Use Azure Private Link to securely connect networks to Azure Arc

Azure Private Link allows you to securely link Azure PaaS services to your virtual network using private endpoints. For many services, you just set up an endpoint per resource. This means you can connect your on-premises or multi-cloud servers with Azure Arc and send all traffic over an Azure ExpressRoute or site-to-site VPN connection instead of using public networks.

Starting with Azure Arc-enabled servers, you can use a Private Link Scope model to allow multiple servers or machines to communicate with their Azure Arc resources using a single private endpoint.

This article covers when to use and how to set up an Azure Arc Private Link Scope (preview).

Note

Azure Arc Private Link Scope (preview) is available in all commercial cloud regions, it is not available in the US Government cloud today.

Advantages

With Private Link you can:

  • Connect privately to Azure Arc without opening up any public network access.
  • Ensure data from the Azure Arc-enabled machine or server is only accessed through authorized private networks. This also includes data from VM extensions installed on the machine or server that provide post-deployment management and monitoring support.
  • Prevent data exfiltration from your private networks by defining specific Azure Arc-enabled servers and other Azure services resources, such as Azure Monitor, that connects through your private endpoint.
  • Securely connect your private on-premises network to Azure Arc using ExpressRoute and Private Link.
  • Keep all traffic inside the Microsoft Azure backbone network.

For more information, see Key Benefits of Private Link.

How it works

Azure Arc Private Link Scope (preview) connects private endpoints (and the virtual networks they're contained in) to an Azure resource, in this case Azure Arc-enabled servers. When you enable any one of the Azure Arc-enabled servers supported VM extensions, such as Azure Automation Update Management or Azure Monitor, those resources connect other Azure resources. Such as:

  • Log Analytics workspace, required for Azure Automation Update Management, Azure Automation Change Tracking and Inventory, Azure Monitor VM insights, and Azure Monitor log collection with Log Analytics agent.
  • Azure Automation account, required for Update Management and Change Tracking and Inventory.
  • Azure Key Vault
  • Azure Blob storage, required for Custom Script Extension.

Diagram of basic resource topology

Connectivity to any other Azure resource from an Azure Arc-enabled server requires configuring Private Link for each service, which is optional, but recommended. Azure Private Link requires separate configuration per service.

For more information about configuring Private Link for the Azure services listed earlier, see the Azure Automation, Azure Monitor, Azure Key Vault, or Azure Blob storage articles.

Important

Azure Private Link is now generally available. Both Private Endpoint and Private Link service (service behind standard load balancer) are generally available. Different Azure PaaS onboard to Azure Private Link following different schedules. See Private Link availability for an updated status of Azure PaaS on Private Link. For known limitations, see Private Endpoint and Private Link Service.

  • The Private Endpoint on your VNet allows it to reach Azure Arc-enabled servers endpoints through private IPs from your network's pool, instead of using to the public IPs of these endpoints. That allows you to keep using your Azure Arc-enabled servers resource without opening your VNet to outbound traffic not requested.

  • Traffic from the Private Endpoint to your resources will go over the Microsoft Azure backbone, and not routed to public networks.

  • You can configure each of your components to allow or deny ingestion and queries from public networks. That provides a resource-level protection, so that you can control traffic to specific resources.

Restrictions and limitations

The Azure Arc-enabled servers Private Link Scope object has a number of limits you should consider when planning your Private Link setup.

  • You can associate at most one Azure Arc Private Link Scope with a virtual network.

  • An Azure Arc-enabled machine or server resource can only connect to one Azure Arc-enabled servers Private Link Scope.

  • All on-premises machines need to use the same private endpoint by resolving the correct private endpoint information (FQDN record name and private IP address) using the same DNS forwarder. For more information, see Azure Private Endpoint DNS configuration

  • The Azure Arc-enabled server and Azure Arc Private Link Scope must be in the same Azure region. The Private Endpoint and the virtual network must also be in the same Azure region, but this region can be different from that of your Azure Arc Private Link Scope and Arc-enabled server.

  • Traffic to Azure Active Directory and Azure Resource Manager service tags must be allowed through your on-premises network firewall during the preview.

