Merge pull request #221577 from MicrosoftDocs/release-arc-endpoints

Draft: Consolidated Arc Endpoints

Author: huypub

articles/azure-arc/data/connectivity.md

@@ -73,174 +73,8 @@ Some Azure-attached services are only available when they can be directly reache
 
 ## Details on internet addresses, ports, encryption, and proxy server support
 
-There are three connections required to services available on the Internet. These connections include:
+[!INCLUDE [network-requirements](includes/network-requirements.md)]
 
-- [Microsoft Container Registry (MCR)](#microsoft-container-registry-mcr)
-- [Helm chart (direct connected mode)](#helm-chart-direct-connected-mode)
-- [Azure Resource Manager APIs](#azure-resource-manager-apis)
-- [Azure monitor APIs](#azure-monitor-apis)
-- [Azure Arc data processing service](#azure-arc-data-processing-service)
+## Additional network requirements
 
-All HTTPS connections to Azure and the Microsoft Container Registry are encrypted using SSL/TLS using officially signed and verifiable certificates.
-
-The following sections provide details for these connections. 
-
-### Microsoft Container Registry (MCR)
-
-The Microsoft Container Registry hosts the Azure Arc-enabled data services container images.  You can pull these images from MCR and push them to a private container registry and configure the data controller deployment process to pull the container images from that private container registry.
-
-#### Connection source
-
-The Kubernetes kubelet on each of the Kubernetes nodes pulling the container images.
-
-#### Connection target
-
-`mcr.microsoft.com`
-
-#### Protocol
-
-HTTPS
-
-#### Port
-
-443
-
-#### Can use proxy
-
-Yes
-
-#### Authentication
-
-None
-
-### Helm chart (direct connected mode)
-
-The Helm chart used to provision the Azure Arc data controller bootstrapper and cluster level objects, such as custom resource definitions, cluster roles, and cluster role bindings, is pulled from an Azure Container Registry.
-
-#### Connection source
-
-The Kubernetes kubelet on each of the Kubernetes nodes pulling the container images.
-
-#### Connection target
-
-`arcdataservicesrow1.azurecr.io`
-
-#### Protocol
-
-HTTPS
-
-#### Port
-
-443
-
-#### Can use proxy
-
-Yes
-
-#### Authentication
-
-None
-
-### Azure Resource Manager APIs
-Azure Data Studio, and Azure CLI connect to the Azure Resource Manager APIs to send and retrieve data to and from Azure for some features.
-
-#### Connection source
-
-A computer running Azure Data Studio, or Azure CLI that is connecting to Azure.
-
-#### Connection target
-
-- `login.microsoftonline.com`
-- `management.azure.com`
-
-#### Protocol
-
-HTTPS
-
-#### Port
-
-443
-
-#### Can use proxy
-
-Yes
-
-To use proxy, verify that the agents meet the network requirements. See [Meet network requirements](../kubernetes/quickstart-connect-cluster.md#meet-network-requirements).
-
-#### Authentication 
-
-Azure Active Directory
-
-### Azure monitor APIs
-
-Azure Data Studio and Azure CLI connect to the Azure Resource Manager APIs to send and retrieve data to and from Azure for some features.
-
-#### Connection source
-
-A computer running Azure CLI that is uploading monitoring metrics or logs to Azure Monitor.
-
-#### Connection target
-
-- `login.microsoftonline.com`
-- `management.azure.com`
-- `*.ods.opinsights.azure.com`
-- `*.oms.opinsights.azure.com`
-- `*.monitoring.azure.com`
-
-For example, to upload usage metrics data services will connect to `https://<azureRegion>.monitoring.azure.com/` where `<azureRegion>` is the region where data services is deployed.
-
-Likewise, data services will connect to the log analytics workspace at `https://<subscription_id>.ods.opinsights.azure.com` where `<subscription_id>` represents your Azure subscription.
-
-#### Protocol
-
-HTTPS
-
-#### Port
-
-443
-
-#### Can use proxy
-
-Yes
-
-#### Authentication 
-
-Azure Active Directory
-
-> [!NOTE]
-> For now, all browser HTTPS/443 connections to the data controller for running the command `az arcdata dc export` and Grafana and Kibana dashboards are SSL encrypted using self-signed certificates.  A feature will be available in the future that will allow you to provide your own certificates for encryption of these SSL connections.
-
-Connectivity from Azure Data Studio to the Kubernetes API server uses the Kubernetes authentication and encryption that you have established.  Each user that is using Azure Data Studio or CLI must have an authenticated connection to the Kubernetes API to perform many of the actions related to Azure Arc-enabled data services.
-
-### Azure Arc data processing service
-
-Points to the data processing service endpoint in connection 
-
-#### Connection target
-
-- `san-af-eastus-prod.azurewebsites.net`
-- `san-af-eastus2-prod.azurewebsites.net`
-- `san-af-australiaeast-prod.azurewebsites.net`
-- `san-af-centralus-prod.azurewebsites.net`
-- `san-af-westus2-prod.azurewebsites.net`
-- `san-af-westeurope-prod.azurewebsites.net`
-- `san-af-southeastasia-prod.azurewebsites.net`
-- `san-af-koreacentral-prod.azurewebsites.net`
-- `san-af-northeurope-prod.azurewebsites.net`
-- `san-af-westeurope-prod.azurewebsites.net`
-- `san-af-uksouth-prod.azurewebsites.net`
-- `san-af-francecentral-prod.azurewebsites.net`
-
-#### Protocol
-
-HTTPS
-
-#### Can use proxy
-
-Yes
-
-To use proxy, verify that the agents meet the network requirements. See [Meet network requirements](../kubernetes/quickstart-connect-cluster.md#meet-network-requirements).
-
-#### Authentication
-
-None
+In addition, resource bridge (preview) requires [Arc-enabled Kubernetes endpoints](../network-requirements-consolidated.md#azure-arc-enabled-kubernetes-endpoints).

