What the best connection type to Azure Arc enable a server in 2024?

There are several ways to connect servers to Azure and enable them with Azure Arc, including using the Azure Arc Gateway. Today we will look at the options and when to use each of these.

Private Endpoints – Not an option?

I’m not considering private endpoints in my article and don’t recommend them now (Q4/2024). I understand the arguments for them, but I focus on simplicity and rely on Zero Trust, Entra ID for security. I accept that public endpoints are secure enough.

There is a full list of pro and cons shared by Microsoft in this article “https://learn.microsoft.com/en-us/azure/azure-arc/servers/private-link-security“, but I will highlight my main arguments against Private Endoints.

  • Network traffic to Microsoft Entra ID and Azure Resource Manager does not traverse the Azure Arc Private Link Scope and will continue to use your default network route to the internet. (So basically you add complexity, but the identity and basic information with the highest security requirement, will still use public endpoints).
  • Other Azure services that you will use, for example Azure Monitor, requires their own private endpoints in your virtual network.
  • Remote access to the server using Windows Admin Center or SSH is not supported over private link at this time.

I am mostly working on projects to replace Windows Terminal Server based Jump Servers with Client VPN with a Modern Server Management solution based on Windows Admin Center in Azure and Entra ID functionality, which makes Public Endpoints mandatory for me.

There is a good architectural diagram from https://azurearcjumpstart.com/ that is visualizing the need to private and public endpoints in this context including extensions.

Download the full set of Architectural Drawings from https://aka.ms/JumpstartDiagrams
Download the full set of Architectural Drawings from https://aka.ms/JumpstartDiagrams

Public Endpoint option to Azure Arc enable Server

Option 1 – Use Proxy connection / no Azure Arc Gateway

Scenario 1 - Without Arc Gateway and with Enterprise Proxy
Requirement 15+ Endpoints with >150 URLs in large scenarios
1 Squid speaks with the Firewall
Option 1 – Without Arc Gateway and with Enterprise Proxy

The first option to review is a very classic ones for servers with no direct internet connect, but the requirement to use a proxy. This option can be implemented as Azure Arc enabled Servers can be configured using a proxy.

This connection does require all the URLs required for Azure Arc enabling a server on the squid proxy and on the Firewall. The basic list, check here, is already quite long and if you wat to use extensions, than this can be > 100 URLs for >10 Endpoints.

There is a sweet spot for this scenario, which is a proxy that has no URL filter and connected to a Next Gen Firewall with a category based URL filtering and allowing all Microsoft domains. While I try to avoid Proxies these day, this is a valid scenario for network segmented servers, that should communicate with Azure through the Next Gen Firewall, but Internet Access in their network segment is restricted and requires the proxy.

Important: The azure connected machine agent does not support user authentication, so you need to implement other access control features. Check my Blog on this topcic here.

Option 2 – Use Proxy connection with Azure Arc Gateway

Scenario 2 - With Arc Gateway and with Enterprise Proxy
Small number of URLS / 1 Proxy speaks with Firewall
Option 2 – With Arc Gateway and with Enterprise Proxy
Small number of URLS / 1 Proxy speaks with Firewall

The second option to review is also for the classic scenario, where servers with no direct internet connect, but the requirement to use a proxy. This option can be implemented as Azure Arc enabled Servers can be configured using a proxy.

This scenario does help with the similiar use case like option 1, but if you are not having a Next Gen Firewall with an URL based category filter. In this scenario you can use the Azure Arc Gateway to limit the number of URLs / IP Ranges to connect even further.

If you enable the Azure Arc Gateway with a Squid proxy you can limit the number of IPs communicating with the Firewall to 1 and the number of URLs to the very short list below. This makes using it significantly simpler with non next generation firewalls, that do require IP address white listening and normally cannot handle URLs.

URLPurpose
[Your URL Prefix].gw.arc.azure.comYour gateway URL (This URL can be obtained by running az connectedmachine gateway list after you create your gateway Resource)
management.azure.comAzure Resource Manager Endpoint, required for Azure Resource Manager control channel
login.microsoftonline.comMicrosoft Entra ID’s endpoint, for acquiring Identity access tokens
gbl.his.arc.azure.comThe cloud service endpoint for communicating with Azure Arc agents
<region>.his.arc.azure.comUsed for Arc’s core control channel
packages.microsoft.comRequired to acquire Linux based Arc agentry payload, only needed to connect Linux servers to Arc
download.microsoft.comUsed to download the Windows installation package
Source: Simplify network configuration requirements through Azure Arc gateway (Limited preview)

Learn more about the Azure Arc Gateway Preview Option from Microsoft and check my full story around using and configuring it on this blog.

Option 3 – Use Azure Arc Gateway with no proxy

Option 3 is basically Option 2, but your organization is not using a proxy. This adds complexity on the Firewall as, as all servers need to be whitelisted to allow the communication port 443 using TCP to the below URLs. If you are in such an environement it is likely, that you have whitelistening for servers and can cover these changes relatively easy.

Option 3 - With Arc Gateway and no Enterprise Proxy
Small number of URLS / Many Servers speaks with Firewallgrafik
Option 3 – With Arc Gateway and no Enterprise Proxy
Small number of URLS / Many Servers speaks with Firewall
grafik

The list of URLs required is limited to the Azure Arc Gateway URLs mentioned before and listed here.

