Merge pull request #229603 from JnHs/jh-arck8-qnetreq

separate network requirements

Author: JamesJBarnett

articles/aks/dapr-settings.md

@@ -198,7 +198,7 @@ az k8s-extension upgrade --cluster-type managedClusters \
 
 ## Meet network requirements
 
-The Dapr extension for AKS and Arc for Kubernetes requires outbound URLs on `https://:443` to function. In addition to the `https://mcr.microsoft.com/daprio` URL for pulling Dapr artifacts, verify you've included the [outbound URLs required for AKS or Arc for Kubernetes](../azure-arc/kubernetes/quickstart-connect-cluster.md#meet-network-requirements). 
+The Dapr extension for AKS and Arc for Kubernetes requires outbound URLs on `https://:443` to function. In addition to the `https://mcr.microsoft.com/daprio` URL for pulling Dapr artifacts, verify you've included the [outbound URLs required for AKS or Arc for Kubernetes](../azure-arc/kubernetes/network-requirements.md). 
 
 ## Next Steps
 

articles/azure-arc/kubernetes/cluster-connect.md

@@ -40,7 +40,7 @@ Before you begin, review the [conceptual overview of the cluster connect feature
   - If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md).
   - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version.
 
-- Enable the below endpoints for outbound access in addition to the ones mentioned under [connecting a Kubernetes cluster to Azure Arc](quickstart-connect-cluster.md#meet-network-requirements):
+- In addition to meeting the [network requirements for Arc-enabled Kubernetes](network-requirements.md), enable these endpoints for outbound access:
 
   | Endpoint | Port |
   |----------------|-------|
@@ -68,7 +68,7 @@ Before you begin, review the [conceptual overview of the cluster connect feature
   - If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md).
   - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version.
 
-- Enable the below endpoints for outbound access in addition to the ones mentioned under [connecting a Kubernetes cluster to Azure Arc](quickstart-connect-cluster.md#meet-network-requirements):
+- In addition to meeting the [network requirements for Arc-enabled Kubernetes](network-requirements.md), enable these endpoints for outbound access:
 
   | Endpoint | Port |
   |----------------|-------|

articles/azure-arc/kubernetes/conceptual-agent-overview.md

@@ -13,7 +13,7 @@ Azure Arc agents are deployed on Kubernetes clusters when you [connect them to A
 
 ## Deploy agents to your cluster
 
-Most on-premises datacenters enforce strict network rules that prevent inbound communication on the network boundary firewall. Azure Arc-enabled Kubernetes works with these restrictions by not requiring inbound ports on the firewall. Azure Arc agents require outbound communication to a [set list of network endpoints](quickstart-connect-cluster.md#meet-network-requirements).
+Most on-premises datacenters enforce strict network rules that prevent inbound communication on the network boundary firewall. Azure Arc-enabled Kubernetes works with these restrictions by not requiring inbound ports on the firewall. Azure Arc agents require outbound communication to a [set list of network endpoints](network-requirements.md).
 
 :::image type="content" source="media/architectural-overview.png" alt-text="Diagram showing an architectural overview of the Azure Arc-enabled Kubernetes agents." lightbox="media/architectural-overview.png":::
 

articles/azure-arc/kubernetes/diagnose-connection-issues.md

@@ -53,7 +53,7 @@ Be sure that the Microsoft.Kubernetes, Microsoft.KubernetesConfiguration, and Mi
 
 ### Are all network requirements met?
 
-Review the [network requirements](quickstart-connect-cluster.md#meet-network-requirements) and ensure that no required endpoints are blocked.
+Review the [network requirements](network-requirements.md) and ensure that no required endpoints are blocked.
 
 ### Are all pods in the `azure-arc` namespace running?
 
@@ -99,7 +99,7 @@ az connectedk8s connect --name <cluster-name> --resource-group <resource-group>
 
 ### Is the proxy server able to reach required network endpoints?
 
-Review the [network requirements](quickstart-connect-cluster.md#meet-network-requirements) and ensure that no required endpoints are blocked.
+Review the [network requirements](network-requirements.md) and ensure that no required endpoints are blocked.
 