articles/azure-arc/data/includes/network-requirements.md

@@ -0,0 +1,23 @@
+---
+author: MikeRayMSFT
+ms.author: mikeray
+ms.service: azure-arc
+ms.topic: include
+ms.date: 12/13/2022
+---
+
+
+|**Service**|**Port**|**URL**|**Direction**|**Notes**|
+|--|--|--|--|--|
+| Helm chart (direct connected mode only) | 443 | `arcdataservicesrow1.azurecr.io` | Outbound |Provisions the Azure Arc data controller bootstrapper and cluster level objects, such as custom resource definitions, cluster roles, and cluster role bindings, is pulled from an Azure Container Registry. | 
+| Azure monitor APIs <sup>*</sup> | 443 |`*.ods.opinsights.azure.com`<br/>`*.oms.opinsights.azure.com`<br/>`*.monitoring.azure.com` | Outbound | Azure Data Studio and Azure CLI connect to the Azure Resource Manager APIs to send and retrieve data to and from Azure for some features. See [Azure Monitor APIs](#azure-monitor-apis).
+| Azure Arc data processing service <sup>*</sup>| 443 |`san-af-<region>-prod.azurewebsites.net` | Outbound<br/> Inbound |
+
+<sup>*</sup> Requirement depends on deployment mode:
+
+  - For direct mode, the controller pod on the Kubernetes cluster needs to have outbound connectivity to the endpoints to send the logs, metrics, inventory, and billing information to Azure Monitor/Data Processing Service. 
+  - For indirect mode, the machine that runs `az arcdata dc upload` needs to have the outbound connectivity to Azure Monitor and Data Processing Service.
+
+### Azure Monitor APIs
+
+Connectivity from Azure Data Studio to the Kubernetes API server uses the Kubernetes authentication and encryption that you have established.  Each user that is using Azure Data Studio or CLI must have an authenticated connection to the Kubernetes API to perform many of the actions related to Azure Arc-enabled data services.

articles/azure-arc/data/overview.md

@@ -52,6 +52,8 @@ Many of the services such as self-service provisioning, automated backups/restor
 
 To see the regions that currently support Azure Arc-enabled data services, go to [Azure Products by Region - Azure Arc](https://azure.microsoft.com/global-infrastructure/services/?cdn=disable&products=azure-arc).
 
