Merge pull request #266435 from JnHs/jh-arc-rbnetreqk8

display k8s requirements

Author: American-Dipper

articles/azure-arc/kubernetes/includes/network-requirements-azure-china.md

@@ -0,0 +1,26 @@
+---
+ms.service: azure-arc
+ms.topic: include
+ms.date: 02/15/2024
+---
+
+> [!IMPORTANT]
+> Azure Arc agents require the following outbound URLs on `https://:443` to function.
+> For `*.servicebus.chinacloudapi.cn`, websockets need to be enabled for outbound access on firewall and proxy.
+
+| Endpoint (DNS) | Description |
+| ----------------- | ------------- |
+| `https://management.chinacloudapi.cn` | Required for the agent to connect to Azure and register the cluster. |
+| `https://<region>.dp.kubernetesconfiguration.azure.cn` | Data plane endpoint for the agent to push status and fetch configuration information. |
+| `https://login.chinacloudapi.cn`<br/>`https://<region>.login.chinacloudapi.cn`<br/>`login.partner.microsoftonline.cn`| Required to fetch and update Azure Resource Manager tokens. |
+| `mcr.azk8s.cn` | Required to pull container images for Azure Arc agents.          |
+| `https://gbl.his.arc.azure.cn` |  Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
+| `https://*.his.arc.azure.cn` |  Required to pull system-assigned Managed Identity certificates. |
+|`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
+|`guestnotificationservice.azure.cn`<br/>`*.guestnotificationservice.azure.cn`<br/>`sts.chinacloudapi.cn`<br/>`https://k8sconnectcsp.azureedge.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
+|`*.servicebus.chinacloudapi.cn` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
+|`https://graph.chinacloudapi.cn/` | Required when [Azure RBAC](../azure-rbac.md) is configured. |
+|`*.arc.azure.cn` | Required to manage connected clusters in Azure portal.|
+|`https://<region>.obo.arc.azure.cn:8084/` | Required when [Cluster Connect](../cluster-connect.md) is configured. |
+|`dl.k8s.io`| Required when [automatic agent upgrade](../agent-upgrade.md#toggle-automatic-upgrade-on-or-off-when-connecting-a-cluster-to-azure-arc) is enabled. |
+|`quay.azk8s.cn`<br/>`registryk8s.azk8s.cn`<br/>`k8sgcr.azk8s.cn`<br/>`usgcr.azk8s.cn`<br/>`dockerhub.azk8s.cn/<repo-name>/<image-name>:<version>`|Container registry proxy servers for Azure China VMs.|

articles/azure-arc/kubernetes/includes/network-requirements-azure-cloud.md

@@ -0,0 +1,33 @@
+---
+ms.service: azure-arc
+ms.topic: include
+ms.date: 02/15/2024
+---
+
+> [!IMPORTANT]
+> Azure Arc agents require the following outbound URLs on `https://:443` to function.
+> For `*.servicebus.windows.net`, websockets need to be enabled for outbound access on firewall and proxy.
+
+| Endpoint (DNS) | Description |
+| ----------------- | ------------- |
+| `https://management.azure.com` | Required for the agent to connect to Azure and register the cluster. |
+| `https://<region>.dp.kubernetesconfiguration.azure.com` | Data plane endpoint for the agent to push status and fetch configuration information. |
+| `https://login.microsoftonline.com`<br/>`https://<region>.login.microsoft.com`<br/>`login.windows.net`| Required to fetch and update Azure Resource Manager tokens. |
+| `https://mcr.microsoft.com`<br/>`https://*.data.mcr.microsoft.com` | Required to pull container images for Azure Arc agents.        |
+| `https://gbl.his.arc.azure.com` |  Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
+| `https://*.his.arc.azure.com` |  Required to pull system-assigned Managed Identity certificates. |
+|`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
+|`guestnotificationservice.azure.com`<br/>`*.guestnotificationservice.azure.com`<br/>`sts.windows.net`<br/>`https://k8sconnectcsp.azureedge.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
+|`*.servicebus.windows.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
+|`https://graph.microsoft.com/` | Required when [Azure RBAC](../azure-rbac.md) is configured. |
+| `*.arc.azure.net`| Required to manage connected clusters in Azure portal. |
+|`https://<region>.obo.arc.azure.com:8084/` | Required when [Cluster Connect](../cluster-connect.md) is configured. |
+|`dl.k8s.io`| Required when [automatic agent upgrade](../agent-upgrade.md#toggle-automatic-upgrade-on-or-off-when-connecting-a-cluster-to-azure-arc) is enabled. |
+
+To translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command:
+
+```rest
+GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>
+```
+
+[!INCLUDE [arc-region-note](../../includes/arc-region-note.md)]

