Azure Arc resource bridge network requirements
This article describes the networking requirements for deploying Azure Arc resource bridge in your enterprise.
General network requirements
Arc resource bridge communicates outbound securely to Azure Arc over TCP port 443. If the appliance needs to connect through a firewall or proxy server to communicate over the internet, it communicates outbound using the HTTPS protocol.
Generally, connectivity requirements include these principles:
- All connections are TCP unless otherwise specified.
- All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
- All connections are outbound unless otherwise specified.
To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.
Outbound connectivity requirements
The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.
Firewall/Proxy URL allowlist
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download product catalog, product bits, and OS images from SFS. |
Resource bridge (appliance) image download | 443 | msk8s.sb.tlu.dl.delivery.mp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download the Arc Resource Bridge OS images. |
Microsoft Container Registry | 443 | mcr.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Discover container images for Arc Resource Bridge. |
Microsoft Container Registry | 443 | *.data.mcr.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download container images for Arc Resource Bridge. |
Windows NTP Server | 123 | time.windows.com | Management machine & Appliance VM IPs (if Hyper-V default is Windows NTP) need outbound connection on UDP. | OS time sync in appliance VM & Management machine (Windows NTP). |
Azure Resource Manager | 443 | management.azure.com | Management machine & Appliance VM IPs need outbound connection. | Manage resources in Azure. |
Microsoft Graph | 443 | graph.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Required for Azure RBAC. |
Azure Resource Manager | 443 | login.microsoftonline.com | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Azure Resource Manager | 443 | *.login.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Azure Resource Manager | 443 | login.windows.net | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Resource bridge (appliance) Dataplane service | 443 | *.dp.prod.appliances.azure.com | Appliance VM IPs need outbound connection. | Communicate with resource provider in Azure. |
Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, ecpacr.azurecr.io | Appliance VM IPs need outbound connection. | Required to pull container images. |
Managed Identity | 443 | *.his.arc.azure.com | Appliance VM IPs need outbound connection. | Required to pull system-assigned Managed Identity certificates. |
Azure Arc for Kubernetes container image download | 443 | azurearcfork8s.azurecr.io | Appliance VM IPs need outbound connection. | Pull container images. |
Azure Arc agent | 443 | k8connecthelm.azureedge.net | Appliance VM IPs need outbound connection. | Deploy Azure Arc agent. |
ADHS telemetry service | 443 | adhs.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data from appliance VM. |
Microsoft events data service | 443 | v20.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Send diagnostic data from Windows. |
Log collection for Arc Resource Bridge | 443 | linuxgeneva-microsoft.azurecr.io | Appliance VM IPs need outbound connection. | Push logs for Appliance managed components. |
Resource bridge components download | 443 | kvamanagementoperator.azurecr.io | Appliance VM IPs need outbound connection. | Pull artifacts for Appliance managed components. |
Microsoft open source packages manager | 443 | packages.microsoft.com | Appliance VM IPs need outbound connection. | Download Linux installation package. |
Custom Location | 443 | sts.windows.net | Appliance VM IPs need outbound connection. | Required for Custom Location. |
Azure Arc | 443 | guestnotificationservice.azure.com | Appliance VM IPs need outbound connection. | Required for Azure Arc. |
Custom Location | 443 | k8sconnectcsp.azureedge.net | Appliance VM IPs need outbound connection. | Required for Custom Location. |
Diagnostic data | 443 | gcs.prod.monitoring.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.microsoftmetrics.com | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.hot.ingest.monitor.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.warm.ingest.monitor.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Azure portal | 443 | *.arc.azure.net | Appliance VM IPs need outbound connection. | Manage cluster from Azure portal. |
Azure CLI & Extension | 443 | *.blob.core.windows.net | Management machine needs outbound connection. | Download Azure CLI Installer and extension. |
Azure Arc Agent | 443 | *.dp.kubernetesconfiguration.azure.com | Management machine needs outbound connection. | Dataplane used for Arc agent. |
Python package | 443 | pypi.org, *.pypi.org | Management machine needs outbound connection. | Validate Kubernetes and Python versions. |
Azure CLI | 443 | pythonhosted.org, *.pythonhosted.org | Management machine needs outbound connection. | Python packages for Azure CLI installation. |
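The following Python script is an added example and is not part of this article or of Microsoft's tooling. It encodes a handful of the rows above as a constructed sample, implements the matching a firewall or proxy allowlist is normally expected to apply to these entries, and offers a plain TCP connect probe for a preflight run from the management machine. The matching semantics are assumptions: a `*.` entry covers names with at least one extra label but never the bare suffix, and an entry without a wildcard must match exactly, so a look-alike name is not covered.

```python
import socket
from typing import List, Tuple

# Constructed sample: a handful of rows from the allowlist table above.
# Each entry is (host pattern, port, protocol).
SAMPLE_ALLOWLIST: List[Tuple[str, int, str]] = [
    ("msk8s.api.cdp.microsoft.com", 443, "tcp"),
    ("mcr.microsoft.com", 443, "tcp"),
    ("*.data.mcr.microsoft.com", 443, "tcp"),
    ("management.azure.com", 443, "tcp"),
    ("*.dp.prod.appliances.azure.com", 443, "tcp"),
    ("time.windows.com", 123, "udp"),
]


def host_matches(pattern: str, host: str) -> bool:
    """True if `host` is covered by allowlist `pattern`.

    Assumed semantics: a leading '*.' covers any name with at least one extra
    label to the left of the suffix but never the bare suffix itself, and an
    entry without a wildcard must match exactly, so a look-alike such as
    notmcr.microsoft.com is not covered by mcr.microsoft.com. Comparison is
    case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.data.mcr.microsoft.com" -> ".data.mcr.microsoft.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(host: str, port: int, proto: str = "tcp",
               allowlist=SAMPLE_ALLOWLIST) -> bool:
    """True if some allowlist entry covers this host, port and protocol."""
    return any(host_matches(p, host) and port == pp and proto.lower() == pr.lower()
               for p, pp, pr in allowlist)


def probe_tcp(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[bool, str]:
    """Plain TCP connect from this machine (no TLS handshake); returns (ok, detail).

    This checks direct reachability only. If the machine must go through a
    proxy, it is the proxy that needs to reach the host, so run the probe
    from the proxy (or test through it) instead.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        return False, str(exc)


def preflight(allowlist=SAMPLE_ALLOWLIST) -> List[Tuple[str, int, object, str]]:
    """Probe every concrete TCP entry.

    Wildcard and UDP entries are reported as skipped: the concrete wildcard
    hostname is only known at runtime, and the NTP port (UDP 123) cannot be
    verified with a TCP connect.
    """
    results = []
    for pattern, port, proto in allowlist:
        if proto != "tcp" or pattern.startswith("*."):
            results.append((pattern, port, None, "skipped: wildcard or non-TCP entry"))
            continue
        ok, detail = probe_tcp(pattern, port)
        results.append((pattern, port, ok, detail))
    return results


if __name__ == "__main__":
    for pattern, port, ok, detail in preflight():
        print(f"{pattern}:{port} -> {ok} ({detail})")
```

The probe confirms only that a TCP session can be opened; it does not validate the TLS certificate chain, and a TLS-terminating proxy in the path can make a connect succeed while the HTTPS request still fails, so treat a green preflight as necessary, not sufficient.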
Inbound connectivity requirements
Communication between the following ports must be allowed from the management machine, Appliance VM IPs, and Control Plane IPs. Ensure these ports are open and that traffic is not being routed through a proxy to facilitate the deployment and maintenance of Arc resource bridge.
Service | Port | IP/machine | Direction | Notes |
---|---|---|---|---|
SSH | 22 | appliance VM IPs and Management machine | Bidirectional | Used for deploying and maintaining the appliance VM. |
Kubernetes API server | 6443 | appliance VM IPs and Management machine | Bidirectional | Management of the appliance VM. |
SSH | 22 | control plane IP and Management machine | Bidirectional | Used for deploying and maintaining the appliance VM. |
Kubernetes API server | 6443 | control plane IP and Management machine | Bidirectional | Management of the appliance VM. |
HTTPS | 443 | private cloud control plane address and Management machine | Management machine needs outbound connection. | Communication with control plane (ex: VMware vCenter address). |
Note
The URLs listed here are required for Arc resource bridge only. Other Arc products (such as Arc-enabled VMware vSphere) may have additional required URLs. For details, see Azure Arc network requirements.
Designated IP ranges for Arc resource bridge
When deploying Arc resource bridge, specific IP ranges are reserved exclusively for the Kubernetes pods and services within the appliance VM. These internal IP ranges must not overlap with any configuration inputs for the resource bridge, such as IP address prefix, control plane IP, appliance VM IPs, DNS servers, proxy servers, or vSphere ESXi hosts. For details on the Arc resource bridge configuration, refer to the system requirements.
Note
These designated IP ranges are only used internally within the Arc resource bridge. They don't affect Azure resources or networks.
Service | Designated IP range |
---|---|
Arc resource bridge Kubernetes pods | 10.244.0.0/16 |
Arc resource bridge Kubernetes services | 10.96.0.0/12 |
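As an added example (not from this article or from Microsoft), the following Python script checks the resource bridge configuration inputs named above against the two designated ranges using the standard `ipaddress` module. The configuration values are constructed to show a collision; the input names are illustrative labels, not configuration keys.

```python
import ipaddress
from typing import Dict, List, Tuple

# Designated ranges from the table above; any resource bridge input that
# overlaps either of them is a configuration error.
DESIGNATED_RANGES = {
    "Kubernetes pods": ipaddress.ip_network("10.244.0.0/16"),
    "Kubernetes services": ipaddress.ip_network("10.96.0.0/12"),
}


def find_overlaps(config: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return one (input name, input value, designated range) tuple per conflict.

    Each value may be a single address (treated as a /32 host) or a CIDR
    prefix such as the IP address prefix given to the resource bridge.
    """
    conflicts = []
    for name, values in config.items():
        for value in values:
            net = ipaddress.ip_network(value, strict=False)
            for range_name, reserved in DESIGNATED_RANGES.items():
                if net.overlaps(reserved):
                    conflicts.append((name, value, range_name))
    return conflicts


# Constructed sample: a site that carved appliance addressing out of 10.96.0.0/12,
# which collides with the Kubernetes services range (10.96.0.0/12 spans
# 10.96.0.0 through 10.111.255.255). DNS and proxy sit in 10.1.0.0/16, which is fine.
SAMPLE_CONFIG = {
    "ip address prefix": ["10.96.10.0/24"],
    "control plane ip": ["10.96.10.5"],
    "appliance vm ips": ["10.96.10.6", "10.96.10.7"],
    "dns servers": ["10.1.0.10"],
    "proxy server": ["10.1.0.20"],
}


if __name__ == "__main__":
    for name, value, range_name in find_overlaps(SAMPLE_CONFIG):
        print(f"{name} = {value} overlaps the designated {range_name} range")
```

Run it with your own values before generating the configuration files; a prefix as wide as 10.0.0.0/8 is reported against both ranges, which is the case that is easiest to miss when a site uses one large private block for everything.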
SSL proxy configuration
Important
Arc Resource Bridge supports only direct (explicit) proxies, including unauthenticated proxies, proxies with basic authentication, SSL terminating proxies, and SSL passthrough proxies.
If using a proxy, the Arc Resource Bridge must be configured to use the proxy in order to connect to Azure services.
To configure the Arc resource bridge with proxy, provide the proxy certificate file path during creation of the configuration files.
The format of the certificate file is Base-64 encoded X.509 (.CER).
Only pass the single proxy certificate. If a certificate bundle is passed, the deployment will fail.
The proxy server endpoint can't be a `.local` domain. The proxy server has to be reachable from all IPs within the IP address prefix, including the control plane and appliance VM IPs.
There are only two certificates that should be relevant when deploying the Arc resource bridge behind an SSL proxy:
- SSL certificate for your SSL proxy (so that the management machine and appliance VM trust your proxy FQDN and can establish an SSL connection to it)
- SSL certificate of the Microsoft download servers. This certificate must be trusted by your proxy server itself, as the proxy is the one establishing the final connection and needs to trust the endpoint. Non-Windows machines may not trust this second certificate by default, so you may need to ensure that it's trusted.
In order to deploy Arc resource bridge, images need to be downloaded to the management machine and then uploaded to the on-premises private cloud gallery. If your proxy server throttles download speed, you may not be able to download the required images (~3.5 GB) within the allotted time (90 min).
Exclusion list for no proxy
If a proxy server is being used, the following table contains the list of addresses that should be excluded from proxy by configuring the `noProxy` settings.
IP Address | Reason for exclusion |
---|---|
localhost, 127.0.0.1 | Localhost traffic |
.svc | Internal Kubernetes service traffic (.svc), where .svc represents a wildcard name. This is equivalent to *.svc, but the wildcard character (*) isn't used in this schema. |
10.0.0.0/8 | Private network address space |
172.16.0.0/12 | Private network address space - Kubernetes Service CIDR |
192.168.0.0/16 | Private network address space - Kubernetes Pod CIDR |
.contoso.com | You may want to exempt your enterprise namespace (.contoso.com) from being directed through the proxy. To exclude all addresses in a domain, you must add the domain to the noProxy list. Use a leading period rather than a wildcard (*) character. In the sample, the addresses .contoso.com excludes addresses prefix1.contoso.com , prefix2.contoso.com , and so on. |
The default value for `noProxy` is `localhost,127.0.0.1,.svc,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16`. While these default values work for many networks, you may need to add more subnet ranges and/or names to the exemption list. For example, you may want to exempt your enterprise namespace (.contoso.com) from being directed through the proxy. You can achieve that by specifying the values in the `noProxy` list.
Important
When listing multiple addresses for the `noProxy` settings, don't add a space after each comma to separate the addresses. The addresses must immediately follow the commas.
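The following Python script is an added example, not code from this article or from Microsoft; it covers both the proxy certificate and endpoint rules in the SSL proxy section above and the `noProxy` rules in this section. It validates a `noProxy` string against the rules stated here (no whitespace after commas, leading period rather than `*`, well-formed CIDRs), decides whether a given host bypasses the proxy, rejects a `.local` proxy endpoint, and checks that the certificate file holds exactly one Base-64 X.509 certificate rather than a bundle. The bypass-matching semantics (exact match for plain names, suffix match for leading-period entries, containment for CIDRs) are assumptions, and the sample certificate body is constructed placeholder bytes, not a real certificate.

```python
import base64
import ipaddress
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Default exclusion list quoted in this article.
DEFAULT_NO_PROXY = "localhost,127.0.0.1,.svc,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"


def validate_no_proxy(value: str) -> List[str]:
    """Return the problems found in a noProxy string (an empty list means it is acceptable).

    Enforces the rules above: no whitespace around the separating commas, a
    leading period rather than '*' for domain exclusions, and CIDR entries
    that actually parse.
    """
    problems = []
    if value != value.strip() or re.search(r",\s|\s,", value):
        problems.append("whitespace next to a comma; each address must immediately follow the comma")
    for entry in value.split(","):
        e = entry.strip()
        if not e:
            problems.append("empty entry (double or trailing comma)")
        elif e.startswith("*"):
            problems.append(f"{e!r}: use a leading period (.contoso.com), not a wildcard")
        elif "/" in e:
            try:
                ipaddress.ip_network(e, strict=False)
            except ValueError:
                problems.append(f"{e!r}: not a valid CIDR range")
    return problems


def bypasses_proxy(host: str, no_proxy: str = DEFAULT_NO_PROXY) -> bool:
    """Decide whether traffic to `host` (a name or an IP literal) skips the proxy.

    Assumed matching semantics: plain names match exactly, a leading-period
    entry matches any name ending in that suffix (so .contoso.com covers
    prefix1.contoso.com but not contoso.com itself), and CIDR entries match
    IP literals by containment.
    """
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in no_proxy.split(","):
        e = entry.strip().lower()
        if not e:
            continue
        if e.startswith("."):
            if host.endswith(e) and len(host) > len(e):
                return True
        elif "/" in e:
            if ip is not None and ip in ipaddress.ip_network(e, strict=False):
                return True
        elif host == e:
            return True
    return False


def proxy_endpoint_problem(proxy_url: str) -> Optional[str]:
    """None if the proxy endpoint (a URL with a scheme, e.g. http://host:port) is acceptable,
    otherwise the reason; a .local domain is not supported."""
    hostname = urlsplit(proxy_url).hostname
    if not hostname:
        return "proxy URL has no host"
    if hostname.rstrip(".").endswith(".local"):
        return "proxy endpoint must not be a .local domain"
    return None


PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def check_proxy_cert(pem_text: str) -> Optional[str]:
    """None if `pem_text` holds exactly one Base-64 (PEM) X.509 certificate, otherwise the reason.

    A bundle is rejected up front because deployment fails when more than one
    certificate is passed; the body is also checked to be valid Base-64.
    """
    bodies = PEM_BLOCK.findall(pem_text)
    if not bodies:
        return "no PEM certificate block found"
    if len(bodies) > 1:
        return f"certificate bundle with {len(bodies)} certificates; pass only the proxy certificate"
    try:
        base64.b64decode("".join(bodies[0].split()), validate=True)
    except ValueError:
        return "certificate body is not valid Base-64"
    return None


# Constructed sample: the body is Base-64 of placeholder bytes, not a real X.509 certificate.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"placeholder bytes, not a real DER certificate").decode()
               + "\n-----END CERTIFICATE-----\n")
```

Feed `check_proxy_cert` the contents of the file you intend to pass at configuration time; an exported chain from a Windows certificate store is the usual way a bundle sneaks in. `bypasses_proxy` is useful for confirming that the control plane and appliance VM IPs within your IP address prefix are actually excluded by your `noProxy` value before deployment.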
Internal port listening
Be aware that the appliance VM is configured to listen on the following ports. These ports are used exclusively for internal processes and do not require external access:
- 8443 – Endpoint for Microsoft Entra Authentication Webhook
- 10257 – Endpoint for Arc resource bridge metrics
- 10250 – Endpoint for Arc resource bridge metrics
- 2382 – Endpoint for Arc resource bridge metrics
Next steps
- Review the Azure Arc resource bridge overview to understand more about requirements and technical details.
- Learn about security configuration and considerations for Azure Arc resource bridge.
- View troubleshooting tips for networking issues.