Azure Arc Blog

Addressing Air Gap Requirements through Secure Azure Arc Onboarding

AkashKumarSingh
Oct 06, 2025

Architectural Patterns, Control and Data Plane Separation, and Options Analysis

Overview

Regulated sectors like finance, healthcare, and government face strict security requirements, including the need for air gap environments that isolate critical systems from external networks. While essential for reducing risk, this isolation complicates cloud adoption and remote management. As organisations modernise with hybrid and multi-cloud strategies, unified ITSecOps becomes crucial. Azure Arc offers a centralised platform for securely managing diverse IT assets.

Adopting a zero-trust approach—assuming breach and requiring ongoing verification—is now the best practice for cloud and hybrid setups. This article outlines air gap challenges, describes secure Azure Arc onboarding, and shares proven architectural patterns for maintaining secure, compliant connectivity, drawing on experience with regulated clients and industry experts.

Examining the Complexities of Air Gap Implementation

An air gap refers to a network security measure that physically or logically separates a network from untrusted networks, such as the public internet or even other internal networks. In practice, this means critical systems—such as domain controllers, sensitive databases, and core infrastructure—are either disconnected from external networks or only permitted highly controlled, monitored connections. Air gaps are prevalent in sectors with strict data sovereignty, regulatory, and security requirements, including banking, defence, and utilities.

While air gaps provide robust protection against external threats, they also hinder the adoption of modern cloud management tools, patching, monitoring, and automation. The challenge lies in enabling secure connectivity for management and monitoring without weakening the protective isolation that air gaps provide.

Consideration of Air-Gapped Security

In the current landscape of rapidly evolving cyber threats, it is essential for organisations to maintain rigorous processes and systems to ensure ongoing protection. For example, solutions such as anti-virus or anti-malware software rely on access to the latest threat signature updates to effectively detect and mitigate risks. This requirement inherently introduces the need for some form of connectivity (for example via an enterprise proxy, software distribution utilities, satellite servers, etc.), even within air-gapped environments. The key architectural principles in such scenarios are:

  • Adopt a "deny by default" approach, whereby connectivity is only granted based on well-documented, justified, monitored, and logged exceptions.
  • All permitted communications should be continuously scrutinised, and any anomalous or unauthorised activity should be promptly blocked.
  • Inbound connections should be strictly restricted or, where absolutely necessary, be limited to tightly controlled interfaces, such as a meet-me room pattern, to minimise exposure.

Many organisations tend to interpret the air gap concept in absolute terms. Nevertheless, as operational requirements may dictate, certain tools and processes could require controlled and carefully managed connectivity. Consequently, emphasis should be placed on establishing robust governance, monitoring, and control frameworks to ensure that any exceptions to isolation are fully justified, secure, and adhere to both organisational policies and regulatory standards.

Clarifying Control Plane and Data Plane Isolation

Azure offers seamless extensibility of Azure control plane capability to on-premises environments, and even to data plane operations running in other clouds. In any Azure hybrid or cloud architecture—especially in air-gapped environments—distinguishing between the control plane and data plane is vital for managing risk and ensuring compliance.

  • Azure Control Plane Operations: The Azure control plane (Azure Resource Manager) oversees essential management and orchestration activities, including configuration, deployment, policy enforcement, and authentication. By maintaining clear separation of control plane traffic, organisations enable robust policy enforcement and ensure that management commands are delivered securely to authorised entities.
  • Data Plane Operations: The data plane pertains to the actual working compute, data, and operational traffic. Isolating the data plane ensures that sensitive or regulated information, and the traffic of data operations, remains securely within trusted boundaries and cannot be exfiltrated or manipulated by external actors.

This demarcation is critical for understanding which data goes to the Azure control plane and which operations stay on the data plane and remain there, so that traffic never traverses the boundary between the two. By architecting for strong separation and explicit control of both planes, organisations can enforce granular security, meet regulatory requirements, and better contain threats.

Azure Arc Connectivity Patterns Overview

Azure Arc enables organisations to extend Azure management and security capabilities to servers, Kubernetes clusters, and applications running anywhere—on-premises, in other clouds, or at the edge. To accommodate diverse security and connectivity requirements, Azure Arc supports multiple networking patterns, each with distinct security and operational implications. The patterns I have accumulated for restricted environments such as air gaps, as detailed in the provided asset, address varying degrees of isolation and control, ranging from direct internet connectivity to intricate multi-firewall and proxy scenarios. I am sharing some of the patterns I have worked on with various organisations to address air gap requirements. Please note that the technology keeps maturing and Azure will continue to add enhancements, so some of the patterns mentioned below may change in future; treat them as accurate as of the time this blog is published.

  • Pattern 1: Firewall (Internet Facing) + Private Link
  • Pattern 2: Firewall (Airgap) + Firewall (Internet Facing) + Private Link
  • Pattern 3: Firewall (Airgap) + Firewall (Internet Facing) + Arc Gateway
  • Pattern 4: Azure Firewall (Explicit Proxy) + Private Link
  • Pattern 5: Azure Firewall (Explicit Proxy) + Arc Gateway

Each pattern is designed to address specific regulatory, operational, and security requirements, and can be tailored to fit the unique needs of an organisation’s environment.

Azure Arc Secured Connectivity Patterns

| Pattern | Control Plane Isolation | Data Plane Isolation | Key Security Features | Operational Complexity | Suitable For |
|---|---|---|---|---|---|
| Firewall (Internet Facing) + Private Link | Outbound management via firewall/proxy to Azure | Private Link over ExpressRoute/VPN for data traffic | Centralized outbound control, private data transfer, firewall inspection | Moderate | Enterprises with hybrid/multi-cloud and moderate air gap needs |
| Firewall (Airgap) + Firewall (Internet Facing) + Private Link | Dual firewall/proxy layers for management traffic | Private Link for isolated data transfer | Layered defence, strong control, detailed auditing | High | Regulated industries with extreme isolation needs |
| Firewall (Airgap) + Firewall (Internet Facing) + Arc Gateway | All traffic via Arc Gateway, traversing both firewalls | No Private Link; Arc Gateway handles all communication | Central egress control, reduced allowed endpoints, simplified rules | High | Environments needing minimized external endpoints and proxy-based inspection |
| Azure Firewall (Explicit Proxy*) + Private Link | Explicit proxy for control plane, traffic inspected and enforced | Private Link for data plane, traverses hybrid network | Fine-grained inspection, easy compliance, private data exchange | Moderate to High | Organizations prioritizing outbound inspection and private-only connection |
| Azure Firewall (Explicit Proxy*) + Arc Gateway | Explicit proxy and Arc Gateway for all management traffic | No Private Link; all data via Arc Gateway | Maximum outbound control, strict endpoint whitelisting, exhaustive monitoring | High | Critical/regulated sites needing stringent outbound control and logging |

* Azure Firewall Explicit Proxy is in preview at the time of writing; other enterprise firewall proxy capabilities could also be explored.

Detailed Architecture Patterns for Secure Azure Arc Connectivity

Pattern 1: Firewall (Internet Facing) + Private Link

In this architecture, the Azure Arc-enabled servers reside behind a corporate firewall that controls outbound internet access. Connectivity to the Azure control plane is established to a public endpoint through the enterprise firewall/proxy, while sensitive data plane traffic uses Azure Private Link for secure, private communication over ExpressRoute or a site-to-site VPN. This pattern balances ease of deployment with strong security controls:

  • Description: Outbound control plane traffic passes through the organisation’s firewall or proxy, while data plane communication is routed privately via Azure Private Link.
  • Benefits: Centralised control of internet-bound traffic, secure private data transfer, and simplified network management.
  • Security Considerations: Ensure firewall rules are tightly scoped, monitor outbound traffic, and leverage Azure Policy for compliance enforcement.

Pattern 2: Firewall (Airgap) + Firewall (Internet Facing) + Private Link

This pattern introduces an additional air gap firewall or proxy between the Azure Arc-enabled servers and the internet-facing firewall. Control plane traffic is routed through two layers of firewalls—first the air gap firewall/proxy, then the standard internet-facing firewall/proxy—before reaching Azure. Data plane traffic continues to use Private Link over private hybrid connectivity.

  • Description: Control plane connections traverse both air gap and internet-facing firewalls/proxies, while sensitive data remains on private links.
  • Benefits: Enhanced security through layered defence, reduced risk of direct internet exposure, alignment with strict regulatory requirements.
  • Security Considerations: Rigorous management of firewall rules and proxy policies; comprehensive logging and monitoring of all traversed segments.

Pattern 3: Firewall (Airgap) + Firewall (Internet Facing) + Arc Gateway

For environments requiring even tighter control, this pattern replaces Private Link with an Arc Gateway, which acts as a centralised, managed proxy for Azure Arc connectivity. All control and data plane traffic is routed through the air gap and internet-facing firewalls to the Arc Gateway, which then securely forwards traffic to Azure.

  • Description: Azure Arc agents communicate exclusively through the Arc Gateway, with all traffic passing through multiple firewalls and fixed, whitelisted URLs.
  • Benefits: Centralised traffic inspection and logging, minimised attack surface, no direct Private Link coexistence required.
  • Security Considerations: Maintain strict control over allowed URLs, continuously update firewall whitelists, and employ threat detection on gateway traffic.

Pattern 4: Azure Firewall (Explicit Proxy) + Private Link

This pattern leverages Azure Firewall as an explicit proxy for control plane traffic, while data plane communications continue to use Private Link over private hybrid connectivity. The Azure Arc agent communicates strictly through the fixed proxy, allowing for granular inspection and policy enforcement. (As of the date this blog was written, the Azure Firewall Explicit Proxy feature is in preview.)

  • Description: Explicit proxying of control plane traffic via Azure Firewall, with all sensitive data routed over Private Link.
  • Benefits: Fine-grained control and visibility, simplified audit and compliance, strong segregation of control and data flows.
  • Security Considerations: Ensure proxy configurations are hardened, monitor for proxy bypass attempts, and enforce least privilege on proxy rules.

Pattern 5: Azure Firewall (Explicit Proxy) + Arc Gateway

The most restrictive pattern combines explicit proxying with the Arc Gateway, ensuring that all Azure Arc traffic—both control and data plane—passes through both the proxy and the gateway. This is particularly suitable for highly regulated or classified environments requiring maximum oversight.

  • Description: All Azure Arc communication is funnelled through an explicit proxy and then the Arc Gateway, with fixed, whitelisted endpoints.
  • Benefits: Maximum control and inspection capabilities, alignment with the most stringent compliance requirements, thorough logging and traceability.
  • Security Considerations: Regularly review and update proxy and gateway configurations, restrict outbound connectivity to only required endpoints, and implement layered monitoring.

Operationalising Azure Arc in Air Gapped Environments

Successfully deploying and managing Azure Arc in air gapped or highly controlled environments requires more than just network design. Organisations should adopt the following best practices:

  • Comprehensive Monitoring: Leverage Azure Monitor, Log Analytics, and integrated dashboards (e.g., Azure Managed Grafana, workbooks) for real-time visibility and alerting across the hybrid estate.
  • Configuration and Inventory Management: Use Azure Policy and Update Manager to enforce compliance, manage changes, and maintain a secure configuration baseline.
  • Governance and Audit: Implement rigorous access controls, maintain detailed audit trails, and conduct regular reviews to ensure ongoing compliance with zero trust principles.
  • Automated Response: Where possible, automate remediation and alerting to minimise response times and reduce manual intervention risks.

These operational measures, combined with robust network architecture, enable secure and efficient Azure Arc onboarding and management even in the most restrictive environments.
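One way to operationalise the "deny by default" principle above, together with the Pattern 4 and 5 considerations to monitor for proxy bypass attempts and restrict outbound connectivity to only required endpoints, is an egress audit over the firewall or proxy logs of an Arc-enabled server. The following is an added Python example, not code from the original post or from Microsoft; the log format, IP addresses and sample lines are constructed, and the allowlist hostnames follow Microsoft's published Arc gateway network requirements at the time of writing but must be verified against current documentation before use.

```python
import re

# Deny-by-default allowlist for an Arc gateway deployment (Pattern 3/5). Constructed for
# this example from Microsoft's published Arc network requirements; take the real list from current docs.
ALLOWED_HOSTS = (
    "*.gw.arc.azure.com",         # Arc gateway endpoint (wildcard = any subdomain)
    "login.microsoftonline.com",  # Entra ID authentication
    "packages.microsoft.com",     # agent package downloads
)
ALLOWED_PORT = 443  # management traffic is HTTPS only
# Constructed log format (assumption): <ts> src=<ip> dst=<host> dport=<port> via=proxy|direct
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) via=(\S+)")


def host_allowed(host: str) -> bool:
    """Allowed only by exact match or by wildcard suffix; everything else is denied."""
    host = host.lower().rstrip(".")
    return any(host == p or (p.startswith("*.") and host.endswith(p[1:]))
               for p in ALLOWED_HOSTS)


def audit_egress(log_text: str) -> list:
    """Return (timestamp, source, destination, reason) for every line that breaks the
    allowlist, the HTTPS-only rule or the mandatory explicit-proxy path."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # a line the parser cannot read is itself a finding, never silently skipped
            findings.append(("?", "?", "?", f"unparseable line: {line!r}"))
            continue
        ts, src, dst, dport, via = m.groups()
        if not host_allowed(dst):
            findings.append((ts, src, dst, "destination not on allowlist"))
        if int(dport) != ALLOWED_PORT:
            findings.append((ts, src, dst, f"unexpected port {dport}"))
        if via != "proxy":
            findings.append((ts, src, dst, "proxy bypass: did not traverse the explicit proxy"))
    return findings


# Constructed sample egress log (not real data): two clean sessions, one unknown
# destination, one direct (proxy-bypassing) connection, one plain-HTTP port.
SAMPLE_LOG = """\
2025-10-06T09:00:01Z src=10.10.1.20 dst=contoso-gw.gw.arc.azure.com dport=443 via=proxy
2025-10-06T09:00:02Z src=10.10.1.20 dst=login.microsoftonline.com dport=443 via=proxy
2025-10-06T09:00:05Z src=10.10.1.20 dst=updates.example.net dport=443 via=proxy
2025-10-06T09:00:07Z src=10.10.1.21 dst=contoso-gw.gw.arc.azure.com dport=443 via=direct
2025-10-06T09:00:09Z src=10.10.1.21 dst=packages.microsoft.com dport=80 via=proxy
"""
```

Running `audit_egress(SAMPLE_LOG)` yields three findings (unknown destination, proxy bypass, non-443 port); feeding the same function from a scheduled job into an alerting pipeline is the automated-response step described above.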

Final Remarks

Air gap requirements remain a significant challenge for organisations seeking to modernise their IT operations while maintaining the highest levels of security and compliance. Azure Arc, when deployed using the detailed architecture patterns outlined above, provides a powerful solution for extending cloud management into these controlled environments. By embracing zero trust security principles and adopting a layered, pattern-based approach to connectivity, cloud architects and IT security professionals can ensure both operational agility and uncompromised security.

When designing your Azure Arc onboarding strategy, carefully assess your regulatory landscape, risk tolerance, and operational needs. Select the connectivity pattern that best aligns with your security objectives and reinforce it with comprehensive monitoring, governance, and automation. In doing so, you can unlock the full potential of Azure Arc hybrid and multi-cloud management—without sacrificing the integrity of your air gapped environments.

Updated Oct 06, 2025
Version 1.0