Introduction
As organizations increasingly adopt hybrid and multi-cloud strategies, managing distributed infrastructure efficiently while maintaining security and compliance becomes a critical challenge. Microsoft’s Azure Arc Gateway for Azure Local, currently in public preview, addresses this by streamlining network configurations and reducing the complexity of connecting on-premises environments to Azure. This blog explores the Azure Arc Gateway for Azure Local, its components, benefits, and how to get started, based on the latest insights from Microsoft’s documentation.
What is Azure Arc Gateway for Azure Local?
Azure Arc Gateway is a feature designed to simplify network connectivity for Azure Arc-enabled resources, particularly for Azure Local deployments. The Arc Gateway reduces the number of endpoints required to deploy and manage Azure Local instances, making it easier to integrate on-premises environments with Azure services.
The Azure Arc Gateway for Azure Local is available for new deployments running software version 2408 and later, with enhanced capabilities in version 2411.1 and beyond. It’s currently in preview, meaning it’s subject to Microsoft’s Supplemental Terms of Use for Azure Previews.
Key Components
The Azure Arc Gateway operates through two primary components:
- Arc Gateway Resource: An Azure resource that serves as a single entry point for Azure traffic. It’s hosted on a specific domain/URL, which is provided upon successful creation of the resource. This reduces the need to configure multiple endpoints in enterprise firewalls or proxies.
- Arc Proxy: A service embedded within the Azure Arc agents, running as the “Azure Arc Proxy” on Azure Local machines. It acts as a forward proxy, routing traffic from Arc agents and extensions to the Arc Gateway or, if not allowed, to an enterprise proxy (or direct outbound if no proxy is set). No manual configuration is required for the Arc Proxy.
Traffic Flows
Azure Local host operating system components
- OS proxy settings are used to route all HTTPS host traffic through Arc proxy.
- From Arc proxy, the traffic is forwarded to Arc gateway.
- Based on the configuration in the Arc gateway, if allowed, the traffic is sent to target services. If not allowed, Arc proxy redirects this traffic to the enterprise proxy (or direct outbound if no proxy set). Arc proxy automatically determines the right path for the endpoint.
Arc appliance (Azure Arc resource bridge) and AKS control plane
- Routable IP (failover clustered IP resource as of now) is used to forward the traffic through Arc proxy running on the Azure Local host machines.
- Azure Arc resource bridge and Azure Kubernetes Service (AKS) forward proxy are configured to use routable IP.
- With proxy settings in place, Arc resource bridge and AKS outbound traffic is forwarded over the routable IP to the Arc proxy running on one of the Azure Local machines.
- When traffic reaches the Arc proxy, the remaining flow takes the same path as described. If traffic to the target service is allowed, it is sent to Arc gateway. If not, it’s sent to the enterprise proxy (or direct outbound if no proxy set). For AKS specifically, this path is used for downloading docker images for Arc Agentry and Arc Extension Pods.
Azure Local VMs
HTTP and HTTPS traffic are forwarded to the enterprise proxy. Arc proxy inside an Azure Local virtual machine (VM) enabled by Arc is not yet supported in this version.
Benefits of Azure Arc Gateway for Azure Local
The Azure Arc Gateway offers several advantages for organizations deploying Azure Local:
- Simplified Network Configuration: By reducing the number of required endpoints to less than ten (which is the end goal), the Arc Gateway minimises the complexity of configuring firewalls and proxies. This is a significant improvement over traditional setups, which could require whitelisting over 100 URLs.
- Enhanced Security: The Arc Gateway provides a single, auditable entry point for Azure traffic, improving visibility and control. Organizations can monitor and audit traffic via the Arc Proxy logs, ensuring compliance with security policies.
- Scalability for Distributed Environments: Azure Local, enabled by Azure Arc, supports distributed locations like retail stores, factories, or regulated industries requiring local data residency. The Arc Gateway simplifies connectivity for these scenarios, enabling consistent management across hybrid environments.
- Seamless Integration with Azure Services: The Arc Gateway facilitates the use of Azure services like Azure Monitor, Microsoft Defender for Cloud, and AKS on Azure Local, ensuring a unified management experience from the Azure portal.
Limitations to Consider
As a preview feature, the Azure Arc Gateway has some constraints:
- TLS Terminating Proxies: Not supported during the preview phase.
- ExpressRoute/Site-to-Site VPN: These are not compatible with the Arc Gateway.
- Private Endpoints: Not supported in conjunction with the Arc Gateway.
- Resource Limits: A maximum of five Arc Gateway resources per Azure subscription.
- Endpoint Coverage: Not all data plane endpoints are covered; additional endpoints may need to be allowlisted for specific scenarios.
Organizations should review these limitations when planning deployments and consult Microsoft’s documentation for updates as the feature matures.
Getting Started with Azure Arc Gateway for Azure Local
Prerequisites
Before deploying the Arc Gateway, ensure the following:
- Azure Local deployment running software version 2411.1 or later.
- Required Azure permissions to create Arc Gateway resources and manage associations with Azure Local instances.
- Enterprise firewall or proxy configured to allow the Arc Gateway URL and additional required endpoints (e.g., Azure Resource Manager, Microsoft Entra ID).
- Azure CLI version 1.4.23 or later (or use Azure CloudShell, which includes the latest version).
Creating the Arc Gateway Resource
You can create an Arc Gateway resource using the Azure portal, Azure CLI, or Azure PowerShell. Here’s a step-by-step guide using the Azure portal:
- Sign in to Azure portal.
- Go to the Azure Arc > Azure Arc gateway page, then select Create.
- Select the subscription where you’re planning to deploy your Azure Local instance.
- For Name, enter the name for the Arc gateway resource.
- For Location, enter the region where the Arc gateway resource should live. An Arc gateway resource is used by any Arc-enabled resource in the same Azure tenant.
- Select Next.
- On the Tags page, specify one or more custom tags to support your standards.
- Select Review & Create.
- Review your details, and then select Create.
- The gateway creation process takes nine to 10 minutes to complete.
Using Azure CLI
Alternatively, run the following Azure CLI command to create the Arc Gateway:
az arcgateway create --name <gateway-name> --resource-group <resource-group> --location <location>
Ensure the Arc Gateway URL and required endpoints are allowlisted in your firewall.
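The script below is an added example, not code from the post or from Microsoft. It wraps the creation steps above in PowerShell: it runs the same `az arcgateway create` command, reads the gateway endpoint back from the new resource, and writes the hostnames the firewall team must allow. It assumes the Azure CLI is installed, signed in to the target subscription, and able to run the `az arcgateway` commands the post uses. The `gatewayEndpoint` property name and the `az arcgateway list` command are assumptions to confirm against your own CLI output; `management.azure.com` and `login.microsoftonline.com` are the Azure Resource Manager and Microsoft Entra ID endpoints named in the prerequisites.

```powershell
# Added example (not from the post): create the Arc gateway with the Azure CLI command
# shown above, then read back the endpoint and emit the firewall allowlist.
param(
    [Parameter(Mandatory)] [string] $GatewayName,
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $Location,
    [string] $AllowlistPath = '.\arc-gateway-allowlist.txt'
)
$ErrorActionPreference = 'Stop'

# Preview limit from the post: at most five Arc gateway resources per subscription.
# ('az arcgateway list' across the subscription is assumed to exist; adjust if it differs.)
$existing = @((az arcgateway list --output json) -join "`n" | ConvertFrom-Json)
if ($LASTEXITCODE -ne 0) { throw 'az arcgateway list failed; is the CLI signed in?' }
if ($existing.Count -ge 5) {
    throw "Subscription already has $($existing.Count) Arc gateway resources (preview limit is 5)."
}

# Create the resource. The CLI waits for the long-running operation, which the post
# says takes about nine to ten minutes.
az arcgateway create --name $GatewayName --resource-group $ResourceGroup --location $Location --output none
if ($LASTEXITCODE -ne 0) { throw 'az arcgateway create failed' }

# Read the gateway endpoint back. 'gatewayEndpoint' is assumed from the
# Microsoft.HybridCompute/gateways resource; check your own 'az arcgateway show' JSON.
$gw = (az arcgateway show --name $GatewayName --resource-group $ResourceGroup --output json) -join "`n" | ConvertFrom-Json
$endpoint = $gw.gatewayEndpoint
if (-not $endpoint) { throw "Gateway created but no endpoint returned; inspect 'az arcgateway show' output." }
if ($endpoint -notmatch '^[a-z]+://') { $endpoint = "https://$endpoint" }   # tolerate a bare hostname
$gatewayHost = ([System.Uri]$endpoint).Host

# Hosts to allow outbound on TCP 443: the gateway URL plus the endpoints the post says
# are still required. Scenario-specific data-plane endpoints (see 'Endpoint Coverage')
# must be added from Microsoft's documentation.
$allowlist = @(
    "$gatewayHost  # Arc gateway",
    'management.azure.com  # Azure Resource Manager',
    'login.microsoftonline.com  # Microsoft Entra ID'
)
$allowlist | Set-Content -Path $AllowlistPath

Write-Host "Arc gateway endpoint : $endpoint"
Write-Host "Firewall allowlist   : $AllowlistPath"
```

Run it as `.\New-ArcGatewayAllowlist.ps1 -GatewayName <gateway-name> -ResourceGroup <resource-group> -Location <location>` (script name is illustrative). The allowlist file is the artefact to hand to whoever manages the enterprise firewall or proxy before the Azure Local nodes are onboarded, since the nodes cannot reach the gateway until its hostname is permitted.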
Enabling Arc Gateway During Deployment
For new Azure Local deployments, enable the Arc Gateway during arc-onboarding of the Azure Local nodes, either using PowerShell or the Configurator App. This ensures that host OS components, Arc Resource Bridge, and AKS control plane traffic leverage the simplified network path.
Review Configuration on Nodes
To check that the Arc Gateway is configured, run the following command on an onboarded node to verify connectivity:
azcmagent show
The output should show:
- Agent Status: Connected
- Using HTTPS Proxy: http://localhost:40343
- Upstream Proxy: Your enterprise proxy (if configured)
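The following PowerShell function is an added example (not part of the post or of the Azure Connected Machine agent) that automates the check above on an onboarded node: it parses the `Key : Value` lines of `azcmagent show`, verifies the two values the post expects, reports the upstream proxy, and returns `$true` only when both checks pass. The sample output at the bottom is constructed for offline use, not a real capture.

```powershell
# Added example (not from the post): verify the Arc gateway configuration on an
# Azure Local node from the output of 'azcmagent show'.
function Test-ArcGatewayConfig {
    [CmdletBinding()]
    param(
        # Lines of 'azcmagent show' output. Omit to run the command on this node.
        [string[]] $ShowOutput
    )
    if (-not $ShowOutput) {
        $ShowOutput = & azcmagent show 2>&1 | ForEach-Object { "$_" }
    }

    # Parse "Key : Value" lines; the key is everything before the first colon, so
    # values that themselves contain colons (URLs, paths) are kept intact.
    $props = @{}
    foreach ($line in $ShowOutput) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $props[$Matches[1]] = $Matches[2]
        }
    }

    # Values the post says a correctly configured node should report.
    $expected = [ordered]@{
        'Agent Status'      = 'Connected'
        'Using HTTPS Proxy' = 'http://localhost:40343'   # local Arc proxy listener
    }

    $ok = $true
    foreach ($key in $expected.Keys) {
        $actual = $props[$key]
        if ($actual -eq $expected[$key]) {
            Write-Host "$key : $actual (OK)"
        } else {
            $ok = $false
            $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
            Write-Warning "$key is '$shown', expected '$($expected[$key])'"
        }
    }

    # Upstream proxy is informational: it is the enterprise proxy if one is configured,
    # otherwise empty (direct outbound for traffic the gateway does not allow).
    $upstream = $props['Upstream Proxy']
    if ([string]::IsNullOrWhiteSpace($upstream)) { $upstream = '<none configured: direct outbound>' }
    Write-Host "Upstream Proxy : $upstream"

    return $ok
}

# Constructed sample of 'azcmagent show' output (not a real capture), for offline use.
$sample = @(
    'Resource Name                : node01',
    'Agent Status                 : Connected',
    'Using HTTPS Proxy            : http://localhost:40343',
    'Upstream Proxy               : http://proxy.contoso.example:3128'
)
Test-ArcGatewayConfig -ShowOutput $sample
```

On a real node call `Test-ArcGatewayConfig` with no arguments; a `$false` return with a warning naming `Using HTTPS Proxy` means the node is not routing through the Arc proxy and the gateway was not enabled during onboarding.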
Conclusion
The Azure Arc Gateway for Azure Local simplifies hybrid cloud management by reducing network configuration requirements and enhancing security for distributed environments. As the Azure Arc Gateway evolves beyond preview, Microsoft is likely to expand endpoint coverage, address current limitations, and integrate additional Azure services. The feature’s ability to reduce network complexity positions it as a cornerstone for hybrid cloud strategies, particularly for Azure Local deployments. Keep an eye on Microsoft’s Azure Arc Blog and Ignite announcements for updates.
Post Disclaimer
The information contained in the posts in this blog site is for general information purposes only. The information in this post "Azure Arc Gateway for Azure Local" is provided by "Lee Harrison's Technical Blog" and whilst we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the post for any purpose. Furthermore, it is always recommended that you test any related changes to your environments on non-production systems and always have a robust backup strategy in place.