URLPurpose
[Your URL Prefix].gw.arc.azure.comYour gateway URL (This URL can be obtained by running az connectedmachine gateway list after you create your gateway Resource)
management.azure.comAzure Resource Manager Endpoint, required for Azure Resource Manager control channel
login.microsoftonline.comMicrosoft Entra ID’s endpoint, for acquiring Identity access tokens
gbl.his.arc.azure.comThe cloud service endpoint for communicating with Azure Arc agents
<region>.his.arc.azure.comUsed for Arc’s core control channel
packages.microsoft.comRequired to acquire Linux based Arc agentry payload, only needed to connect Linux servers to Arc
download.microsoft.comUsed to download the Windows installation package
Source: Simplify network configuration requirements through Azure Arc gateway (Limited preview)

Option 4 – Use direct connection

The direct connection option is the one I have seen most customers transition to. Systems and servers are moved from IP based Firewalls to Next Gen Firewalls and eliminating proxy configurations. This simplifies both the server configuration, but also the network communication. All devices are using the routing tables and most of the time the default route to the “internet”. So you can use tools like WinMTR – check my guide here – instead of tools to trace down network traffic generated using proxy configurations on the OS level and in the browser. If you have been in that business, you know how much fun tracing down the used configuration on a browser or OS based level.

Scenario 3 - Without Arc Gateway and no Proxy
Requirement 15+ Endpoints with >150 URLs in large scenarios
Many Servers speak to the Firewall
Option 4 – Without Arc Gateway and no Proxy
Requirement 15+ Endpoints with >150 URLs in large scenarios
Many Servers speak to the Firewall

This configuration would be pretty complex if implemented in a new environment, but if you allow Internet Traffic from servers to URL categories from Microsoft and you have implemented a network segmentation or groups for your Windows / Linux servers, it can actually work “instantly” without any further configuration in most modern network designs.

What option is the best one for me?

As you can see from the details shared above, the anwer to this is, it depends. To help with your decision i created this basic decision diagram to help you visualize your architectural decision options.

How to connect Azure Arc enabled server
How to connect Azure Arc enabled server

This decision is one of most important ones. I highly recommend to involve all Stakeholders in this discusion. My recommendation is to start with IT-Sec, Firewall Team, Network Team, Proxy Team, Cloud Team and your server team. Document the decision well and use the above Options as a starting point. Things can get more complex in your environment, but you will most of the time come back to the above options.

Conclusion

I prefer simple designs with a high level of automation. While it may sound like Option 4 without the proxy and the Azure Arc Gateway does require the most URLs, it comes with the toolset to simplify and automate that requirements with the URL filter support in the 2nd gen firewalls.

Especially when you have to maintain a discussion and update procedure with many stakeholders, i.e. proxy / firewall / network / server / cloud team in Option 1, than it becomes very complex. Even if this scenario has the least number of URLs and IP address configurations.

This is a very good scenario and example for the “It depends” statement.

Documentation

Download the above drawings in my favorite format draw.io from my Github Repository

Check the Azure Arc Jump Start Website and register here for it’s monthly newsletter to learn about azure arcenabled servers and how to connect machines to Azure Arc.

Spread the knowledge
Avatar for Andreas Hartig
Andreas Hartig - MVP - Cloud and Datacenter Management, Microsoft Azure

Related Posts

A dragon from the Shadow Run world working as an IT Architect and training for the Azure AZ 104 training

Azure Administrator AZ-104 – free training

When seeking the most valuable Azure Hyperscaler certification, many individuals opt for the “The Microsoft Certified: Azure Administrator Associate (AZ-104)“. Obtaining this certification demonstrates your proficiency in managing cloud services…

Spread the knowledge
Read more
A dragon IT Architect in the shadowrun world, sitting in a datacenter and deploying an Azure VPN Gateway to his HomeLab

Connect Ubiquiti UniFi UDM to Azure VPN

My homelab and private network are segmented by a Ubiquiti Unifi UDM Pro for security and using some features like WAN port load balancing and failover. When setting up my…

Spread the knowledge
Read more
AzureArcGateway

Deploy Azure Arc gateway (Limited preview 2024)

The Azure Arc Gateway introduces two new components to allow a communication between a local server to Azure using “only 7” endpoints. This is currently (09.09.2024) private preview. This requires…

Spread the knowledge
Read more
OIG3.R

Quickly test Latency to Azure Locations 2024

Which data center is the right one for you if it’s all about latency? How can you test this quickly? Challenge – What is the best region? You have a…

Spread the knowledge
Read more
firefox IerpbiJPWC

Starlink and quick Windows Admin Center in Azure in 2024

Starlink is an amazing solution to the “work anywhere” problem, and I’m using it to get ready for my sabbatical in 2026. I’m thrilled to have the chance to use…

Spread the knowledge
Read more
AzureArcSite

Get started with the new Azure Arc Site Manager

Microsoft announced another Azure Arc preview tool. Azure Arc site manager will allow you to get a quick overview over all your Azure Arc resources. What is Azure Arc site…

Spread the knowledge
Read more