Support matrix for Azure Arc-enabled System Center Virtual Machine Manager
This article documents the prerequisites and support requirements for using Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) to manage your SCVMM-managed on-premises VMs through Azure Arc.
To use Arc-enabled SCVMM, you must deploy an Azure Arc Resource Bridge in your SCVMM-managed environment. The Resource Bridge provides an ongoing connection between your SCVMM management server and Azure. Once you've connected your SCVMM management server to Azure, components on the Resource Bridge discover your SCVMM management server inventory. You can then enable the discovered resources in Azure and start performing virtual hardware and guest OS operations on them using Azure Arc.
System Center Virtual Machine Manager requirements
The following requirements must be met in order to use Arc-enabled SCVMM.
Supported SCVMM versions
Azure Arc-enabled SCVMM works with VMM 2019 and 2022 versions and supports SCVMM management servers with a maximum of 15,000 VMs.
Azure Arc resource bridge prerequisites
Note
- If the VMM server is running on a Windows Server 2016 machine, ensure that the OpenSSH package is installed.
- If you deploy an older version of the appliance (earlier than version 0.2.25), the Arc operation fails with the error "Appliance cluster is not deployed with AAD authentication". To fix this issue, download the latest version of the onboarding script and deploy the Resource Bridge again.
- Azure Arc Resource Bridge deployment using private link is currently not supported.
Requirement | Details |
---|---|
Azure | An Azure subscription. A resource group in the above subscription where you have the Owner/Contributor role. |
SCVMM | You need an SCVMM management server running version 2019 or later. A private cloud or a host group with a minimum free capacity of 32 GB of RAM, 4 vCPUs with 100 GB of free disk space. The supported storage configurations are hybrid storage (flash and HDD) and all-flash storage (SSDs or NVMe). A VM network with internet access, directly or through a proxy. The appliance VM will be deployed using this VM network. Only Static IP allocation is supported; Dynamic IP allocation using DHCP isn't supported. Static IP allocation can be performed by one of the following approaches: 1. VMM IP Pool: Follow these steps to create a VMM Static IP Pool and ensure that the Static IP Pool has at least three IP addresses. If your SCVMM server is behind a firewall, all the IPs in this IP Pool and the Control Plane IP should be allowed to communicate through WinRM ports. The default WinRM ports are 5985 and 5986. 2. Custom IP range: Ensure that your VM network has three contiguous free IP addresses. If your SCVMM server is behind a firewall, all the IPs in this IP range and the Control Plane IP should be allowed to communicate through WinRM ports. The default WinRM ports are 5985 and 5986. If the VM network is configured with a VLAN, the VLAN ID is required as an input. Azure Arc Resource Bridge requires internal and external DNS resolution to the required sites and the on-premises management machine for the Static gateway IP and the IP address(es) of your DNS server(s) are needed. A library share with write permission for the SCVMM admin account through which Resource Bridge deployment is going to be performed. |
SCVMM accounts | An SCVMM admin account that can perform all administrative actions on all objects that VMM manages. The user should be part of the local administrator account in the SCVMM server. If the SCVMM server is installed in a High Availability configuration, the user should be a part of the local administrator accounts in all the SCVMM cluster nodes. This will be used for the ongoing operation of Azure Arc-enabled SCVMM and the deployment of the Arc Resource Bridge VM. |
Workstation | The workstation will be used to run the helper script. Ensure you have 64-bit Azure CLI installed on the workstation. When you execute the script from a Linux machine, the deployment takes a bit longer and you might experience performance issues. |
Resource Bridge networking requirements
The following firewall URL exceptions are required for the Azure Arc Resource Bridge VM:
Outbound connectivity requirements
The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.
Firewall/Proxy URL allowlist
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download product catalog, product bits, and OS images from SFS. |
Resource bridge (appliance) image download | 443 | msk8s.sb.tlu.dl.delivery.mp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download the Arc Resource Bridge OS images. |
Microsoft Container Registry | 443 | mcr.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Discover container images for Arc Resource Bridge. |
Microsoft Container Registry | 443 | *.data.mcr.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download container images for Arc Resource Bridge. |
Windows NTP Server | 123 | time.windows.com | Management machine & Appliance VM IPs (if Hyper-V default is Windows NTP) need outbound connection on UDP | OS time sync in appliance VM & Management machine (Windows NTP). |
Azure Resource Manager | 443 | management.azure.com | Management machine & Appliance VM IPs need outbound connection. | Manage resources in Azure. |
Microsoft Graph | 443 | graph.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Required for Azure RBAC. |
Azure Resource Manager | 443 | login.microsoftonline.com | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Azure Resource Manager | 443 | *.login.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Azure Resource Manager | 443 | login.windows.net | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Resource bridge (appliance) Dataplane service | 443 | *.dp.prod.appliances.azure.com | Appliance VM IPs need outbound connection. | Communicate with resource provider in Azure. |
Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, ecpacr.azurecr.io | Appliance VM IPs need outbound connection. | Required to pull container images. |
Managed Identity | 443 | *.his.arc.azure.com | Appliance VM IPs need outbound connection. | Required to pull system-assigned Managed Identity certificates. |
Azure Arc for Kubernetes container image download | 443 | azurearcfork8s.azurecr.io | Appliance VM IPs need outbound connection. | Pull container images. |
Azure Arc agent | 443 | k8connecthelm.azureedge.net | Appliance VM IPs need outbound connection. | Deploy Azure Arc agent. |
ADHS telemetry service | 443 | adhs.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data from appliance VM. |
Microsoft events data service | 443 | v20.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Send diagnostic data from Windows. |
Log collection for Arc Resource Bridge | 443 | linuxgeneva-microsoft.azurecr.io | Appliance VM IPs need outbound connection. | Push logs for Appliance managed components. |
Resource bridge components download | 443 | kvamanagementoperator.azurecr.io | Appliance VM IPs need outbound connection. | Pull artifacts for Appliance managed components. |
Microsoft open source packages manager | 443 | packages.microsoft.com | Appliance VM IPs need outbound connection. | Download Linux installation package. |
Custom Location | 443 | sts.windows.net | Appliance VM IPs need outbound connection. | Required for Custom Location. |
Azure Arc | 443 | guestnotificationservice.azure.com | Appliance VM IPs need outbound connection. | Required for Azure Arc. |
Custom Location | 443 | k8sconnectcsp.azureedge.net | Appliance VM IPs need outbound connection. | Required for Custom Location. |
Diagnostic data | 443 | gcs.prod.monitoring.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.microsoftmetrics.com | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.hot.ingest.monitor.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.warm.ingest.monitor.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Azure portal | 443 | *.arc.azure.net | Appliance VM IPs need outbound connection. | Manage cluster from Azure portal. |
Azure CLI & Extension | 443 | *.blob.core.windows.net | Management machine needs outbound connection. | Download Azure CLI Installer and extension. |
Azure Arc Agent | 443 | *.dp.kubernetesconfiguration.azure.com | Management machine needs outbound connection. | Dataplane used for Arc agent. |
Python package | 443 | pypi.org, *.pypi.org | Management machine needs outbound connection. | Validate Kubernetes and Python versions. |
Azure CLI | 443 | pythonhosted.org, *.pythonhosted.org | Management machine needs outbound connection. | Python packages for Azure CLI installation. |
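The following is an added example, not part of the original article or of Microsoft's tooling: a small Python audit that compares firewall log lines against a subset of the outbound allowlist above and reports required connections that were denied and allowed connections that fall outside the matrix. The log format, the IP-to-role mapping, and all sample values are constructed assumptions; extend ALLOWLIST with the remaining rows before relying on the result.

```python
from fnmatch import fnmatchcase

# Subset of this page's outbound rows: (URL pattern, port, source roles: mgmt / appliance).
ALLOWLIST = [
    ("mcr.microsoft.com", 443, {"mgmt", "appliance"}),
    ("*.data.mcr.microsoft.com", 443, {"mgmt", "appliance"}),
    ("management.azure.com", 443, {"mgmt", "appliance"}),
    ("*.dp.prod.appliances.azure.com", 443, {"appliance"}),
    ("*.his.arc.azure.com", 443, {"appliance"}),
    ("pypi.org", 443, {"mgmt"}),
    ("*.pypi.org", 443, {"mgmt"}),
]

# Constructed static IPs (assumption); replace with your own addresses.
ROLE_BY_IP = {"10.0.0.5": "mgmt", "10.0.0.11": "appliance", "10.0.0.12": "appliance"}

def is_required(role, host, port):
    """True if the matrix lists host:port for this source role."""
    host = host.lower().rstrip(".")
    # fnmatchcase anchors the whole name, so "pypi.org.example" does not match.
    return any(port == p and role in roles and fnmatchcase(host, pattern)
               for pattern, p, roles in ALLOWLIST)

def audit(log_lines):
    """Split 'src_ip host port action' lines into (blocked_required, unexpected_allowed)."""
    blocked, unexpected = [], []
    for line in log_lines:
        src, host, port, action = line.split()
        role = ROLE_BY_IP.get(src)
        required = role is not None and is_required(role, host, int(port))
        if action == "DENY" and required:
            blocked.append(line)      # deployment or ongoing operations will fail
        elif action == "ALLOW" and not required:
            unexpected.append(line)   # firewall rule is broader than the matrix
    return blocked, unexpected

# Constructed firewall log lines (hypothetical format: src_ip host port action).
SAMPLE_LOG = [
    "10.0.0.11 mcr.microsoft.com 443 ALLOW",
    "10.0.0.11 eastus.data.mcr.microsoft.com 443 DENY",
    "10.0.0.11 pypi.org 443 ALLOW",
    "10.0.0.5 pypi.org 443 ALLOW",
    "10.0.0.5 pypi.org.example 443 ALLOW",
    "10.0.0.12 gw.his.arc.azure.com 443 DENY",
    "10.0.0.99 management.azure.com 443 ALLOW",
]

if __name__ == "__main__":
    for label, lines in zip(("Required but denied", "Allowed outside matrix"), audit(SAMPLE_LOG)):
        print(label, lines)
```

The third sample line is flagged because the matrix lists pypi.org for the management machine only, and the last because its source IP has no assigned role.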
Inbound connectivity requirements
Communication between the following ports must be allowed from the management machine, Appliance VM IPs, and Control Plane IPs. Ensure these ports are open and that traffic is not being routed through a proxy to facilitate the deployment and maintenance of Arc resource bridge.
Service | Port | IP/machine | Direction | Notes |
---|---|---|---|---|
SSH | 22 | appliance VM IPs and Management machine | Bidirectional | Used for deploying and maintaining the appliance VM. |
Kubernetes API server | 6443 | appliance VM IPs and Management machine | Bidirectional | Management of the appliance VM. |
SSH | 22 | control plane IP and Management machine | Bidirectional | Used for deploying and maintaining the appliance VM. |
Kubernetes API server | 6443 | control plane IP and Management machine | Bidirectional | Management of the appliance VM. |
HTTPS | 443 | private cloud control plane address and Management machine | Management machine needs outbound connection. | Communication with control plane (ex: VMware vCenter address). |
Note
To configure SSL proxy and to view the exclusion list for no proxy, see Additional network requirements.
In addition, SCVMM requires the following exception:
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
SCVMM Management Server | 443 | URL of the SCVMM management server. | Appliance VM IP and control plane endpoint need outbound connection. | Used by the SCVMM server to communicate with the Appliance VM and the control plane. |
WinRM | WinRM Port numbers (Default: 5985 and 5986). | URL of the WinRM service. | IPs in the IP Pool used by the Appliance VM and control plane need connection with the VMM server. | Used by the SCVMM server to communicate with the Appliance VM. |
Generally, connectivity requirements include these principles:
- All connections are TCP unless otherwise specified.
- All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
- All connections are outbound unless otherwise specified.
To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.
For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see Azure Arc network requirements (Consolidated).
Azure role/permission requirements
The minimum Azure roles required for operations related to Arc-enabled SCVMM are as follows:
Operation | Minimum role required | Scope |
---|---|---|
Onboarding your SCVMM Management Server to Arc | Azure Arc SCVMM Private Clouds Onboarding | On the subscription or resource group into which you want to onboard |
Administering Arc-enabled SCVMM | Azure Arc SCVMM Administrator | On the subscription or resource group where SCVMM management server resource is created |
VM Provisioning | Azure Arc SCVMM Private Cloud User | On the subscription or resource group that contains the SCVMM cloud, datastore, and virtual network resources, or on the resources themselves |
VM Provisioning | Azure Arc SCVMM VM Contributor | On the subscription or resource group where you want to provision VMs |
VM Operations | Azure Arc SCVMM VM Contributor | On the subscription or resource group that contains the VM, or on the VM itself |
Any roles with higher permissions on the same scope, such as Owner or Contributor, will also allow you to perform the operations listed above.
Azure connected machine agent (Guest Management) requirements
Ensure the following before you install Arc agents at scale for SCVMM VMs:
- The Resource Bridge must be in a running state.
- The SCVMM management server must be in a connected state.
- The user account must have the permissions listed in the Azure Arc-enabled SCVMM Administrator role.
- All the target machines are:
  - Powered on and the resource bridge has network connectivity to the host running the VM.
  - Running a supported operating system.
  - Able to connect through the firewall to communicate over the Internet and these URLs aren't blocked.
Supported SCVMM versions
Azure Arc-enabled SCVMM supports direct installation of Arc agents in VMs managed by:
- SCVMM 2022 UR1 or later versions of SCVMM server or console
- SCVMM 2019 UR5 or later versions of SCVMM server or console
For VMs managed by other SCVMM versions, install Arc agents through the script.
Important
We recommend maintaining the SCVMM management server and the SCVMM console in the same Long-Term Servicing Channel (LTSC) and Update Rollup (UR) version.
Supported operating systems
Azure Arc-enabled SCVMM supports direct installation of Arc agents in VMs running Windows Server 2022, 2019, 2016, 2012 R2, Windows 10, and Windows 11 operating systems. For other Windows and Linux operating systems, install Arc agents through the script.
Software requirements
Windows operating systems:
- Microsoft recommends running the latest version, Windows Management Framework 5.1.
Linux operating systems:
- systemd
- wget (to download the installation script)
- openssl
- gnupg (Debian-based systems, only)
Networking requirements
The following firewall URL exceptions are required for the Azure Arc agents:
URL | Description |
---|---|
aka.ms | Used to resolve the download script during installation |
packages.microsoft.com | Used to download the Linux installation package |
download.microsoft.com | Used to download the Windows installation package |
login.windows.net | Microsoft Entra ID |
login.microsoftonline.com | Microsoft Entra ID |
pas.windows.net | Microsoft Entra ID |
management.azure.com | Azure Resource Manager - to create or delete the Arc server resource |
*.his.arc.azure.com | Metadata and hybrid identity services |
*.guestconfiguration.azure.com | Extension management and guest configuration services |
guestnotificationservice.azure.com, *.guestnotificationservice.azure.com | Notification service for extension and connectivity scenarios |
azgn*.servicebus.windows.net | Notification service for extension and connectivity scenarios |
*.servicebus.windows.net | For Windows Admin Center and SSH scenarios |
*.blob.core.windows.net | Download source for Azure Arc-enabled servers extensions |
dc.services.visualstudio.com | Agent telemetry |
Next steps
Connect your System Center Virtual Machine Manager management server to Azure Arc.