Network connectivity for Azure Arc-enabled Kubernetes

Arc-enabled Kubernetes supports fully connected and semi-connected modes for onboarding and managing Kubernetes clusters with Azure Arc's control plane. Azure Arc-enabled Kubernetes agents communicate with Azure Arc endpoints to exchange different types of metadata information using pull and push methods from Kubernetes clusters.

This document explains network architecture, design considerations, and design recommendations that help you enable connectivity to the Azure control plane so you can manage and operate Arc-enabled Kubernetes clusters running in on-premises and other cloud environments.

Architecture

The following diagram displays an Azure Arc-enabled Kubernetes network architecture that supports fully connected and semi-connected network connectivity modes.

The following diagram displays a network architecture that allows cluster access from any network location using Azure Arc-enabled Kubernetes Cluster Connect capability feature.

Design considerations

• Review the network topology and connectivity design area of the Azure landing zones to assess the effect of Azure Arc-enabled Kubernetes on your connectivity model.
• Review the network requirements for Azure Arc-enabled Kubernetes to understand how clusters communicate with Azure from on-premises network or other cloud providers.
• Consider trade-offs between your organization's security and compliance requirements and the benefits Azure Arc-enabled Kubernetes offers your organization. Decide between fully connected mode and semi-connected mode for your implementation.
• Decide whether to use public or private endpoints when connecting to Azure Log Analytics workspaces through ExpressRoute or VPN versus internet connectivity.
• Decide whether to use public or private endpoints when connecting to Azure Key Vaults through ExpressRoute or VPN versus internet connectivity.
• Choose your network connectivity options for Azure Arc-enabled Kubernetes cluster management, since Azure Arc-enabled Kubernetes clusters support cluster management from any network. For design considerations and recommendations when deciding on network independent cluster management, see Identity and Access Management.
• Consider securely managing Azure Arc-enabled Kubernetes cluster through the Cluster Connect capability to access anywhere, which eliminates inbound network port opening and allows only outbound communication to Azure Arc services in Azure.
• When using on-premises or multicloud firewalls or proxy servers for TLS inspection of your outbound traffic and network intrusion detection and prevention system (IDPS), decide whether or not to exempt Azure Arc-enabled Kubernetes endpoints, since some of the server certificates aren't trusted by these firewalls or proxy servers.

Design recommendations

• Using the fully connected mode for onboarded Kubernetes clusters helps you stay current with the latest product releases, security updates, policies, and installed extensions for bringing Azure cloud services to on-premises or multicloud environments.
• Ensure you meet Azure Arc-enabled Kubernetes network requirements based on your chosen connectivity model.
• Enable Azure Private Link to access Azure resources such as Key Vault, storage accounts, Microsoft Container Registry, and Log Analytics from Kubernetes clusters running in on-premises or other cloud environments through Azure Express Route or VPN connections.
  • Configure a DNS forwarder to resolve the Azure service public DNS zone in Azure.
• For Azure Arc-enabled Kubernetes agents traffic going through your firewalls or proxy servers, create a source and some destination object groups and/or tags to simplify outbound internet traffic rules and support other URL allowlists for Azure Arc extensions.
• Use Azure Monitor track Azure Arc-enabled Kubernetes cluster connectivity status and raise alerts that notify administrators when connectivity states change. Consider using Azure Resource Graph queries along with Azure Monitor.
• When using the semi-connected network connectivity mode, connect your cluster to Azure Arc at least once every 30 days to export billing data, and at least once every 90 days to renew managed identity certificates and update Azure Arc-enabled Kubernetes resource and agents.

Next steps

For more information about your hybrid and multicloud cloud journey, see the following articles:

• Review the prerequisites for Azure Arc-enabled Kubernetes.
• Review validated Kubernetes distributions for Azure Arc-enabled Kubernetes.
• Review Manage hybrid and multicloud environments.
• Learn how to Connect an existing Kubernetes cluster to Azure Arc.
• Learn about Azure Arc-enabled Kubernetes connectivity modes.
• Learn about Data exchanged between Azure Arc-enabled Kubernetes clusters and Azure.
• Learn how to Apply configurations at-scale using Azure Policy.
• Review Azure Resource Graph sample queries for Azure Arc-enabled Kubernetes.
• Understand Azure Arc-enabled Open Service Mesh to secure Azure Arc-enabled Kubernetes cluster communication and the services observability critical design area.
• Learn how to Access Azure Arc-enabled Kubernetes clusters from anywhere using Cluster Connect.
• Experience Azure Arc-enabled Kubernetes automated scenarios with Azure Arc Jumpstart.
• Learn more about Azure Arc via the Azure Arc learning path.
• See Frequently Asked Questions - Azure Arc-enabled for answers to most common questions.