  • Other Azure services that you will use, for example Azure Monitor, requires their own private endpoints in your virtual network.

  • Azure Arc-enabled servers Private Link Scope is not currently available in Azure US Government regions.

To connect your server to Azure Arc over a private link, you need to configure your network to accomplish the following:

  1. Establish a connection between your on-premises network and an Azure virtual network using a site-to-site VPN or ExpressRoute circuit.

  2. Deploy an Azure Arc Private Link Scope (preview), which controls which machines or servers can communicate with Azure Arc over private endpoints and associate it with your Azure virtual network using a private endpoint.

  3. Update the DNS configuration on your local network to resolve the private endpoint addresses.

  4. Configure your local firewall to allow access to Azure Active Directory and Azure Resource Manager. This is a temporary step and will not be required when private endpoints for these services enter preview.

  5. Associate the machines or servers registered with Azure Arc-enabled servers with the private link scope.

  6. Optionally, deploy private endpoints for other Azure services your machine or server is managed by, such as:

    • Azure Monitor
    • Azure Automation
    • Azure Blob storage
    • Azure Key Vault

This article assumes you have already set up your ExpressRoute circuit or site-to-site VPN connection.

Network configuration

Azure Arc-enabled servers integrates with several Azure services to bring cloud management and governance to your hybrid machines or servers. Most of these services already offer private endpoints, but you need to configure your firewall and routing rules to allow access to Azure Active Directory and Azure Resource Manager over the internet until these services offer private endpoints.

There are two ways you can achieve this:

  • If your network is configured to route all internet-bound traffic through the Azure VPN or ExpressRoute circuit, you can configure the network security group (NSG) associated with your subnet in Azure to allow outbound TCP 443 (HTTPS) access to Azure AD and Azure using service tags. The NSG rules should look like the following:

    Setting Azure AD rule Azure rule
    Source Virtual network Virtual network
    Source port ranges * *
    Destination Service Tag Service Tag
    Destination service tag AzureActiveDirectory AzureResourceManager
    Destination port ranges 443 443
    Protocol Tcp Tcp
    Action Allow Allow
    Priority 150 (must be lower than any rules that block internet access) 151 (must be lower than any rules that block internet access)
    Name AllowAADOutboundAccess AllowAzOutboundAccess
  • Configure the firewall on your local network to allow outbound TCP 443 (HTTPS) access to Azure AD and Azure using the downloadable service tag files. The JSON file contains all the public IP address ranges used by Azure AD and Azure and is updated monthly to reflect any changes. Azure ADs service tag is AzureActiveDirectory and Azure's service tag is AzureResourceManager. Consult with your network administrator and network firewall vendor to learn how to configure your firewall rules.

See the visual diagram under the section How it works for the network traffic flows.

  1. Sign in to the Azure portal.

  2. Go to Create a resource in the Azure portal and search for Azure Arc Private Link Scope. Or you can use the following link to open the Azure Arc Private Link Scope page in the portal.

    Find Private Link Scope

  3. Select Create.

  4. Pick a Subscription and Resource Group. During the preview, your virtual network and Azure Arc-enabled servers must be in the same subscription as the Azure Arc Private Link Scope.

  5. Give the Azure Arc Private Link Scope a name. It's best to use a meaningful and clear name.

    You can optionally require every Azure Arc-enabled machine or server associated with this Azure Arc Private Link Scope (preview) to send data to the service through the private endpoint. If you select Enable public network access, machines or servers associated with this Azure Arc Private Link Scope (preview) can communicate with the service over both private or public networks. You can change this setting after creating the scope if you change your mind.

  6. Select Review + Create.

    Create Private Link Scope

  7. Let the validation pass, and then select Create.

Create a private endpoint

Once your Azure Arc Private Link Scope (preview) is created, you need to connect it with one or more virtual networks using a private endpoint. The private endpoint exposes access to the Azure Arc services on a private IP in your virtual network address space.

  1. In your scope resource, select Private Endpoint connections in the left-hand resource menu. Select Add to start the endpoint create process. You can also approve connections that were started in the Private Link center here by selecting them and selecting Approve.

