Configure Arc proxy via registration script for Azure gateway on Azure Local (preview)

Applies to: Azure Local, version 23H2, release 2408, 2408.1, 2408.2, 2411 and 2411.1

After creating the Arc gateway resource in your Azure subscription, you can enable the new Arc gateway preview features. This article details how to configure the Arc proxy before Arc registration using a registration script for the Arc gateway on Azure Local.

Using this method, you don’t need to configure the Arc proxy across WinInet, WinHttp, or environment variables manually.

Important

This feature is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

Make sure the following prerequisites are met before proceeding:

  • You have access to an Azure Local instance running version 23H2.

  • An Arc gateway resource created in the same subscription as used to deploy Azure Local. For more information, see Create the Arc gateway resource in Azure.

Step 1: Get the ArcGatewayID

You need your proxy server details and the ArcGatewayID from Azure to run the registration script on the Azure Local machines. You can find the Arc gateway ID on the Azure portal overview page of the Arc gateway resource.

Step 2: Register new machines in Azure Arc

To register new version 2408 or version 2411 machines in Azure Arc, you run the initialization script by passing the ArcGatewayID, Proxy server, and Proxy bypass list parameters.

Here's an example of how you should change these parameters for the Invoke-AzStackHciArcInitialization initialization script. Once registration is completed, the Azure Local machines are registered in Azure Arc using the Arc gateway:

#Define the subscription where you want to register your server as Arc device.
$Subscription = "yoursubscription"

#Define the resource group where you want to register your server as Arc device.
$RG = "yourresourcegroupname"

#Define the tenant to use to register your server as Arc device.
$Tenant = "yourtenant"

#Define the proxy server, if necessary.
$ProxyServer = "http://x.x.x.x:port"

#Define the Arc gateway resource ID from Azure.
$ArcgwId = "/subscriptions/yourarcgatewayid/resourceGroups/yourresourcegroupname/providers/Microsoft.HybridCompute/gateways/yourarcgatewayname"

#Define the bypass list for the proxy. Use a semicolon to separate the items in the list.
# Use "localhost" instead of <local>.
# Use specific IPs such as 127.0.0.1 without a mask.
# Use * to allowlist subnets: 192.168.1.* for /24 exclusions, 192.168.*.* for /16 exclusions.
# Prefix domain names with * for domain exclusions, like *.contoso.com.
# DO NOT INCLUDE .svc in the list. The registration script takes care of the environment variable configuration.

$ProxyBypassList = "localhost;127.0.0.1;*.contoso.com;machine1;machine2;machine3;machine4;machine5;192.168.*.*;AzureLocal-1"

#Connect to your Azure account and subscription.
Connect-AzAccount -SubscriptionId $Subscription -TenantId $Tenant -DeviceCode

#Get the access token for the registration.
$ARMtoken = (Get-AzAccessToken).Token

#Get the account ID for the registration.
$id = (Get-AzContext).Account.Id

#Invoke the registration script with the proxy and the Arc gateway ID.
Invoke-AzStackHciArcInitialization -SubscriptionID $Subscription -ResourceGroup $RG -TenantID $Tenant -Region australiaeast -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -AccountID $id -Proxy $ProxyServer -ArcGatewayID $ArcgwId -ProxyBypass $ProxyBypassList
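A bypass list that breaks the rules above fails quietly: traffic that should stay on the local network is sent to the proxy instead. The following function, added here as an example and not part of the article or the Azure Local tooling, checks a candidate list against those rules before it is passed as -ProxyBypass. The function name and the sample lists are constructed for illustration.

```powershell
# Added example, not part of the original article or of the Azure Local tooling.
# Checks a proxy bypass list against the formatting rules given in the comments of
# the registration script above. Function name and sample lists are constructed.
function Test-ArcProxyBypassList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$BypassList
    )

    $problems = [System.Collections.Generic.List[string]]::new()
    $entries  = $BypassList -split ';'

    foreach ($raw in $entries) {
        $entry = $raw.Trim()

        if ([string]::IsNullOrEmpty($entry)) {
            $problems.Add("Empty entry: check for a doubled, leading or trailing ';'.")
            continue
        }
        if ($entry -eq '<local>') {
            $problems.Add("'<local>' is not accepted here; use 'localhost'.")
            continue
        }
        # -like is case-insensitive, and the literal '*.svc' matches the pattern too.
        if ($entry -like '*.svc' -or $entry -eq 'svc') {
            $problems.Add("'$entry': do not add .svc entries; the registration script configures them.")
            continue
        }
        # CIDR notation is not accepted; the script comments ask for wildcard octets.
        if ($entry -match '^[\d.*]+/\d{1,2}$') {
            $problems.Add("'$entry': masks are not accepted; use a wildcard such as 192.168.1.* for a /24.")
            continue
        }
        # IPv4 address or wildcard range: exactly four octets, each a number or '*'.
        if ($entry -match '^[\d*]+(\.[\d*]+){3}$') {
            $bad = $entry.Split('.') | Where-Object {
                $_ -ne '*' -and ($_ -notmatch '^\d+$' -or [int]$_ -gt 255)
            }
            if ($bad) { $problems.Add("'$entry': octet '$($bad[0])' is not 0-255 or '*'.") }
            continue
        }
        if ($entry -match '^\d') {
            $problems.Add("'$entry': IP entries need four octets, e.g. 10.0.0.5 or 192.168.1.*.")
            continue
        }
        # A bare leading dot is not a wildcard in this list; the article uses *.contoso.com.
        if ($entry -match '^\.') {
            $problems.Add("'$entry': a leading dot is not a wildcard; use *$entry.")
            continue
        }
        # Host and domain entries: letters, digits, '-', '.', '*' only (no scheme, no spaces).
        if ($entry -notmatch '^[A-Za-z0-9.*-]+$') {
            $problems.Add("'$entry': contains characters that are not valid in a host or domain entry.")
        }
    }

    [pscustomobject]@{
        IsValid    = ($problems.Count -eq 0)
        EntryCount = $entries.Count
        Problems   = $problems.ToArray()
    }
}

# The list from the registration script above passes every check.
Test-ArcProxyBypassList -BypassList "localhost;127.0.0.1;*.contoso.com;machine1;192.168.*.*;AzureLocal-1"

# A constructed list that makes the mistakes the script comments warn about:
# <local>, a CIDR mask, a dot-prefixed domain, a .svc entry and a trailing ';'.
Test-ArcProxyBypassList -BypassList "<local>;10.0.0.0/8;.contoso.com;arc.svc;192.168.1.*;" |
    Select-Object -ExpandProperty Problems
```

Run it against $ProxyBypassList before calling Invoke-AzStackHciArcInitialization; if IsValid is $false, fix the listed entries and re-run rather than registering with a list that will not bypass as intended.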

Step 3: Verify that the setup succeeded

Once the deployment validation starts, you can connect to the first machine from your system and open the Arc gateway log to monitor which endpoints are being redirected to the Arc gateway and which ones continue using your firewall or proxy.

You can find the Arc gateway log at C:\ProgramData\AzureConnectedMachineAgent\Log\arcproxy.log.

Screenshot that shows the Arc gateway log using script.

To check the Arc agent configuration and verify that it is using the gateway, run .\azcmagent show from the C:\Program Files\AzureConnectedMachineAgent directory.

The values displayed should be as follows:

  • Agent version is 1.45 or above.

  • Agent Status should show as Connected.

  • Using HTTPS Proxy is empty when the Arc gateway isn't in use. It shows http://localhost:40343 when the Arc gateway is enabled.

  • Upstream Proxy shows your enterprise proxy server and port.

  • Azure Arc Proxy shows as stopped when the Arc gateway isn't in use, and as running when the Arc gateway is enabled.
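Checking these five values by eye on every machine is error-prone, so here is a small parser and check, added as an example and not part of the article or of the Azure Connected Machine agent. It reads the key/value lines that azcmagent show prints and compares the fields named above against the expected values. The "Key : Value" line layout is an assumption based on the field names the article gives, and the sample output is constructed, not captured from a real machine.

```powershell
# Added example, not part of the original article or of the Azure Connected Machine
# agent. Parses "Key : Value" lines from 'azcmagent show' (layout assumed) and checks
# the five values the article lists. The sample output below is constructed.
function ConvertFrom-AzcmagentShow {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = @{}   # PowerShell hashtables compare keys case-insensitively
    foreach ($line in $Lines) {
        # Split on the first colon so values such as http://localhost:40343 stay intact.
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Test-ArcGatewayAgentState {
    param([Parameter(Mandatory)][hashtable]$Fields)

    $findings = [System.Collections.Generic.List[string]]::new()

    # Agent version is 1.45 or above.
    if ($Fields['Agent Version'] -match '^(\d+)\.(\d+)') {
        $major = [int]$Matches[1]; $minor = [int]$Matches[2]
        if ($major -lt 1 -or ($major -eq 1 -and $minor -lt 45)) {
            $findings.Add("Agent version $($Fields['Agent Version']) is below 1.45.")
        }
    } else {
        $findings.Add("Agent Version not found in the output.")
    }

    # Agent Status should show as Connected.
    if ($Fields['Agent Status'] -ne 'Connected') {
        $findings.Add("Agent Status is '$($Fields['Agent Status'])', expected 'Connected'.")
    }

    # With the gateway enabled the agent sends traffic to the local Arc proxy on port 40343.
    if ($Fields['Using HTTPS Proxy'] -ne 'http://localhost:40343') {
        $findings.Add("Using HTTPS Proxy is '$($Fields['Using HTTPS Proxy'])'; the Arc gateway is not in use.")
    }

    # Upstream Proxy should carry the enterprise proxy server and port.
    if ([string]::IsNullOrWhiteSpace($Fields['Upstream Proxy'])) {
        $findings.Add("Upstream Proxy is empty; no enterprise proxy was recorded.")
    }

    # Azure Arc Proxy is 'running' with the gateway enabled, 'stopped' without it.
    if ($Fields['Azure Arc Proxy'] -ne 'running') {
        $findings.Add("Azure Arc Proxy is '$($Fields['Azure Arc Proxy'])', expected 'running'.")
    }

    [pscustomobject]@{
        UsingArcGateway = ($findings.Count -eq 0)
        Findings        = $findings.ToArray()
    }
}

# Constructed sample: what the article says a gateway-enabled agent should report.
$sample = @(
    'Agent Version     : 1.45.0'
    'Agent Status      : Connected'
    'Using HTTPS Proxy : http://localhost:40343'
    'Upstream Proxy    : http://proxy.contoso.com:3128'
    'Azure Arc Proxy   : running'
)
Test-ArcGatewayAgentState -Fields (ConvertFrom-AzcmagentShow -Lines $sample)

# On an Azure Local machine, use the live output instead (agent path from the article):
# $live = & "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" show
# Test-ArcGatewayAgentState -Fields (ConvertFrom-AzcmagentShow -Lines $live)
```

If UsingArcGateway is $false, the Findings array names the field that deviates; a missing Using HTTPS Proxy value together with a stopped Azure Arc Proxy is the signature of an agent that registered without the gateway and is still sending all traffic through the enterprise proxy.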

The Arc agent without the Arc gateway:

Screenshot that shows the Arc agent without gateway using script.

The Arc agent using the Arc gateway:

Screenshot that shows the Arc agent with gateway using script.

Additionally, to verify that the setup was done successfully, run .\azcmagent check from the C:\Program Files\AzureConnectedMachineAgent directory.

The response should indicate that the connection.type is set to gateway, and the Reachable column should indicate true for all URLs.

The Arc agent without the Arc gateway:

Screenshot that shows the Arc agent without Arc gateway using script.

The Arc agent using the Arc gateway:

Screenshot that shows the Arc agent with Arc gateway using script.

You can also audit your gateway traffic by viewing the gateway router logs.

To view gateway router logs on Windows, run the azcmagent logs command in PowerShell. In the resulting .zip file, the logs are located in the C:\ProgramData\Microsoft\ArcGatewayRouter folder.

Next steps