azure-local/deploy/deployment-azure-arc-gateway-overview.md
+40 -38 (40 additions & 38 deletions)
@@ -3,7 +3,7 @@ title: Overview of Azure Arc gateway for Azure Local, version 23H2 (preview)
3
3
description: Learn what is Azure Arc gateway for Azure Local, version 23H2 (preview).
4
4
author: alkohli
5
5
ms.topic: how-to
6
-
ms.date: 04/23/2025
6
+
ms.date: 05/08/2025
7
7
ms.author: alkohli
8
8
ms.service: azure-local
9
9
---
@@ -42,19 +42,19 @@ When Arc gateway is used, the *http* and *https* traffic flow changes as follows
42
42
43
43
1. Based on the configuration in the Arc gateway, if allowed, the traffic is sent to target services. If not allowed, Arc proxy redirects this traffic to the enterprise proxy (or direct outbound if no proxy set). Arc proxy automatically determines the right path for the endpoint.
44
44
45
-
**Traffic flow for Arc appliance Arc Resource Bridge (ARB) and AKS control plane**
45
+
**Traffic flow for Arc appliance Azure Arc resource bridge and AKS control plane**
46
46
47
-
1.The routable IP (failover clustered IP resource as of now) is used to forward the traffic through Arc proxy running on the Azure Local host machines.
47
+
1.Routable IP (failover clustered IP resource as of now) is used to forward the traffic through Arc proxy running on the Azure Local host machines.
48
48
49
-
1.ARB and AKS forward proxy are configured to use the routable IP.
49
+
1.Azure Arc resource bridge and Azure Kubernetes Service (AKS) forward proxy are configured to use routable IP.
50
50
51
-
1. With the proxy settings in place, ARB, and AKS outbound traffic is forwarded to Arc Proxy running on one of the Azure Local machines over the routable IP.
51
+
1. With proxy settings in place, Arc resource bridge, and AKS outbound traffic is forwarded to Arc Proxy running on one of the Azure Local machines over routable IP.
52
52
53
-
1.Once the traffic reaches Arc proxy, the remaining flow takes the same path as described. If traffic to the target service is allowed, it is sent to Arc gateway. If not, it is sent to the enterprise proxy (or direct outbound if no proxy set). For AKS specifically, this path is used for downloading docker images for Arc Agentry and Arc Extension Pods.
53
+
1.When traffic reaches the Arc proxy, the remaining flow takes the same path as described. If traffic to the target service is allowed, it is sent to Arc gateway. If not, it's sent to the enterprise proxy (or direct outbound if no proxy set). For AKS specifically, this path is used for downloading docker images for Arc Agentry and Arc Extension Pods.
54
54
55
55
**Traffic flow for Azure Local VMs**
56
56
57
-
*Http* and *https* traffic are forwarded to the enterprise proxy. Arc proxy inside an Azure Local VM enabled by Arc is not yet supported in this version.
57
+
HTTP and HTTPS traffic are forwarded to the enterprise proxy. Arc proxy inside an Azure Local virtual machine (VM) enabled by Arc is not yet supported in this version.
58
58
59
59
Traffic flows are illustrated in the following diagram:
60
60
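Review bot: the added steps under "Traffic flow for Arc appliance ..." name the same components inconsistently: the heading and step 2 use "Azure Arc resource bridge", step 3 uses "Arc resource bridge", and step 3 keeps "Arc Proxy" while step 4 and the preceding list use "Arc proxy". Pick one form for each and use it throughout. Step 3 also carries over the stray comma from the old text ("Arc resource bridge, and AKS outbound traffic is forwarded"), the new heading reads "Arc appliance Azure Arc resource bridge", which names the component twice, and AKS is expanded in step 2 although the heading already uses the abbreviation. As rendered here, steps 1, 2 and 4 have no space after `1.`, which Markdown needs in order to treat them as list items; check the source file.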
@@ -81,50 +81,52 @@ The list of supported endpoints by the Arc gateway in Azure Local will increase
81
81
You can use the Arc gateway in the following scenario for Azure Local versions 2411.1 or later:
82
82
83
83
- Enable Arc gateway during deployment of new Azure Local instances running versions 2411.1 or later.
84
-
- The Arc gateway resource must be created on the same subscription where you are planning to deploy your Azure Local instance.
84
+
- The Arc gateway resource must be created on the same subscription where you're planning to deploy your Azure Local instance.
85
85
86
86
Unsupported scenarios for Azure Local include:
87
87
88
-
- Enabling Arc gateway after deployment is not supported.
88
+
- Enabling Arc gateway after deployment isn't supported.
89
89
90
90
## Azure Local endpoints not redirected
91
91
92
92
The endpoints from the table are required and must be allowlisted in your proxy or firewall to deploy the Azure Local instance:
| 13 |`http://files.pythonhosted.org:443`| Not required starting with 2504 new deployments. Microsoft On-premises Cloud/ARB/AKS |
109
+
| 14 |`http://pypi.org:443`| Not required starting with 2504 new deployments. Microsoft On-premises Cloud/ARB/AKS |
110
+
| 15 |`http://raw.githubusercontent.com:443`| Not required starting with 2504 new deployments. Microsoft On-premises Cloud/ARB/AKS |
111
+
| 16 |`http://pythonhosted.org:443`| Not required starting with 2504 new deployments. Microsoft On-premises Cloud/ARB/AKS |
112
+
| 17 |`http://ocsp.digicert.com`| Certificate Revocation List for Arc extensions |
113
+
| 18 |`http://s.symcd.com`| Certificate Revocation List for Arc extensions |
114
+
| 19 |`http://ts-ocsp.ws.symantec.com`| Certificate Revocation List for Arc extensions |
115
+
| 20 |`http://ocsp.globalsign.com`| Certificate Revocation List for Arc extensions |
116
+
| 21 |`http://ocsp2.globalsign.com`| Certificate Revocation List for Arc extensions |
117
+
| 22 |`http://oneocsp.microsoft.com`| Certificate Revocation List for Arc extensions |
118
+
| 23 |`http://crl.microsoft.com/pkiinfra`| Certificate Revocation List for Arc extensions |
119
+
| 24 |`http://dl.delivery.mp.microsoft.com`| Windows Update |
120
+
| 25 |`http://*.tlu.dl.delivery.mp.microsoft.com`| Windows Update |
121
+
| 26 |`http://*.windowsupdate.com`| Windows Update |
122
+
| 27 |`http://*.windowsupdate.microsoft.com`| Windows Update |
123
+
| 28 |`http://*.update.microsoft.com`| Windows Update |
122
124
123
125
## Restrictions and limitations
124
126
125
127
Consider the following limitations of Arc gateway in this release:
126
128
127
-
- TLS terminating proxies aren't supported with the Arc gateway preview.
129
+
-Transport Layer Security (TLS) terminating proxies aren't supported with the Arc gateway preview.
128
130
- Use of ExpressRoute, Site-to-Site VPN, or Private Endpoints in addition to the Arc gateway (preview) isn't supported.
129
131
130
132
## Create the Arc gateway resource in Azure
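Review bot: rows 13 to 16 of the added endpoint table pair an `http://` scheme with port 443 (for example `http://pypi.org:443`), which leaves it unclear whether the proxy or firewall rule should allow plain HTTP or TLS on 443; if these are HTTPS endpoints, write them as `https://` so the allowlist entry matches the traffic. Rows 17 to 22 are labelled "Certificate Revocation List", but several of the hosts are named as OCSP responders (`ocsp.digicert.com`, `oneocsp.microsoft.com`), so a label such as "certificate revocation checking" would be more accurate. These rows also still say "ARB" while the earlier hunk replaces that abbreviation with "Azure Arc resource bridge", and the reworded TLS bullet as rendered has no space after the leading hyphen.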
@@ -135,7 +137,7 @@ You can create an Arc gateway resource using the Azure portal, Azure CLI, or Azu
135
137
136
138
1. Sign in to [Azure portal](https://ms.portal.azure.com/).
137
139
1. Go to the **Azure Arc > Azure Arc gateway** page, then select **Create**.
138
-
1. Select the subscription where you are planning to deploy your Azure Local instance.
140
+
1. Select the subscription where you're planning to deploy your Azure Local instance.
139
141
1. For **Name**, enter the name for the Arc gateway resource.
140
142
1. For **Location**, enter the region where the Arc gateway resource should live. An Arc gateway resource is used by any Arc-enabled resource in the same Azure tenant.
141
143
1. Select **Next**.
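Review bot: the reworded subscription step ("Select the subscription where you're planning to deploy your Azure Local instance") sits two steps above the unchanged Location step, which says the gateway resource "is used by any Arc-enabled resource in the same Azure tenant"; read together, the two steps give conflicting scopes. Since the supported-scenarios section requires the gateway to be in the same subscription as the Azure Local instance, state in the Location step whether the tenant-wide wording applies to Azure Local or only to other Arc-enabled resources.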
@@ -180,7 +182,7 @@ The gateway creation process takes 9-10 minutes to complete.
180
182
181
183
## Detach or change the Arc gateway association from the machine
182
184
183
-
To detach the gateway resource from your Arc-enabled server, set the gateway resource ID to `null`. To attach your Arc-enabled server to another Arc gateway resource just update the name and resource ID with the new Arc gateway information:
185
+
To detach the gateway resource from your Arc-enabled server, set the gateway resource ID to `null`. To attach your Arc-enabled server to another Arc gateway resource, update the name and resource ID with the new Arc gateway information:
184
186
185
187
```azurecli
186
188
az arcgateway settings update --resource-group <Resource Group> --subscription <subscription name> --base-provider Microsoft.HybridCompute --base-resource-type machines --base-resource-name <Arc-enabled server name> --gateway-resource-id "
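Review bot: the reworded sentence says to "update the name and resource ID with the new Arc gateway information", but the command below it exposes `--base-resource-name` (the server name) and `--gateway-resource-id`, so it is not clear which name the reader is meant to change. Name the parameters explicitly in the sentence, and say how `null` is passed to `--gateway-resource-id` when detaching. The heading says "from the machine" while the body says "Arc-enabled server"; use one term. The placeholders are also styled three different ways (`<Resource Group>`, `<subscription name>`, `<Arc-enabled server name>`).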