    Create Private Endpoint

  2. Pick the subscription, resource group, and name of the endpoint, and the region it should live in. The region needs to be the same region as the VNet you connect it to.

  3. Select Next: Resource.

  4. On the Resource page,

    a. Pick the Subscription that contains your Azure Arc Private Link Scope resource.

    b. For Resource type, choose Microsoft.HybridCompute/privateLinkScopes.

    c. From the Resource drop-down, choose your Private Link scope you created earlier.

    d. Select Next: Configuration >.

    Complete creation of Private Endpoint

  5. On the Configuration page,

    a. Choose the virtual network and subnet that you want to connect to your Azure-Arc enabled server.

    b. Choose Yes for Integrate with private DNS zone, and let it automatically create a new Private DNS Zone. The actual DNS zones may be different from what is shown in the screenshot below.

    Note

    If you choose No and prefer to manage DNS records manually, first complete setting up your Private Link - including this Private Endpoint and the Private Scope configuration. Then, configure your DNS according to the instructions in Azure Private Endpoint DNS configuration. Make sure not to create empty records as preparation for your Private Link setup. The DNS records you create can override existing settings and impact your connectivity with Azure Arc-enabled servers.

    c. Select Review + create.

    d. Let validation pass.

    e. Select Create.

Configure on-premises DNS forwarding

Your on-premises machines or servers need to be able to resolve the private link DNS records to the private endpoint IP addresses. How you configure this depends on whether you’re using Azure private DNS zones to maintain DNS records, or if you’re using your own DNS server on-premises and how many servers you’re configuring.

DNS configuration using Azure-integrated private DNS zones

If you set up private DNS zones for Azure Arc-enabled servers and Guest Configuration when creating the private endpoint, your on-premises machines or servers need to be able to forward DNS queries to the built-in Azure DNS servers to resolve the private endpoint addresses correctly. You need a DNS forwarder in Azure (either a purpose-built VM or an Azure Firewall instance with DNS proxy enabled), after which you can configure your on-premises DNS server to forward queries to Azure to resolve private endpoint IP addresses.

The private endpoint documentation provides guidance for configuring on-premises workloads using a DNS forwarder.

Manual DNS server configuration

If you opted out of using Azure private DNS zones during private endpoint creation, you will need to create the required DNS records in your on-premises DNS server.

  1. Go to the Azure portal.

  2. Navigate to the private endpoint resource associated with your virtual network and private link scope.

  3. From the left-hand pane, select DNS configuration to see a list of the DNS records and corresponding IP addresses you’ll need to set up on your DNS server. The FQDNs and IP addresses will change based on the region you selected for your private endpoint and the available IP addresses in your subnet.

    DNS configuration details

  4. Follow the guidance from your DNS server vendor to add the necessary DNS zones and A records to match the table in the portal. Ensure that you select a DNS server that is appropriately scoped for your network. Every machine or server that uses this DNS server now resolves the private endpoint IP addresses and must be associated with the Azure Arc Private Link Scope (preview), or the connection will be refused.

Single server scenarios

If you’re only planning to use Private Links to support a few machines or servers, you may not want to update your entire network’s DNS configuration. In this case, you can add the private endpoint hostnames and IP addresses to your operating systems Hosts file. Depending on the OS configuration, the Hosts file can be the primary or alternative method for resolving hostname to IP address.

Windows

  1. Using an account with administrator privileges, open C:\Windows\System32\drivers\etc\hosts.

  2. Add the private endpoint IPs and hostnames as shown in the table from step 3 under Manual DNS server configuration. The hosts file requires the IP address first followed by a space and then the hostname.

  3. Save the file with your changes. You may need to save to another directory first, then copy the file to the original path.

Linux

  1. Using an account with the sudoers privilege, run sudo nano /etc/hosts to open the hosts file.

  2. Add the private endpoint IPs and hostnames as shown in the table from step 3 under Manual DNS server configuration. The hosts file asks for the IP address first followed by a space and then the hostname.