+[!INCLUDE [arc-region-note](../includes/arc-region-note.md)]
+
 ## Next steps
 
 > **Just want to try things out?**  

articles/azure-arc/includes/arc-region-note.md

@@ -0,0 +1,17 @@
+---
+author: MikeRayMSFT
+ms.author: mikeray
+ms.service: azure-arc
+ms.topic: include
+ms.date: 12/13/2022
+---
+
+To get the region segment of a regional endpoint, remove all spaces from the Azure region name. For example, *East US 2* region, the region name is `eastus2`.
+
+For example: `san-af-<region>-prod.azurewebsites.net` should be `san-af-eastus2-prod.azurewebsites.net` in the East US 2 region.
+
+To see a list of all regions, run this command:
+
+```azcli
+az account list-locations -o table
+```

articles/azure-arc/includes/network-requirement-principles.md

@@ -0,0 +1,13 @@
+---
+ms.service: azure-arc
+ms.topic: include
+ms.date: 12/13/2022
+---
+
+Generally, connectivity requirements include these principles:
+
+- All connections are TCP unless otherwise specified.
+- All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
+- All connections are outbound unless otherwise specified.   
+
+To use a proxy, verify that the agents meet the network requirements in this article. 

articles/azure-arc/kubernetes/cluster-connect.md

@@ -88,6 +88,8 @@ Before you begin, review the [conceptual overview of the cluster connect feature
 
 ---
 
+[!INCLUDE [arc-region-note](../includes/arc-region-note.md)]
+
 ## Azure Active Directory authentication option
 
 ### [Azure CLI](#tab/azure-cli)

articles/azure-arc/kubernetes/includes/network-requirements.md

@@ -0,0 +1,67 @@
+---
+ms.service: azure-arc
+ms.topic: include
+ms.date: 12/13/2022
+---
+
+### [Azure Cloud](#tab/azure-cloud)
+
+> [!IMPORTANT]
+> Azure Arc agents require the following outbound URLs on `https://:443` to function.
+> For `*.servicebus.windows.net`, websockets need to be enabled for outbound access on firewall and proxy.
+
+| Endpoint (DNS) | Description |
+| ----------------- | ------------- |
+| `https://management.azure.com` | Required for the agent to connect to Azure and register the cluster. |
+| `https://<region>.dp.kubernetesconfiguration.azure.com` | Data plane endpoint for the agent to push status and fetch configuration information. |
+| `https://login.microsoftonline.com`<br/>`https://<region>.login.microsoft.com`<br/>`login.windows.net`| Required to fetch and update Azure Resource Manager tokens. |
+| `https://mcr.microsoft.com`<br/>`https://*.data.mcr.microsoft.com` | Required to pull container images for Azure Arc agents.                                                                  |
+| `https://gbl.his.arc.azure.com` |  Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
+| `https://*.his.arc.azure.com` |  Required to pull system-assigned Managed Identity certificates. |
+|`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
+|`guestnotificationservice.azure.com`<br/>`*.guestnotificationservice.azure.com`<br/>`sts.windows.net`<br/>`https://k8sconnectcsp.azureedge.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
+|`*.servicebus.windows.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
+|`https://graph.microsoft.com/` | Required when [Azure RBAC](../azure-rbac.md) is configured |
+| `*.arc.azure.net`| To manage connected clusters in Azure portal. | 
+
+To translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command:
+
+```rest
+GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>`. 
+```
+
+[!INCLUDE [arc-region-note](../../includes/arc-region-note.md)]
+
+### [Azure Government](#tab/azure-government)
+
+> [!IMPORTANT]
+> Azure Arc agents require the following outbound URLs on `https://:443` to function.
+> For `*.servicebus.usgovcloudapi.net`, websockets need to be enabled for outbound access on firewall and proxy.
+
+| Endpoint (DNS) | Description |
+| ----------------- | ------------- |
+|`https://management.usgovcloudapi.net`  | Required for the agent to connect to Azure and register the cluster. |
+| `https://<region>.dp.kubernetesconfiguration.azure.us` | Data plane endpoint for the agent to push status and fetch configuration information. |
+| `https://login.microsoftonline.us`<br/>`<region>.login.microsoftonline.us` | Required to fetch and update Azure Resource Manager tokens. |
+| `https://mcr.microsoft.com`<br/>`https://*.data.mcr.microsoft.com` | Required to pull container images for Azure Arc agents.                                                                  |
+| `https://gbl.his.arc.azure.us` |  Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
+| `https://usgv.his.arc.azure.us` |  Required to pull system-assigned Managed Identity certificates. |
+|`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
+|`guestnotificationservice.azure.us`<br/>`*.guestnotificationservice.azure.us`<br/>`sts.windows.net`<br/>`https://k8sconnectcsp.azureedge.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
+|`*.servicebus.usgovcloudapi.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
+|`https://graph.microsoft.com/` | Required when [Azure RBAC](../azure-rbac.md) is configured |
+
+To translate the `*.servicebus.usgovcloudapi.net` wildcard into specific endpoints, use the command:
+
+```rest
+\GET https://guestnotificationservice.azure.us/urls/allowlist?api-version=2020-01-01&location=region
+```
+
+[!INCLUDE [arc-region-note](../../includes/arc-region-note.md)]
+
+#### [Azure China](#tab/azure-china)
+
+> [!NOTE]
+> Azure Arc-enabled Kubernetes is not available in Azure China regions at this time.
+
+---

