Starting in Azure Local version 2510, we’re excited to announce the General Availability of Software Defined Networking (SDN) on Azure Local enabled by Azure Arc. This release introduces cloud-native networking capabilities for access control at the network layer, utilizing Network Security Groups (NSGs) on Azure Local.
Key highlights in this release are:
1- Centralized network management: Manage Logical networks, network interfaces, and NSGs through the Azure control plane – whether your preference is the Azure Portal, Azure Command-Line Interface (CLI), or Azure Resource Manager templates.
2- Fine-grained traffic control: Safeguard your edge workloads with policy-driven access controls by applying inbound and outbound allow/deny rules on NSGs, just as you would in Azure.
3- Seamless hybrid consistency: Reduce operational friction and accelerate your IT staff’s ramp-up on advanced networking skills by using the same familiar tools and constructs across both Azure public cloud and Azure Local.
Software Defined Networking (SDN) forms the backbone of delivering Azure-style networking on-premises. Whether you’re securing enterprise applications or extending cloud-scale agility to your on-premises infrastructure, Azure Local, combined with SDN enabled by Azure Arc, offers a unified and scalable solution. Try this feature today and let us know how it transforms your networking operations!
Feature Capabilities
Here’s what you can do today with SDN enabled by Azure Arc:
✅ Run SDN control plane (Network Controller) as a Failover Cluster service on the Azure Local physical hosts — no VMs required!
✅ Deploy logical networks — use VLAN-backed networks in your datacenter that integrate with SDN enabled by Azure Arc.
✅ Attach VM Network Interfaces — assign static or DHCP IPs to VMs from logical networks.
✅ Apply NSGs - create, attach, and manage NSGs directly from Azure on your logical networks (VLANs in your datacenter) and/or on the VM network interface. This enables a generic rule set for VLANs, with a crisper rule set for individual Azure Local VM network interface using a complete 5-tuple control: source and destination IP, port, and protocol.
✅ Use Default Network Policies — apply baseline security policies during VM creation for your primary NIC. Select well-known inbound ports such as HTTP (while we block everything else for you), while still allowing outbound traffic. Or select an existing NSG you already have!
An example of setting a default network policy on the network interface to allow HTTP traffic on port 80 of a virtual machine✅ Azure Arc Resource Bridge (ARB) Disaster Recovery capable - In case ARB on the cluster needs to be recovered, NSGs and its rules can be recovered along with VMs and its associated resources.
SDN enabled by Azure Arc vs. SDN managed by on-premises tools
Choosing Your Path: Some SDN features like virtual networks (vNETs), Load Balancers (SLBs), and Gateways are not yet supported in SDN enabled by Azure Arc. But good news: you’ve still got options.
If your workloads need those features today, you can leverage SDN managed by on-premises tools:
The SDN managed by on-premises tools continues to provide full-stack SDN capabilities, including SLBs, Gateways, and VNET peering, while we actively work on bringing this additional value to complete SDN enabled by Azure Arc feature set.
You must choose one of the modes of SDN management and cannot run in a hybrid management mode, mixing the two. Please read this important consideration section before getting started!
Thank You to Our Community
This milestone was only possible because of your input, your use cases, and your edge innovation. We're beyond excited to see what you build next with SDN enabled by Azure Arc.
To try it out, head to the Azure Local documentation
Let’s keep pushing the edge forward. Together!
Microsoft