Merge pull request #206016 from rpsqrd/ryanpu-arc-mooncake

Added Azure China information for Arc-enabled servers

Author: v-stsavell

articles/azure-arc/servers/agent-release-notes.md

@@ -2,7 +2,7 @@
 title: What's new with Azure Arc-enabled servers agent
 description: This article has release notes for Azure Arc-enabled servers agent. For many of the summarized issues, there are links to more details.
 ms.topic: overview
-ms.date: 07/05/2022
+ms.date: 07/26/2022
 ms.custom: references_regions
 ---
 
@@ -24,6 +24,7 @@ This page is updated monthly, so revisit it regularly. If you're looking for ite
 
 ### New features
 
+- Added support for connecting the agent to the Azure China cloud
 - Added support for Debian 10
 - Updates to the [instance metadata](agent-overview.md#instance-metadata) collected on each machine:
   - GCP VM OS is no longer collected

articles/azure-arc/servers/network-requirements.md

@@ -1,7 +1,7 @@
 ---
 title: Connected Machine agent network requirements
 description: Learn about the networking requirements for using the Connected Machine agent for Azure Arc-enabled servers.
-ms.date: 06/09/2022
+ms.date: 07/26/2022
 ms.topic: conceptual 
 ---
 
@@ -39,7 +39,7 @@ For more information, see [Virtual network service tags](../../virtual-network/s
 
 The table below lists the URLs that must be available in order to install and use the Connected Machine agent.
 
-# [Azure Cloud](#tab/azure-cloud)
+### [Azure Cloud](#tab/azure-cloud)
 
 | Agent resource | Description | When required| Endpoint used with private link |
 |---------|---------|--------|---------|
@@ -58,7 +58,7 @@ The table below lists the URLs that must be available in order to install and us
 |`*.blob.core.windows.net`|Download source for Azure Arc-enabled servers extensions|Always, except when using private endpoints| Not used when private link is configured |
 |`dc.services.visualstudio.com`|Agent telemetry|Optional| Public |
 
-# [Azure Government](#tab/azure-government)
+### [Azure Government](#tab/azure-government)
 
 | Agent resource | Description | When required| Endpoint used with private link |
 |---------|---------|--------|---------|
@@ -73,6 +73,30 @@ The table below lists the URLs that must be available in order to install and us
 |`*.blob.core.usgovcloudapi.net`|Download source for Azure Arc-enabled servers extensions|Always, except when using private endpoints| Not used when private link is configured |
 |`dc.applicationinsights.us`|Agent telemetry|Optional| Public |
 
+### [Azure China](#tab/azure-china)
+
+> [!NOTE]
+> Private link is not available for Azure Arc-enabled servers in Azure China regions.
+
+| Agent resource | Description | When required|
+|---------|---------|--------|
+|`aka.ms`|Used to resolve the download script during installation|At installation time, only|
+|`download.microsoft.com`|Used to download the Windows installation package|At installation time, only|
+|`packages.microsoft.com`|Used to download the Linux installation package|At installation time, only|
+|`login.chinacloudapi.cn`|Azure Active Directory|Always|
+|`login.partner.chinacloudapi.cn`|Azure Active Directory|Always|
+|`pas.chinacloudapi.cn`|Azure Active Directory|Always|
+|`management.chinacloudapi.cn`|Azure Resource Manager - to create or delete the Arc server resource|When connecting or disconnecting a server, only|
+|`*.his.arc.azure.cn`|Metadata and hybrid identity services|Always|
+|`*.guestconfiguration.azure.cn`| Extension management and guest configuration services |Always|
+|`guestnotificationservice.azure.cn`, `*.guestnotificationservice.azure.cn`|Notification service for extension and connectivity scenarios|Always|
+|`azgn*.servicebus.chinacloudapi.cn`|Notification service for extension and connectivity scenarios|Always|
+|`*.servicebus.chinacloudapi.cn`|For Windows Admin Center and SSH scenarios|If using SSH or Windows Admin Center from Azure|
+|`*.blob.core.chinacloudapi.cn`|Download source for Azure Arc-enabled servers extensions|Always, except when using private endpoints|
+|`dc.applicationinsights.azure.cn`|Agent telemetry|Optional|
+
+---
+
 ## Transport Layer Security 1.2 protocol
 
 To ensure the security of data in transit to Azure, we strongly encourage you to configure machine to use Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and while they still currently work to allow backwards compatibility, they are **not recommended**.

articles/azure-arc/servers/private-link-security.md

@@ -2,7 +2,7 @@
 title: Use Azure Private Link to securely connect servers to Azure Arc
 description: Learn how to use Azure Private Link to securely connect networks to Azure Arc.
 ms.topic: conceptual
-ms.date: 05/04/2022
+ms.date: 07/26/2022
 ---
 
 # Use Azure Private Link to securely connect servers to Azure Arc
@@ -59,6 +59,7 @@ The Azure Arc-enabled servers Private Link Scope object has a number of limits y
 - The Azure Arc-enabled server and Azure Arc Private Link Scope must be in the same Azure region. The Private Endpoint and the virtual network must also be in the same Azure region, but this region can be different from that of your Azure Arc Private Link Scope and Arc-enabled server.
 - Network traffic to Azure Active Directory and Azure Resource Manager does not traverse the Azure Arc Private Link Scope and will continue to use your default network route to the internet. You can optionally [configure a resource management private link](../../azure-resource-manager/management/create-private-link-access-portal.md) to send Azure Resource Manager traffic to a private endpoint.
 - Other Azure services that you will use, for example Azure Monitor, requires their own private endpoints in your virtual network.
+- Private link for Azure Arc-enabled servers is not currently available in Azure China
 
 ## Planning your Private Link setup
 
@@ -85,7 +86,7 @@ This article assumes you have already set up your ExpressRoute circuit or site-t
 
 ## Network configuration
 
-Azure Arc-enabled servers integrates with several Azure services to bring cloud management and governance to your hybrid machines or servers. Most of these services already offer private endpoints, but you need to configure your firewall and routing rules to allow access to Azure Active Directory and Azure Resource Manager over the internet until these services offer private endpoints.
+Azure Arc-enabled servers integrate with several Azure services to bring cloud management and governance to your hybrid machines or servers. Most of these services already offer private endpoints, but you need to configure your firewall and routing rules to allow access to Azure Active Directory and Azure Resource Manager over the internet until these services offer private endpoints.
 
 There are two ways you can achieve this: