Merge pull request #18420 from sethmanheim/arcgtwy

Add new section on Arc Gateway

Author: sethmanheim

.openpublishing.redirection.aks.json

@@ -1489,6 +1489,11 @@
         "source_path": "AKS-Arc/tutorial-kubernetes-upgrade-cluster.md",
         "redirect_url": "/azure/aks/aksarc/overview",
         "redirect_document_id": false
+      },
+      {
+        "source_path": "AKS-Arc/aks-hci-network-system-requirements.md",
+        "redirect_url": "/azure/aks/aksarc/network-system-requirements",
+        "redirect_document_id": false
       }
     ]
   }

AKS-Arc/TOC.yml

@@ -25,7 +25,7 @@
     - name: Networking
       items:
       - name: Networking concepts and requirements
-        href: aks-hci-network-system-requirements.md
+        href: network-system-requirements.md
       - name: IP address planning
         href: aks-hci-ip-address-planning.md
       - name: Load balancer

AKS-Arc/arc-gateway-aks-arc.md

@@ -9,7 +9,7 @@ ms.reviewer: srikantsarwa
 ms.lastreviewed: 07/15/2025
 ---
 
-# Simplify network configuration requirements with AKS Arc Gateway (preview)
+# Simplify network configuration requirements with Azure Arc gateway (preview)
 
 If you use enterprise proxies to manage outbound traffic, Azure Arc gateway can help simplify the process of enabling connectivity.
 

AKS-Arc/aks-hci-network-system-requirements.md renamed to AKS-Arc/network-system-requirements.md

@@ -2,11 +2,11 @@
 title: AKS enabled by Azure Arc network requirements
 description: Learn about AKS network prerequisites.
 ms.topic: overview
-ms.date: 07/02/2025
+ms.date: 07/17/2025
 author: sethmanheim
 ms.author: sethm
 ms.reviewer: srikantsarwa
-ms.lastreviewed: 07/10/2025
+ms.lastreviewed: 07/17/2025
 ---
 
 # AKS enabled by Azure Arc network requirements
@@ -86,6 +86,22 @@ When you deploy Azure Local, you allocate a contiguous block of at least [six st
 | 55000 | IP addresses in management network | Logical network used for AKS Arc VMs | Cloud Agent gRPC server | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port and vice-versa. |
 | 65000 | IP addresses in management network | Logical network used for AKS Arc VMs | Cloud Agent gRPC authentication | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port and vice-versa. |
 
+## Use Azure Arc gateway (preview) with Azure Local
+
+If you use [Arc gateway](/azure/azure-local/deploy/deployment-azure-arc-gateway-overview) to deploy your Azure Local cluster infrastructure, make sure that connectivity between the AKS subnet and the cluster IP is allowed on port **40343**, as follows:
+
+| Destination port | Destination                     | Source                          | Description                                                                 | Bi-directional cross-VLAN networking notes |
+|------------------|---------------------------------|---------------------------------|-----------------------------------------------------------------------------|--------------------------------------------|
+| **40343**        | Cluster IP address |  Logical network used for AKS Arc VMs | Required only when the Azure Local cluster is configured with Arc Gateway for outbound connectivity. | If you use separate VLANs or subnets, ensure that the AKS Arc VMs can reach the Azure Local cluster IP address on port **40343**, and vice versa. |
+
+### Retrieve the Azure Local cluster IP address
+
+You can run the following PowerShell commands on the cluster to get the IP address of the Azure Local cluster:
+
+```powershell
+Get-ClusterResource -Name "Cluster IP Address" | Get-ClusterParameter -Name Address | Select-Object -Property Value
+```
+
 ## Next steps
 
 [IP address planning and considerations for Kubernetes clusters and applications](aks-hci-ip-address-planning.md)

AKS-Arc/network-validation-errors.md

@@ -4,9 +4,9 @@ description: Learn how to troubleshoot general network validation errors in AKS
 author: sethmanheim
 ms.author: sethm
 ms.topic: troubleshooting
-ms.date: 05/07/2025
-ms.reviewer: pradwivedi
-ms.lastreviewed: 05/06/2025
+ms.date: 07/17/2025
+ms.reviewer: srikantsarwa
+ms.lastreviewed: 07/16/2025
 
 ---
 
@@ -60,6 +60,32 @@ This error indicates that the required URLs are not reachable from the AKS clust
 
 To resolve this error, ensure that the logical network IP addresses have outbound internet access. If there's a firewall, ensure that the [AKS required URLs](aks-hci-network-system-requirements.md#firewall-url-exceptions) are accessible from the Arc VM logical network.
 
+## InternetConnectivityError (in Arc Gateway scenario)
+
+Error: Network validation failed during cluster creation.
+
+### Description
+
+Detailed message: `Not able to connect to https://mcr.microsoft.com. Error returned: action failed after 5 attempts: Get "https://mcr.microsoft.com": proxyconnect tcp: dial tcp 192.168.2.100:40343: connect: connection refused`.
+
+### Causes of failure
+
+- The control plane VM can't reach the Azure Local cluster IP on port **40343**, which is required when Arc Gateway is enabled.
+- The firewall or network security rules block traffic between the AKS subnet and the cluster IP.
+- Proxy settings are incorrect, or the proxy does not allow connections to `mcr.microsoft.com`.
+
+### Mitigation
+
+To resolve this error, you can take the following steps:
+
+- Ensure that the **AKS subnet has connectivity to the Azure Local Cluster IP on port `40343`**.  
+- Verify that the Arc Gateway service on the Azure Local Cluster is running and listening on port `40343`.  
+- Check firewall or NSG rules to ensure that traffic between the AKS VMs and the Cluster IP on `40343` is allowed.  
+- Confirm that proxy settings (if used) are correct and that the proxy can forward requests to `https://mcr.microsoft.com`.  
+- Test connectivity to `https://mcr.microsoft.com` from the control plane VM, either directly or via the configured proxy.
+
+For more information, see [Use Azure Arc Gateway with Azure Local](aks-hci-network-system-requirements.md#use-azure-arc-gateway-preview-with-azure-local).
+
 ## VMNotReachableError
 
 Error: Network validation failed during cluster creation.