articles/azure-arc/kubernetes/includes/network-requirements-azure-government.md

@@ -0,0 +1,32 @@
+---
+ms.service: azure-arc
+ms.topic: include
+ms.date: 02/15/2024
+---
+
+> [!IMPORTANT]
+> Azure Arc agents require the following outbound URLs on `https://:443` to function.
+> For `*.servicebus.usgovcloudapi.net`, websockets need to be enabled for outbound access on firewall and proxy.
+
+| Endpoint (DNS) | Description |
+| ----------------- | ------------- |
+|`https://management.usgovcloudapi.net`  | Required for the agent to connect to Azure and register the cluster. |
+| `https://<region>.dp.kubernetesconfiguration.azure.us` | Data plane endpoint for the agent to push status and fetch configuration information. |
+| `https://login.microsoftonline.us`<br/>`<region>.login.microsoftonline.us` | Required to fetch and update Azure Resource Manager tokens. |
+| `https://mcr.microsoft.com`<br/>`https://*.data.mcr.microsoft.com` | Required to pull container images for Azure Arc agents.       |
+| `https://gbl.his.arc.azure.us` |  Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
+| `https://usgv.his.arc.azure.us` |  Required to pull system-assigned Managed Identity certificates. |
+|`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
+|`guestnotificationservice.azure.us`<br/>`*.guestnotificationservice.azure.us`<br/>`sts.windows.net`<br/>`https://k8sconnectcsp.azureedge.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
+|`*.servicebus.usgovcloudapi.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
+|`https://graph.microsoft.com/` | Required when [Azure RBAC](../azure-rbac.md) is configured. |
+|`https://usgovvirginia.obo.arc.azure.us:8084/` | Required when [Cluster Connect](../cluster-connect.md) is configured. |
+|`dl.k8s.io`| Required when [automatic agent upgrade](../agent-upgrade.md#toggle-automatic-upgrade-on-or-off-when-connecting-a-cluster-to-azure-arc) is enabled. |
+
+To translate the `*.servicebus.usgovcloudapi.net` wildcard into specific endpoints, use the command:
+
+```rest
+GET https://guestnotificationservice.azure.us/urls/allowlist?api-version=2020-01-01&location=region
+```
+
+[!INCLUDE [arc-region-note](../../includes/arc-region-note.md)]

articles/azure-arc/kubernetes/includes/network-requirements.md

@@ -1,87 +1,17 @@
 ---
 ms.service: azure-arc
 ms.topic: include
-ms.date: 09/28/2023
+ms.date: 02/15/2024
 ---
 
 ### [Azure Cloud](#tab/azure-cloud)
 
-> [!IMPORTANT]
-> Azure Arc agents require the following outbound URLs on `https://:443` to function.
-> For `*.servicebus.windows.net`, websockets need to be enabled for outbound access on firewall and proxy.
-
-| Endpoint (DNS) | Description |
-| ----------------- | ------------- |
-| `https://management.azure.com` | Required for the agent to connect to Azure and register the cluster. |
-| `https://<region>.dp.kubernetesconfiguration.azure.com` | Data plane endpoint for the agent to push status and fetch configuration information. |
-| `https://login.microsoftonline.com`<br/>`https://<region>.login.microsoft.com`<br/>`login.windows.net`| Required to fetch and update Azure Resource Manager tokens. |
-| `https://mcr.microsoft.com`<br/>`https://*.data.mcr.microsoft.com` | Required to pull container images for Azure Arc agents.        |
-| `https://gbl.his.arc.azure.com` |  Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
-| `https://*.his.arc.azure.com` |  Required to pull system-assigned Managed Identity certificates. |
-|`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
-|`guestnotificationservice.azure.com`<br/>`*.guestnotificationservice.azure.com`<br/>`sts.windows.net`<br/>`https://k8sconnectcsp.azureedge.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
-|`*.servicebus.windows.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
-|`https://graph.microsoft.com/` | Required when [Azure RBAC](../azure-rbac.md) is configured. |
-| `*.arc.azure.net`| Required to manage connected clusters in Azure portal. |
-|`https://<region>.obo.arc.azure.com:8084/` | Required when [Cluster Connect](../cluster-connect.md) is configured. |
-|`dl.k8s.io`| Required when [automatic agent upgrade](../agent-upgrade.md#toggle-automatic-upgrade-on-or-off-when-connecting-a-cluster-to-azure-arc) is enabled. |
-
-To translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command:
-
-```rest
-GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>
-```
-
-[!INCLUDE [arc-region-note](../../includes/arc-region-note.md)]
+[!INCLUDE [network-requirements-azure-cloud.md](network-requirements-azure-cloud.md)]
 
