Simplify network configuration requirements with Azure Arc Gateway (preview)

If you use enterprise proxies to manage outbound traffic, Azure Arc gateway can help simplify the process of enabling connectivity.

The Azure Arc gateway (currently in preview) lets you:

  • Connect to Azure Arc by opening public network access to only seven fully qualified domain names (FQDNs).
  • View and audit all traffic that the Arc agents send to Azure via the Arc gateway.

Important

Azure Arc gateway is currently in preview.

See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

How the Azure Arc gateway works

The Arc gateway works by introducing two new components:

  • The Arc gateway resource is an Azure resource that serves as a common front end for Azure traffic. The gateway resource is served on a specific domain/URL. You must create this resource by following the steps described in this article. After you successfully create the gateway resource, this domain/URL is included in the success response.
  • The Arc Proxy is a new component that runs as its own pod (called Azure Arc Proxy). This component acts as a forward proxy used by Azure Arc agents and extensions. There is no configuration required on your part for the Azure Arc Proxy.

For more information, see how the Azure Arc gateway works.

Important

Azure Local and AKS do not support TLS terminating proxies, ExpressRoute/site-to-site VPN or private endpoints. Also, there is a limit of five Arc gateway resources per Azure subscription.

Before you begin

  • Ensure you complete the prerequisites for creating AKS clusters on Azure Local.

  • This article requires version 1.4.23 or later of Azure CLI. If you use Azure CloudShell, the latest version is already installed.

  • The following Azure permissions are required to create Arc gateway resources and manage their association with AKS Arc clusters:

    • Microsoft.Kubernetes/connectedClusters/settings/default/write
    • Microsoft.hybridcompute/gateways/read
    • Microsoft.hybridcompute/gateways/write
  • You can create an Arc gateway resource using Azure CLI or the Azure portal. For more information about how to create an Arc gateway resource for your AKS clusters and Azure Local, see create the Arc gateway resource in Azure. After you create the Arc gateway resource, get the gateway resource ID by running the following command (PowerShell syntax; the command substitution must not be wrapped in quotes, or the variable holds the literal text instead of the ID):

    $gatewayId = (az arcgateway show --name <gateway's name> --resource-group <resource group> --query id -o tsv)


Confirm access to required URLs

Ensure your Arc gateway URL and all of the URLs below are allowed through your enterprise firewall:

URL and purpose:

  • [Your URL prefix].gw.arc.azure.com: your gateway URL. You can obtain this URL by running az arcgateway list after you create the resource.
  • management.azure.com: Azure Resource Manager endpoint, required for the Azure Resource Manager control channel.
  • <region>.obo.arc.azure.com: required when az connectedk8s proxy is used.
  • login.microsoftonline.com, <region>.login.microsoft.com: Microsoft Entra ID endpoint, used for acquiring identity access tokens.
  • gbl.his.arc.azure.com, <region>.his.arc.azure.com: the cloud service endpoint for communicating with Arc agents. Uses region short names; for example, eus for East US.
  • mcr.microsoft.com, *.data.mcr.microsoft.com: required to pull container images for Azure Arc agents.
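As an added example that is not part of this article, the following POSIX shell script expands the list above for a given gateway URL prefix and region, then probes each host through the proxy named in HTTPS_PROXY so that a blocked entry shows up before you create the cluster. The three arguments (URL prefix, region name, region short name used by the his endpoints) and the use of curl with HTTPS_PROXY are assumptions, not something the article specifies.

```shell
#!/bin/sh
# Added example, not code from the Microsoft Learn article. Assumes HTTPS_PROXY
# points at the enterprise proxy (curl honours it) and that the his endpoints
# take the region short name (e.g. eus) while obo/login take the region name.

# arc_gateway_fqdns <gateway-url-prefix> <region> <region-short-name>
# Prints one required FQDN per line; the wildcard entry is kept verbatim.
arc_gateway_fqdns() {
  prefix=$1; region=$2; short=$3
  printf '%s\n' \
    "${prefix}.gw.arc.azure.com" \
    "management.azure.com" \
    "${region}.obo.arc.azure.com" \
    "login.microsoftonline.com" \
    "${region}.login.microsoft.com" \
    "gbl.his.arc.azure.com" \
    "${short}.his.arc.azure.com" \
    "mcr.microsoft.com" \
    "*.data.mcr.microsoft.com"
}

# arc_gateway_probe <fqdn>: exit 0 if a TLS connection to port 443 completes
# via the proxy. Any HTTP status counts as reachable; curl only exits non-zero
# on DNS, connection, proxy or TLS failures, which is what a blocked URL shows.
arc_gateway_probe() {
  curl --silent --head --output /dev/null --max-time 10 "https://$1/" >/dev/null 2>&1
}

# arc_gateway_check <gateway-url-prefix> <region> <region-short-name>
# Prints OK/BLOCKED/SKIP per entry; returns the number of blocked hosts.
# A here-document keeps the loop in the current shell so the counter survives.
arc_gateway_check() {
  blocked=0
  while IFS= read -r fqdn; do
    case $fqdn in
      \**) printf 'SKIP    %s (wildcard: confirm the firewall rule manually)\n' "$fqdn"; continue ;;
    esac
    if arc_gateway_probe "$fqdn"; then
      printf 'OK      %s\n' "$fqdn"
    else
      printf 'BLOCKED %s\n' "$fqdn"; blocked=$((blocked + 1))
    fi
  done <<EOF
$(arc_gateway_fqdns "$1" "$2" "$3")
EOF
  return "$blocked"
}
```

Run it as `arc_gateway_check <prefix> eastus eus` after exporting HTTPS_PROXY; a non-zero exit status is the count of hosts the proxy refused.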

Create an AKS Arc cluster with Arc gateway enabled

Run the following command to create an AKS Arc cluster with the Arc gateway enabled:

az aksarc create -n $clusterName -g $resourceGroup --custom-location $customlocationID --vnet-ids $arcVmLogNetId --aad-admin-group-object-ids $aadGroupID --gateway-id $gatewayId --generate-ssh-keys

Update an AKS Arc cluster and enable Arc gateway

Run the following command to update an AKS Arc cluster to enable Arc gateway:

az aksarc update -n $clusterName -g $resourceGroup --gateway-id $gatewayId

Disable Arc gateway on an AKS Arc cluster

Run the following command to disable Arc gateway:

az aksarc update -n $clusterName -g $resourceGroup --disable-gateway

Monitor traffic

To audit your gateway traffic, view the gateway router logs:

  1. Run kubectl get pods -n azure-arc.
  2. Identify the Arc Proxy pod (its name will begin with arc-proxy-).
  3. Run kubectl logs -n azure-arc <Arc Proxy pod name>.

Other scenarios

During the public preview, Arc gateway covers endpoints required for AKS Arc clusters, and a portion of endpoints required for additional Arc-enabled scenarios. Based on the scenarios you adopt, additional endpoints must still be allowed in your proxy.

All endpoints listed for the following scenarios must be allowed in your enterprise proxy when Arc gateway is in use:

Next steps