic routed through the management subnet, configure the non-allowed endpoints via the proxy bypass list during Azure Local deployment.

    For more information, see the Comprehensive list of FQDN endpoints required for AKS on a separated subnet when using Arc gateway.

Traffic flow 6 for Azure Local VMs

  • The system forwards all Arc HTTPS traffic to the Arc gateway configured for the Azure Local VM.
  • If you want to forward all the HTTP and HTTPS traffic from the Azure Local VM to the Arc gateway, you must configure the OS WinInet and WinHTTP proxy settings to use the Arc proxy that's running on http://localhost:40343.
  • If the Arc gateway doesn't allow an endpoint that the Azure Local VM is reaching, the system sends that traffic to the enterprise proxy or firewall.

For more information about the traffic flows, see Deep dive into Azure Arc gateway outbound traffic mode for Azure Local.

Supported and unsupported scenarios

Use the Arc gateway in the following scenarios for Azure Local:

  • Enable Arc gateway during deployment of new Azure Local instances running versions 2506 or later.
  • The Arc gateway resource must be created on the same subscription where you're planning to deploy your Azure Local instance.

Unsupported scenarios for Azure Local include:

  • You can't enable Arc gateway after deployment.

Azure Local endpoints not redirected

The endpoints in the following table are required and are not redirected through the Arc gateway. Add these endpoints to the allowlist in your proxy or firewall to deploy the Azure Local instance:

#  | Required endpoint                                                     | Component
1  | https://aka.ms                                                        | Bootstrap
2  | https://azurestackreleases.download.prss.microsoft.com                | Bootstrap
3  | https://login.microsoftonline.com                                     | Arc registration
4  | https://<region>.login.microsoft.com                                  | Arc registration
5  | https://management.azure.com                                          | Arc registration
6  | https://gbl.his.arc.azure.com                                         | Arc registration
7  | https://<region>.his.arc.azure.com                                    | Arc registration
8  | https://<region>.obo.arc.azure.com:8084                               | Only required for certain AKS workload extensions
9  | https://<yourarcgatewayId>.gw.arc.azure.com                           | Arc gateway
10 | https://<yourkeyvaultname>.vault.azure.net                            | Azure Key Vault
11 | https://<yourblobstorageforcloudwitnessname>.blob.core.windows.net    | Cloud Witness Storage Account
12 | http://ocsp.digicert.com                                              | Certificate Revocation List for Arc extensions
13 | http://s.symcd.com                                                    | Certificate Revocation List for Arc extensions
14 | http://ts-ocsp.ws.symantec.com                                        | Certificate Revocation List for Arc extensions
15 | http://ocsp.globalsign.com                                            | Certificate Revocation List for Arc extensions
16 | http://ocsp2.globalsign.com                                           | Certificate Revocation List for Arc extensions
17 | http://oneocsp.microsoft.com                                          | Certificate Revocation List for Arc extensions
18 | http://crl.microsoft.com/pkiinfra                                     | Certificate Revocation List for Arc extensions
19 | https://dl.delivery.mp.microsoft.com                                  | Windows Update (not required starting with 2504 new deployments)
20 | https://*.tlu.dl.delivery.mp.microsoft.com                            | Windows Update (not required starting with 2506 new deployments)
21 | https://*.windowsupdate.com                                           | Windows Update (not required starting with 2506 new deployments)
22 | https://*.windowsupdate.microsoft.com                                 | Windows Update (not required starting with 2506 new deployments)
23 | https://*.update.microsoft.com                                        | Windows Update (not required starting with 2506 new deployments)
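The routing rules from the traffic-flow section (HTTP never goes over the gateway, bypass-listed HTTPS goes to the enterprise proxy, everything else goes to the Arc gateway) and the not-redirected table above can be turned into a planning check for your firewall allowlist. The script below is an added example, not Microsoft tooling; BYPASS and NOT_REDIRECTED are hypothetical variable names holding constructed sample values, and it assumes the gateway's own allowlist is not known offline, so only the page's table is treated as "never redirected".

```shell
#!/bin/sh
# Added example: classify outbound endpoints under the Arc gateway rules and
# derive the firewall/proxy allowlist. Not part of Azure Local or the az CLI.
set -f   # keep '*' as a wildcard pattern, never a filesystem glob

# Constructed sample proxy bypass list (space-separated shell wildcard patterns).
BYPASS='*.contoso.local 10.0.0.* *.windowsupdate.com'
# Subset of the page's not-redirected table (hosts that always go to the enterprise proxy).
NOT_REDIRECTED='login.microsoftonline.com management.azure.com gbl.his.arc.azure.com *.gw.arc.azure.com *.vault.azure.net'

# match_any HOST PATTERN... -> returns 0 if HOST matches any pattern.
match_any() {
  h=$1; shift
  for pat in "$@"; do
    case "$h" in $pat) return 0 ;; esac
  done
  return 1
}

# route_for URL -> prints "enterprise-proxy" or "arc-gateway" ("unknown" for bad input).
route_for() {
  url=$1
  scheme=${url%%://*}
  host=${url#*://}; host=${host%%/*}; host=${host%%:*}   # strip path and port
  case "$scheme" in
    http)  echo enterprise-proxy; return 0 ;;   # Arc gateway carries no HTTP traffic
    https) ;;
    *)     echo unknown; return 1 ;;
  esac
  # HTTPS on the bypass list is sent straight to the enterprise proxy or firewall.
  if match_any "$host" $BYPASS; then echo enterprise-proxy; return 0; fi
  # HTTPS the page says is never redirected must also be allowed on the firewall.
  if match_any "$host" $NOT_REDIRECTED; then echo enterprise-proxy; return 0; fi
  # Everything else is forwarded by the Arc proxy to the Arc gateway.
  echo arc-gateway
}

# firewall_allowlist URL... -> prints the URLs your enterprise proxy/firewall must allow.
firewall_allowlist() {
  for u in "$@"; do
    [ "$(route_for "$u")" = enterprise-proxy ] && echo "$u"
  done
  return 0
}
```

Feed it the full endpoint list from your deployment plan to see which entries must be allowed directly and which will ride the gateway; an HTTPS endpoint reported as arc-gateway can still fall back to the enterprise proxy at run time if the gateway doesn't allow it.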

Restrictions and limitations

Arc gateway has the following limitations in this release:

  • Arc gateway doesn't support Transport Layer Security (TLS) terminating proxies.
  • Arc gateway doesn't support being used together with ExpressRoute, Site-to-Site VPN, or Private Endpoints.

Create the Arc gateway resource in Azure

You can create an Arc gateway resource using the Azure portal, Azure CLI, or Azure PowerShell.

  1. Sign in to Azure portal.
  2. Go to the Azure Arc > Azure Arc gateway page, and then select Create.
  3. Select the subscription where you're planning to deploy your Azure Local instance.
  4. For Name, enter the name for the Arc gateway resource.
  5. For Location, enter the region where the Arc gateway resource should live. An Arc gateway resource is used by any Arc-enabled resource in the same Azure tenant.
  6. Select Next.
  7. On the Tags page, specify one or more custom tags to support your standards.
  8. Select Review & Create.
  9. Review your details, and then select Create.

The gateway creation process takes 9 to 10 minutes to complete.

Detach or change the Arc gateway association from the machine

To detach the gateway resource from your Arc-enabled server, set the gateway resource ID to null (an empty string in the command). To attach your Arc-enabled server to another Arc gateway resource, update the name and resource ID with the new Arc gateway information:

az arcgateway settings update --resource-group <Resource Group> --subscription <subscription name> --base-provider Microsoft.HybridCompute --base-resource-type machines --base-resource-name <Arc-enabled server name> --gateway-resource-id ""

Delete the Arc gateway resource

Before deleting an Arc gateway resource, ensure that no machines are attached. To delete the gateway resource, run the following command:

az arcgateway delete --resource-group <resource group name> --gateway-name <gateway resource name>

This operation can take a couple of minutes.

Next steps

This feature is available only in Azure Local version 2506 or later.