  3. Save the file with your changes.

Connect to an Azure Arc-enabled servers

Note

The minimum supported version of the Azure Arc-connected machine agent with private endpoint is version 1.4. The Azure Arc-enabled servers deployment script generated in the portal downloads the latest version.

When connecting a machine or server with Azure Arc-enabled servers for the first time, you can optionally connect it to a Private Link Scope. The following steps are

  1. From your browser, go to the Azure portal.

  2. Navigate to Servers -Azure Arc.

  3. On the Servers - Azure Arc page, select Add at the upper left.

  4. On the Add servers with Azure Arc page, select either the Add a single server or Add multiple servers depending on your deployment scenario, and then select Generate script.

  5. On the Generate script page, select the subscription and resource group where you want the machine to be managed within Azure. Select an Azure location where the machine metadata will be stored. This location can be the same or different, as the resource group's location.

  6. On the Prerequisites page, review the information and then select Next: Resource details.

  7. On the Resource details page, provide the following:

    1. In the Resource group drop-down list, select the resource group the machine will be managed from.

    2. In the Region drop-down list, select the Azure region to store the machine or server metadata.

    3. In the Operating system drop-down list, select the operating system that the script is configured to run on.

    4. Under Network Connectivity, select Private endpoint (preview) and select the Azure Arc Private Link Scope created in Part 1 from the drop-down list.

      Selecting Private Endpoint connectivity option

    5. Select Next: Tags.

  8. If you selected Add multiple servers, on the Authentication page, select the service principal created for Azure Arc-enabled servers from the drop down list. If you have not created a service principal for Azure Arc-enabled servers, first review how to create a service principal to familiarize yourself with permissions required and the steps to create one. Select Next: Tags to continue.

  9. On the Tags page, review the default Physical location tags suggested and enter a value, or specify one or more Custom tags to support your standards.

  10. Select Next: Download and run script.

  11. On the Download and run script page, review the summary information, and then select Download. If you still need to make changes, select Previous.

After downloading the script, you have to run it on your machine or server using a privileged (administrator or root) account. Depending on your network configuration, you may need to download the agent from a computer with internet access and transfer it to your machine or server, and then modify the script with the path to the agent.

The Windows agent can be downloaded from https://aka.ms/AzureConnectedMachineAgent and the Linux agent can be downloaded from https://packages.microsoft.com. Look for the latest version of the azcmagent under your OS distribution directory and installed with your local package manager.

The script will return status messages letting you know if onboarding was successful after it completes.

Note

If you’re deploying the Connected Machine agent on a Linux server, there may be a five minute delay during the network connectivity check followed by an error saying that you do not have access to login.windows.net, even if your firewall is configured correctly. This is a known issue and will be fixed in a future agent release. Onboarding should still succeed if your firewall is configured correctly.

Configure an existing Azure Arc-enabled server

For Azure Arc-enabled servers that were set up prior to your private link scope, you can allow them to start using the Azure Arc-enabled servers Private Link Scope by completing the following steps.

  1. In the Azure portal, navigate to your Azure Arc Private Link Scope resource.

  2. From the left-hand pane, select Azure Arc resources and then + Add.

  3. Select the servers in the list that you want to associate with the Private Link Scope, and then select Select to save your changes.

    Note

    Only Azure Arc-enabled servers in the same subscription and region as your Private Link Scope is shown.

    Selecting Azure Arc resources

It may take up to 15 minutes for the Private Link Scope to accept connections from the recently associated server(s).

Troubleshooting

  1. Check your on-premises DNS server(s) to verify it is either forwarding to Azure DNS or is configured with appropriate A records in your private link zone. These lookup commands should return private IP addresses in your Azure virtual network. If they resolve public IP addresses, double check your machine or server and network’s DNS configuration.

    nslookup gbl.his.arc.azure.com
    nslookup agentserviceapi.guestconfiguration.azure.com
    
  2. If you are having trouble onboarding a machine or server, confirm that you’ve added the Azure Active Directory and Azure Resource Manager service tags to your local network firewall. The agent needs to communicate with these services over the internet until private endpoints are available for these services.

Next steps