 ### Is the proxy server only using HTTP?
 

articles/azure-arc/kubernetes/includes/network-requirements.md

@@ -1,7 +1,7 @@
 ---
 ms.service: azure-arc
 ms.topic: include
-ms.date: 12/13/2022
+ms.date: 03/07/2023
 ---
 
 ### [Azure Cloud](#tab/azure-cloud)
@@ -21,8 +21,8 @@ ms.date: 12/13/2022
 |`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
 |`guestnotificationservice.azure.com`<br/>`*.guestnotificationservice.azure.com`<br/>`sts.windows.net`<br/>`https://k8sconnectcsp.azureedge.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
 |`*.servicebus.windows.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
-|`https://graph.microsoft.com/` | Required when [Azure RBAC](../azure-rbac.md) is configured |
-| `*.arc.azure.net`| To manage connected clusters in Azure portal. | 
+|`https://graph.microsoft.com/` | Required when [Azure RBAC](../azure-rbac.md) is configured. |
+| `*.arc.azure.net`| Required to manage connected clusters in Azure portal. |
 
 To translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command:
 
@@ -49,7 +49,7 @@ GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-0
 |`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
 |`guestnotificationservice.azure.us`<br/>`*.guestnotificationservice.azure.us`<br/>`sts.windows.net`<br/>`https://k8sconnectcsp.azureedge.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
 |`*.servicebus.usgovcloudapi.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
-|`https://graph.microsoft.com/` | Required when [Azure RBAC](../azure-rbac.md) is configured |
+|`https://graph.microsoft.com/` | Required when [Azure RBAC](../azure-rbac.md) is configured. |
 
 To translate the `*.servicebus.usgovcloudapi.net` wildcard into specific endpoints, use the command:
 

articles/azure-arc/kubernetes/network-requirements.md

@@ -0,0 +1,24 @@
+---
+title: Azure Arc-enabled Kubernetes network requirements
+description: Learn about the networking requirements to connect Kubernetes clusters to Azure Arc.
+ms.date: 03/07/2023
+ms.topic: conceptual 
+ms.custom: references-regions
+---
+
+# Azure Arc-enabled Kubernetes network requirements
+
+This topic describes the networking requirements for connecting a Kubernetes cluster to Azure Arc and supporting various Arc-enabled Kubernetes scenarios.
+
+## Details
+
+[!INCLUDE [network-requirement-principles](../includes/network-requirement-principles.md)]
+
+[!INCLUDE [network-requirements](includes/network-requirements.md)]
+
+For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see [Azure Arc network requirements (Consolidated)](../network-requirements-consolidated.md).
+
+## Next steps
+
+- Use our [quickstart](quickstart-connect-cluster.md) to connect your cluster.
+- Review [frequently asked questions](faq.md) about Arc-enabled Kubernetes.

articles/azure-arc/kubernetes/plan-at-scale-deployment.md

@@ -30,7 +30,7 @@ The purpose of this article is to ensure you're prepared for a successful deploy
     - Create a Kubernetes cluster using Docker for [Mac](https://docs.docker.com/docker-for-mac/#kubernetes) or [Windows](https://docs.docker.com/docker-for-windows/#kubernetes)
     - Self-managed Kubernetes cluster using [Cluster API](https://cluster-api.sigs.k8s.io/user/quick-start.html)
 
-* Your machines have connectivity from your on-premises network or other cloud environment to resources in Azure, either directly or through a proxy server. More details can be found under [network prerequisites](quickstart-connect-cluster.md#meet-network-requirements).
+* Your machines have connectivity from your on-premises network or other cloud environment to resources in Azure, either directly or through a proxy server. More details can be found under [network prerequisites](network-requirements.md).
 
 * A `kubeconfig` file pointing to the cluster you want to connect to Azure Arc.
 * 'Read' and 'Write' permissions for the user or service principal creating the Azure Arc-enabled Kubernetes resource type of `Microsoft.Kubernetes/connectedClusters`.

articles/azure-arc/kubernetes/quickstart-connect-cluster.md

@@ -15,6 +15,8 @@ For a conceptual look at connecting clusters to Azure Arc, see [Azure Arc-enable
 
 ## Prerequisites
 
+In addition to the prerequisites below, be sure to meet all [network requirements for Azure Arc-enabled Kubernetes](network-requirements.md).
+
 ### [Azure CLI](#tab/azure-cli)
 
