Commit a4486f1

Merge pull request #18480 from MicrosoftDocs/main
Auto Publish – main to live - 2025-07-17 22:00 UTC
2 parents 72185f8 + 75fa390 commit a4486f1

7 files changed: +59 -11 lines changed


.openpublishing.redirection.aks.json

Lines changed: 5 additions & 0 deletions
@@ -1489,6 +1489,11 @@
14891489
"source_path": "AKS-Arc/tutorial-kubernetes-upgrade-cluster.md",
14901490
"redirect_url": "/azure/aks/aksarc/overview",
14911491
"redirect_document_id": false
1492+
},
1493+
{
1494+
"source_path": "AKS-Arc/aks-hci-network-system-requirements.md",
1495+
"redirect_url": "/azure/aks/aksarc/network-system-requirements",
1496+
"redirect_document_id": false
14921497
}
14931498
]
14941499
}
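
Review bot: The added entry sets `"redirect_document_id": false` for `AKS-Arc/aks-hci-network-system-requirements.md`, which this commit renames rather than retires. Please confirm `false` is intended here and that the renamed article is not expected to carry over the old article's document ID. Separately, the `redirect_url` ends in `network-system-requirements`, which matches the new file name in this commit, so the target itself looks right.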

AKS-Arc/TOC.yml

Lines changed: 1 addition & 1 deletion
@@ -25,7 +25,7 @@
2525
- name: Networking
2626
items:
2727
- name: Networking concepts and requirements
28-
href: aks-hci-network-system-requirements.md
28+
href: network-system-requirements.md
2929
- name: IP address planning
3030
href: aks-hci-ip-address-planning.md
3131
- name: Load balancer

AKS-Arc/arc-gateway-aks-arc.md

Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ ms.reviewer: srikantsarwa
99
ms.lastreviewed: 07/15/2025
1010
---
1111

12-
# Simplify network configuration requirements with AKS Arc Gateway (preview)
12+
# Simplify network configuration requirements with Azure Arc gateway (preview)
1313

1414
If you use enterprise proxies to manage outbound traffic, Azure Arc gateway can help simplify the process of enabling connectivity.
1515

AKS-Arc/aks-hci-network-system-requirements.md renamed to AKS-Arc/network-system-requirements.md

Lines changed: 18 additions & 2 deletions
@@ -2,11 +2,11 @@
22
title: AKS enabled by Azure Arc network requirements
33
description: Learn about AKS network prerequisites.
44
ms.topic: overview
5-
ms.date: 07/02/2025
5+
ms.date: 07/17/2025
66
author: sethmanheim
77
ms.author: sethm
88
ms.reviewer: srikantsarwa
9-
ms.lastreviewed: 07/10/2025
9+
ms.lastreviewed: 07/17/2025
1010
---
1111

1212
# AKS enabled by Azure Arc network requirements
@@ -86,6 +86,22 @@ When you deploy Azure Local, you allocate a contiguous block of at least [six st
8686
| 55000 | IP addresses in management network | Logical network used for AKS Arc VMs | Cloud Agent gRPC server | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port and vice-versa. |
8787
| 65000 | IP addresses in management network | Logical network used for AKS Arc VMs | Cloud Agent gRPC authentication | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port and vice-versa. |
8888

89+
## Use Azure Arc gateway (preview) with Azure Local
90+
91+
If you use [Arc gateway](/azure/azure-local/deploy/deployment-azure-arc-gateway-overview) to deploy your Azure Local cluster infrastructure, make sure that connectivity between the AKS subnet and the cluster IP is allowed on port **40343**, as follows:
92+
93+
| Destination port | Destination | Source | Description | Bi-directional cross-VLAN networking notes |
94+
|------------------|---------------------------------|---------------------------------|-----------------------------------------------------------------------------|--------------------------------------------|
95+
| **40343** | Cluster IP address | Logical network used for AKS Arc VMs | Required only when the Azure Local cluster is configured with Arc Gateway for outbound connectivity. | If you use separate VLANs or subnets, ensure that the AKS Arc VMs can reach the Azure Local cluster IP address on port **40343**, and vice versa. |
96+
97+
### Retrieve the Azure Local cluster IP address
98+
99+
You can run the following PowerShell commands on the cluster to get the IP address of the Azure Local cluster:
100+
101+
```powershell
102+
Get-ClusterResource -Name "Cluster IP Address" | Get-ClusterParameter -Name Address | Select-Object -Property Value
103+
```
104+
89105
## Next steps
90106

91107
[IP address planning and considerations for Kubernetes clusters and applications](aks-hci-ip-address-planning.md)
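
Review bot: Product naming is inconsistent inside the added section: the heading uses "Azure Arc gateway", the intro paragraph uses "Arc gateway", and the Description cell of the **40343** row uses "Arc Gateway". Pick one casing (the heading's lowercase "gateway" matches the retitled `arc-gateway-aks-arc.md` in this commit) and apply it throughout. Two smaller points: the sentence at added line 99 says "PowerShell commands" but introduces a single pipeline, and `Select-Object -Property Value` returns an object with a `Value` column rather than the bare address, so `-ExpandProperty Value` would be easier to paste into a firewall rule or script. The table row lists the cluster IP as destination and the AKS Arc VM network as source, while the notes cell says "and vice versa"; state explicitly whether a rule in the reverse direction is required so readers do not open more than needed.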

AKS-Arc/network-validation-errors.md

Lines changed: 29 additions & 3 deletions
@@ -4,9 +4,9 @@ description: Learn how to troubleshoot general network validation errors in AKS
44
author: sethmanheim
55
ms.author: sethm
66
ms.topic: troubleshooting
7-
ms.date: 05/07/2025
8-
ms.reviewer: pradwivedi
9-
ms.lastreviewed: 05/06/2025
7+
ms.date: 07/17/2025
8+
ms.reviewer: srikantsarwa
9+
ms.lastreviewed: 07/16/2025
1010

1111
---
1212

@@ -60,6 +60,32 @@ This error indicates that the required URLs are not reachable from the AKS clust
6060

6161
To resolve this error, ensure that the logical network IP addresses have outbound internet access. If there's a firewall, ensure that the [AKS required URLs](aks-hci-network-system-requirements.md#firewall-url-exceptions) are accessible from the Arc VM logical network.
6262

63+
## InternetConnectivityError (in Arc Gateway scenario)
64+
65+
Error: Network validation failed during cluster creation.
66+
67+
### Description
68+
69+
Detailed message: `Not able to connect to https://mcr.microsoft.com. Error returned: action failed after 5 attempts: Get "https://mcr.microsoft.com": proxyconnect tcp: dial tcp 192.168.2.100:40343: connect: connection refused`.
70+
71+
### Causes of failure
72+
73+
- The control plane VM can't reach the Azure Local cluster IP on port **40343**, which is required when Arc Gateway is enabled.
74+
- The firewall or network security rules block traffic between the AKS subnet and the cluster IP.
75+
- Proxy settings are incorrect, or the proxy does not allow connections to `mcr.microsoft.com`.
76+
77+
### Mitigation
78+
79+
To resolve this error, you can take the following steps:
80+
81+
- Ensure that the **AKS subnet has connectivity to the Azure Local Cluster IP on port `40343`**.
82+
- Verify that the Arc Gateway service on the Azure Local Cluster is running and listening on port `40343`.
83+
- Check firewall or NSG rules to ensure that traffic between the AKS VMs and the Cluster IP on `40343` is allowed.
84+
- Confirm that proxy settings (if used) are correct and that the proxy can forward requests to `https://mcr.microsoft.com`.
85+
- Test connectivity to `https://mcr.microsoft.com` from the control plane VM, either directly or via the configured proxy.
86+
87+
For more information, see [Use Azure Arc Gateway with Azure Local](aks-hci-network-system-requirements.md#use-azure-arc-gateway-preview-with-azure-local).
88+
6389
## VMNotReachableError
6490

6591
Error: Network validation failed during cluster creation.
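
Review bot: The "For more information" link at added line 87 targets `aks-hci-network-system-requirements.md#use-azure-arc-gateway-preview-with-azure-local`, but this same commit renames that file to `network-system-requirements.md`, so the relative link points at a file that no longer exists and relies on the new redirect to resolve. Link to `network-system-requirements.md#use-azure-arc-gateway-preview-with-azure-local` directly. The unchanged context line 61 has the same stale target (`aks-hci-network-system-requirements.md#firewall-url-exceptions`) and should be updated in the same pass. The link text "Use Azure Arc Gateway with Azure Local" also differs from the target heading "Use Azure Arc gateway (preview) with Azure Local". In the Mitigation list, the first and third bullets both say to allow traffic between the AKS subnet or VMs and the cluster IP on `40343`; consider merging them.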

azure-local/deploy/azure-verification.md

Lines changed: 2 additions & 1 deletion
@@ -7,7 +7,7 @@ ms.topic: overview
77
ms.custom:
88
- devx-track-azurepowershell
99
ms.reviewer: jlei
10-
ms.date: 03/30/2025
10+
ms.date: 07/08/2025
1111
ms.lastreviewed: 03/05/2024
1212
ms.service: azure-local
1313
---
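
Review bot: `ms.date` moves to 07/08/2025 but `ms.lastreviewed` on the next line stays at 03/05/2024, even though the following hunk changes the benefits table. If the article was reviewed for this change, update `ms.lastreviewed` as well.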
@@ -28,6 +28,7 @@ Azure verification for VM enables you to use these benefits available only on Az
2828

2929
| Workload | What it is | How to get benefits |
3030
|------------------------------------------|----------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
31+
| Azure Machine Configuration | Azure Machine Configuration (formerly known as Azure Policy Guest Configuration) is provided by Azure Instance Metadata Service (IMDS). | IMDS requires you to enable [Legacy OS support](#legacy-os-support). |
3132
| Extended Security Update (ESUs) | Get security updates at no extra cost for end-of-support SQL and Windows Server VMs on Azure Local. <br/> For more information, see [Free Extended Security Updates (ESU) on Azure Local](../manage/azure-benefits-esu.md). | You must enable [Legacy OS support](#legacy-os-support) for older VMs running version Windows Server 2012 or earlier with [Latest Servicing Stack Updates](https://msrc.microsoft.com/update-guide/advisory/ADV990001).|
3233
| Azure Virtual Desktop (AVD) | AVD session hosts can run only on Azure infrastructure. Activate your Windows multi-session VMs on Azure Local using Azure VM verification. <br/> Licensing requirements for AVD still apply. See [Azure Virtual Desktop pricing](/azure/virtual-desktop/azure-stack-hci-overview#pricing). | Activated automatically for VMs running version Windows 11 multi-session with 4B update released on April 9, 2024 (22H2: [KB5036893](https://support.microsoft.com/topic/april-9-2024-kb5036893-os-builds-22621-3447-and-22631-3447-a674a67b-85f5-4a40-8d74-5f8af8ead5bb), 21H2: [KB5036894](https://support.microsoft.com/topic/april-9-2024-kb5036894-os-build-22000-2899-165dd6e1-74be-45b7-84e3-0f2a25d375f3)) or later. You must enable [legacy OS support](#legacy-os-support) for VMs running version Windows 10 multi-session with 4B update released on April 9, 2024 [KB5036892](https://support.microsoft.com/topic/april-9-2024-kb5036892-os-builds-19044-4291-and-19045-4291-cb5d2d42-6b10-48f7-829a-be7d416a811b) or later. |
3334
| Windows Server Datacenter: Azure Edition | Azure Edition VMs can run only on Azure infrastructure, including Azure Local. Activate your [Windows Server Azure Edition](/windows-server/get-started/azure-edition) VMs and use the latest Windows Server innovations and other exclusive features. <br/> Licensing requirements still apply. See ways to [license Windows Server VMs on Azure Local](../manage/vm-activate.md?tabs=azure-portal). | Activated automatically for VMs running Windows Server Azure Edition 2022 with 4B update released on April 9, 2024 ([KB5036909](https://support.microsoft.com/topic/april-9-2024-kb5036909-os-build-20348-2402-36062ce9-f426-40c6-9fb9-ee5ab428da8c)) or later. |
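
Review bot: The new "Azure Machine Configuration" row does not fill the columns the way the other rows do. The "What it is" cell only says it "is provided by Azure Instance Metadata Service (IMDS)", which names a dependency rather than describing the workload, and the "How to get benefits" cell says "IMDS requires you to enable Legacy OS support" without saying which VMs or OS versions this applies to, unlike the ESU and AVD rows below it. Suggest one sentence on what the feature does for VMs on Azure Local, and a statement of which guests need legacy OS support enabled.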

azure-local/manage/health-service-faults.md

Lines changed: 3 additions & 3 deletions
@@ -4,7 +4,7 @@ description: Learn more about Health Service faults
44
ms.author: alkohli
55
ms.topic: how-to
66
author: alkohli
7-
ms.date: 07/15/2025
7+
ms.date: 07/16/2025
88
---
99

1010
# View Health Service faults
@@ -319,8 +319,8 @@ For a detailed overview of health faults, including fault severity mappings, hea
319319

320320
Considerations for Health Service faults:
321321

322-
- Some faults are disabled by default. To enable a fault, set the corresponding health setting to true.
323-
- For example, fault type `Microsoft.Health.FaultType.PhysicalDisk.HighLatency.AverageIO` is disabled by default. To enable it, set the health setting `System.Storage.PhysicalDisk.HighLatency.Threshold.Tail.Enabled` to true.
322+
- Some faults are disabled by default. To enable a fault, set the corresponding health setting to true. For example, fault type `Microsoft.Health.FaultType.PhysicalDisk.HighLatency.AverageIO` is disabled by default. To enable it, set the health setting `System.Storage.PhysicalDisk.HighLatency.Threshold.Tail.Enabled` to true.
323+
324324
- The health of storage enclosure components, such as fans, power supplies, and sensors are derived from SCSI Enclosure Services (SES). If your vendor doesn't provide this information, the Health Service cannot display it.
325325

326326
## Additional references
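
Review bot: In the merged bullet at added line 322, the example pairs fault type `Microsoft.Health.FaultType.PhysicalDisk.HighLatency.AverageIO` with the setting `System.Storage.PhysicalDisk.HighLatency.Threshold.Tail.Enabled`; "AverageIO" and "Tail" do not obviously correspond, so please confirm this is the setting that enables that fault before republishing the sentence. The change also leaves an empty added line 323 between the two list items, which can split the list into two when rendered; drop it if a single list is intended.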