articles/azure-arc/kubernetes/quickstart-connect-cluster.md

@@ -131,28 +131,11 @@ For a conceptual look at connecting clusters to Azure Arc, see [Azure Arc-enable
 
 ## Meet network requirements
 
-> [!IMPORTANT]
-> Azure Arc agents require the following outbound URLs on `https://:443` to function.
-> For `*.servicebus.windows.net` (for Azure Cloud) & `*.servicebus.usgovcloudapi.net` (for Azure US Government), websockets need to be enabled for outbound access on firewall and proxy.
-
-| Endpoint (DNS) | Description |
-| ----------------- | ------------- |
-| `https://management.azure.com` (for Azure Cloud), `https://management.usgovcloudapi.net` (for Azure US Government) | Required for the agent to connect to Azure and register the cluster. |
-| `https://<region>.dp.kubernetesconfiguration.azure.com` (for Azure Cloud), `https://<region>.dp.kubernetesconfiguration.azure.us` (for Azure US Government) | Data plane endpoint for the agent to push status and fetch configuration information. |
-| `https://login.microsoftonline.com`, `https://<region>.login.microsoft.com`, `login.windows.net` (for Azure Cloud), `https://login.microsoftonline.us`, `<region>.login.microsoftonline.us` (for Azure US Government) | Required to fetch and update Azure Resource Manager tokens. |
-| `https://mcr.microsoft.com`, `https://*.data.mcr.microsoft.com` | Required to pull container images for Azure Arc agents.                                                                  |
-| `https://gbl.his.arc.azure.com` (for Azure Cloud), `https://gbl.his.arc.azure.us` (for Azure US Government) |  Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
-| `https://*.his.arc.azure.com` (for Azure Cloud), `https://usgv.his.arc.azure.us` (for Azure US Government) |  Required to pull system-assigned Managed Identity certificates. |
-|`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
-|`guestnotificationservice.azure.com`, `*.guestnotificationservice.azure.com`, `sts.windows.net`, `https://k8sconnectcsp.azureedge.net`(for Azure Cloud),  `guestnotificationservice.azure.us`, `*.guestnotificationservice.azure.us`, `sts.windows.net`, `https://k8sconnectcsp.azureedge.us` (for Azure US Government) | For [Cluster Connect](cluster-connect.md) and for [Custom Location](custom-locations.md) based scenarios. |
-|`*.servicebus.windows.net`(for Azure Cloud), `*.servicebus.usgovcloudapi.net` (for Azure US Government) | For [Cluster Connect](cluster-connect.md) and for [Custom Location](custom-locations.md) based scenarios. |
-|`https://graph.microsoft.com/` | Required when [Azure RBAC](azure-rbac.md) is configured |
+[!INCLUDE [network-requirement-principles](../includes/network-requirement-principles.md)]
 
-> [!NOTE]
-> For Azure Cloud to translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command `\GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<location>`. For Azure US Government to translate the `*.servicebus.usgovcloudapi.net` wildcard into specific endpoints, use the command `\GET https://guestnotificationservice.azure.us/urls/allowlist?api-version=2020-01-01&location=<location>`. Within these commands, the region must be specified for the `<location>` placeholder.
+[!INCLUDE [network-requirements](includes/network-requirements.md)]
 
-> [!IMPORTANT]
-> To view and manage connected clusters in the Azure portal, be sure that your network allows traffic to `*.arc.azure.net`.
+For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see [Azure Arc network requirements (Consolidated)](../network-requirements-consolidated.md).
 
 ## Create a resource group