 ### [Azure Government](#tab/azure-government)
 
-> [!IMPORTANT]
-> Azure Arc agents require the following outbound URLs on `https://:443` to function.
-> For `*.servicebus.usgovcloudapi.net`, websockets need to be enabled for outbound access on firewall and proxy.
-
-| Endpoint (DNS) | Description |
-| ----------------- | ------------- |
-|`https://management.usgovcloudapi.net`  | Required for the agent to connect to Azure and register the cluster. |
-| `https://<region>.dp.kubernetesconfiguration.azure.us` | Data plane endpoint for the agent to push status and fetch configuration information. |
-| `https://login.microsoftonline.us`<br/>`<region>.login.microsoftonline.us` | Required to fetch and update Azure Resource Manager tokens. |
-| `https://mcr.microsoft.com`<br/>`https://*.data.mcr.microsoft.com` | Required to pull container images for Azure Arc agents.       |
-| `https://gbl.his.arc.azure.us` |  Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
-| `https://usgv.his.arc.azure.us` |  Required to pull system-assigned Managed Identity certificates. |
-|`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
-|`guestnotificationservice.azure.us`<br/>`*.guestnotificationservice.azure.us`<br/>`sts.windows.net`<br/>`https://k8sconnectcsp.azureedge.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
-|`*.servicebus.usgovcloudapi.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
-|`https://graph.microsoft.com/` | Required when [Azure RBAC](../azure-rbac.md) is configured. |
-|`https://usgovvirginia.obo.arc.azure.us:8084/` | Required when [Cluster Connect](../cluster-connect.md) is configured. |
-|`dl.k8s.io`| Required when [automatic agent upgrade](../agent-upgrade.md#toggle-automatic-upgrade-on-or-off-when-connecting-a-cluster-to-azure-arc) is enabled. |
-
-To translate the `*.servicebus.usgovcloudapi.net` wildcard into specific endpoints, use the command:
-
-```rest
-GET https://guestnotificationservice.azure.us/urls/allowlist?api-version=2020-01-01&location=region
-```
-
-[!INCLUDE [arc-region-note](../../includes/arc-region-note.md)]
+[!INCLUDE [network-requirements-azure-government.md](network-requirements-azure-government.md)]
 
 #### [Microsoft Azure operated by 21Vianet](#tab/azure-china)
 
-> [!IMPORTANT]
-> Azure Arc agents require the following outbound URLs on `https://:443` to function.
-> For `*.servicebus.chinacloudapi.cn`, websockets need to be enabled for outbound access on firewall and proxy.
-
-| Endpoint (DNS) | Description |
-| ----------------- | ------------- |
-| `https://management.chinacloudapi.cn` | Required for the agent to connect to Azure and register the cluster. |
-| `https://<region>.dp.kubernetesconfiguration.azure.cn` | Data plane endpoint for the agent to push status and fetch configuration information. |
-| `https://login.chinacloudapi.cn`<br/>`https://<region>.login.chinacloudapi.cn`<br/>`login.partner.microsoftonline.cn`| Required to fetch and update Azure Resource Manager tokens. |
-| `mcr.azk8s.cn` | Required to pull container images for Azure Arc agents.          |
-| `https://gbl.his.arc.azure.cn` |  Required to get the regional endpoint for pulling system-assigned Managed Identity certificates. |
-| `https://*.his.arc.azure.cn` |  Required to pull system-assigned Managed Identity certificates. |
-|`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
-|`guestnotificationservice.azure.cn`<br/>`*.guestnotificationservice.azure.cn`<br/>`sts.chinacloudapi.cn`<br/>`https://k8sconnectcsp.azureedge.net` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
-|`*.servicebus.chinacloudapi.cn` | For [Cluster Connect](../cluster-connect.md) and for [Custom Location](../custom-locations.md) based scenarios. |
-|`https://graph.chinacloudapi.cn/` | Required when [Azure RBAC](../azure-rbac.md) is configured. |
-|`*.arc.azure.cn` | Required to manage connected clusters in Azure portal.|
-|`https://<region>.obo.arc.azure.cn:8084/` | Required when [Cluster Connect](../cluster-connect.md) is configured. |
-|`dl.k8s.io`| Required when [automatic agent upgrade](../agent-upgrade.md#toggle-automatic-upgrade-on-or-off-when-connecting-a-cluster-to-azure-arc) is enabled. |
-|`quay.azk8s.cn`<br/>`registryk8s.azk8s.cn`<br/>`k8sgcr.azk8s.cn`<br/>`usgcr.azk8s.cn`<br/>`dockerhub.azk8s.cn/<repo-name>/<image-name>:<version>`|Container registry proxy servers for Azure China VMs.|
+[!INCLUDE [network-requirements-azure-china.md](network-requirements-azure-china.md)]