 * An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
@@ -133,14 +135,6 @@ For a conceptual look at connecting clusters to Azure Arc, see [Azure Arc-enable
 
 ---
 
-## Meet network requirements
-
-[!INCLUDE [network-requirement-principles](../includes/network-requirement-principles.md)]
-
-[!INCLUDE [network-requirements](includes/network-requirements.md)]
-
-For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see [Azure Arc network requirements (Consolidated)](../network-requirements-consolidated.md).
-
 ## Create a resource group
 
 Run the following command:

articles/azure-arc/kubernetes/toc.yml

@@ -31,6 +31,8 @@
   items:
   - name: Agent overview
     href: conceptual-agent-overview.md
+  - name: Network requirements
+    href: network-requirements.md
   - name: Connectivity modes
     href: conceptual-connectivity-modes.md
   - name: Data exchange between cluster and Azure

articles/azure-arc/kubernetes/troubleshooting.md

@@ -78,13 +78,13 @@ For more information, see [Debugging DNS Resolution](https://kubernetes.io/docs/
 
 ### Outbound network connectivity issues
 
-Issues with outbound network connectivity from the cluster may arise for different reasons. First make sure all of the [network requirements](quickstart-connect-cluster.md#meet-network-requirements) have been met.
+Issues with outbound network connectivity from the cluster may arise for different reasons. First make sure all of the [network requirements](network-requirements.md) have been met.
 
 If you encounter this issue, and your cluster is behind an outbound proxy server, make sure you have passed proxy parameters during the onboarding of your cluster and that the proxy is configured correctly. For more information, see [Connect using an outbound proxy server](quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server).
 
 ### Unable to retrieve MSI certificate
 
-Problems retrieving the MSI certificate are usually due to network issues. Check to make sure all of the [network requirements](quickstart-connect-cluster.md#meet-network-requirements) have been met, then try again.
+Problems retrieving the MSI certificate are usually due to network issues. Check to make sure all of the [network requirements](network-requirements.md) have been met, then try again.
 
 ### Azure CLI is unable to download Helm chart for Azure Arc agents
 
@@ -183,7 +183,7 @@ To resolve this issue, try the following steps.
    name: azure-identity-certificate
    ```
 
-   To resolve this issue, try deleting the Arc deployment by running the `az connectedk8s delete` command and reinstalling it. If the issue continues to happen, it could be an issue with your proxy settings. In that case, [try connecting your cluster to Azure Arc via a proxy](./quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server) to connect your cluster to Arc via a proxy. Please also verify if all the [network prerequisites](quickstart-connect-cluster.md#meet-network-requirements) have been met.
+   To resolve this issue, try deleting the Arc deployment by running the `az connectedk8s delete` command and reinstalling it. If the issue continues to happen, it could be an issue with your proxy settings. In that case, [try connecting your cluster to Azure Arc via a proxy](./quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server) to connect your cluster to Arc via a proxy. Please also verify if all the [network prerequisites](network-requirements.md) have been met.
 
 4. If the `clusterconnect-agent` and the `config-agent` pods are running, but the `kube-aad-proxy` pod is missing, check your pod security policies. This pod uses the `azure-arc-kube-aad-proxy-sa` service account, which doesn't have admin permissions but requires the permission to mount host path.
 
@@ -487,7 +487,7 @@ az connectedk8s proxy -n AzureArcTest -g AzureArcTest
 Hybrid connection for the target resource does not exist. Agent might not have started successfully.
 ```
 
-Be sure to use the `connectedk8s` Azure CLI extension with version >= 1.2.0, then [connect your cluster again](quickstart-connect-cluster.md) to Azure Arc. Also, verify that you've met all the [network prerequisites](quickstart-connect-cluster.md#meet-network-requirements) needed for Arc-enabled Kubernetes.
+Be sure to use the `connectedk8s` Azure CLI extension with version >= 1.2.0, then [connect your cluster again](quickstart-connect-cluster.md) to Azure Arc. Also, verify that you've met all the [network prerequisites](network-requirements.md) needed for Arc-enabled Kubernetes.
 
 If your cluster is behind an outbound proxy or firewall, verify that websocket connections are enabled for `*.servicebus.windows.net`, which is required specifically for the [Cluster Connect](cluster-connect.md) feature.