articles/azure-arc/network-requirements-consolidated.md

@@ -19,6 +19,7 @@ Connectivity to the Arc Kubernetes-based endpoints is required for all Kubernete
 - Azure Arc-enabled App services
 - Azure Arc-enabled Machine Learning
 - Azure Arc-enabled data services (direct connectivity mode only)
+- Azure Arc resource bridge
 
 [!INCLUDE [network-requirements](kubernetes/includes/network-requirements.md)]
 

articles/azure-arc/resource-bridge/includes/network-requirements.md

@@ -1,6 +1,6 @@
 ---
 ms.topic: include
-ms.date: 06/02/2023
+ms.date: 02/15/2024
 ---
 
 ### Outbound connectivity
@@ -9,9 +9,6 @@ The firewall and proxy URLs below must be allowlisted in order to enable communi
 
 ### Firewall/Proxy URL allowlist
 
->[!Note]
->To configure SSL proxy and to view the exclusion list for no proxy, see [Additional network requirements](/azure/azure-arc/resource-bridge/network-requirements#additional-network-requirements).
-
 |**Service**|**Port**|**URL**|**Direction**|**Notes**|
 |--|--|--|--|--|
 |SFS API endpoint | 443 | `msk8s.api.cdp.microsoft.com` | Management machine & Appliance VM IPs need outbound connection. | Download product catalog, product bits, and OS images from SFS. |
@@ -31,4 +28,4 @@ The firewall and proxy URLs below must be allowlisted in order to enable communi
 |Python package| 443 | `*.pypi.org`| Management machine needs outbound connection. | Validate Kubernetes and Python versions.|
 |Azure CLI| 443 | `*.pythonhosted.org`| Management machine needs outbound connection. | Python packages for Azure CLI installation.|
 |Diagnostic data | 443 | `gcs.prod.monitoring.core.windows.net`	|	Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
-|Windows NTP Server| 123 | `time.windows.com` | Appliance VM & Management machine (if HyperV default is Windows NTP) need outbound connection on UDP | OS time sync in appliance VM & Management machine (Windows NTP).|
+|Windows NTP Server| 123 | `time.windows.com` | Appliance VM & Management machine (if Hyper-V default is Windows NTP) need outbound connection on UDP | OS time sync in appliance VM & Management machine (Windows NTP).|

articles/azure-arc/resource-bridge/network-requirements.md

@@ -2,7 +2,7 @@
 title: Azure Arc resource bridge network requirements
 description: Learn about network requirements for Azure Arc resource bridge including URLs that must be allowlisted.
 ms.topic: conceptual
-ms.date: 11/03/2023
+ms.date: 02/15/2024
 ---
 
 # Azure Arc resource bridge network requirements
@@ -17,9 +17,9 @@ Arc resource bridge communicates outbound securely to Azure Arc over TCP port 44
 
 [!INCLUDE [network-requirements](includes/network-requirements.md)]
 
-## Additional network requirements
+In addition, Arc resource bridge requires connectivity to the Arc-enabled Kubernetes endpoints shown here.
 
-In addition, Arc resource bridge requires connectivity to the [Arc-enabled Kubernetes endpoints](../network-requirements-consolidated.md?tabs=azure-cloud).
+[!INCLUDE [network-requirements-azure-cloud](../kubernetes/includes/network-requirements-azure-cloud.md)]
 
 > [!NOTE]
 > The URLs listed here are required for Arc resource bridge only. Other Arc products (such as Arc-enabled VMware vSphere) may have additional required URLs. For details, see [Azure Arc network requirements](../network-requirements-consolidated.md).