Forum Discussion

Aaida_Aboobakkar
Feb 06, 2025

Azure Arc Gateway with Custom internet Proxy: LAB

What is Azure Arc?

Azure Arc is a set of technologies that extends Azure management and enables Azure services to run across on-premises, multi-cloud, and edge environments. It allows you to manage resources such as servers, Kubernetes clusters, databases, and applications running outside Azure using familiar Azure tools and services like Azure Policy, Azure Monitor, and Defender for Cloud.

With Azure Arc, you can bring these resources into Azure's control plane, standardize operations, and apply consistent security and governance across your entire IT landscape.

This simplifies hybrid and multi-cloud management while leveraging Azure's features, making it easier to innovate and maintain control over your infrastructure.

What is Azure Arc Gateway?

If you use enterprise proxies to manage outbound traffic, the Azure Arc gateway lets you onboard infrastructure to Azure Arc using only seven (7) endpoints. With Azure Arc gateway, you can:

  • Connect to Azure Arc by opening public network access to only seven fully qualified domain names (FQDNs).
  • View and audit all traffic an Azure Connected Machine agent sends to Azure via the Arc gateway.

How the Azure Arc gateway works

Azure Arc gateway consists of two main components:

  • The Arc gateway resource: An Azure resource that serves as a common front-end for Azure traffic. This gateway resource is served on a specific domain. Once the Arc gateway resource is created, the domain is returned to you in the success response.
  • The Arc Proxy: A new component added to Arc agentry. This component runs as a service called "Azure Arc Proxy" and acts as a forward proxy used by the Azure Arc agents and extensions. No configuration is required on your part for the Arc Proxy. This Proxy is part of Arc core agentry and runs within the context of an Arc-enabled resource.

When the gateway is in place, traffic flows via the following hops: Arc agentry → Arc Proxy → Enterprise proxy → Arc gateway → Target service

Important Note: The Arc gateway feature for Azure Arc-enabled servers is currently in Public Preview in all regions where Azure Arc-enabled servers is present.

LAB Architecture

Lab pre-requisites:

  • Set up an on-premises environment with a VM and an enterprise proxy.
  • An Azure subscription where we can onboard the machine.
  • Understand the limitations and system requirements: Limitations

Please note the hostname, as this will be shown in the Azure Arc portal once you onboard the machine into Azure Arc.

Also, you can verify whether the proxy is configured using the command: netsh winhttp show proxy

Note: You don't need to use the proxy connectivity option if your internet traffic is already routed via a proxy at the network level. You can use this option if you need your agent to communicate via a different proxy that is not already configured at the network level.

Steps to deploy Azure Arc Gateway with Proxy

Create an Azure Arc Gateway:

Go to the Azure Arc gateway section, click Create, and create an Arc gateway.

Generate Script to on-board on-premises machine:

Go to Azure Arc → Machines and click Create.

 

Select the option that best suits you. I am using the Add multiple servers option.

Fill in the details, provide your proxy server URL, and select the Arc gateway you created.

Provide a service principal you already have, or create a new one.

Provide tags if you need them.

Go to the download and run script option. You can either download the script or copy it and run it directly on your machine.

Update the service principal secret inside the script; the script is then ready to use.

Run the script in on-premises machine

Open PowerShell on the on-premises machine and run the script. The script will install the Azure Arc agent and connect the system to the Arc control plane. The script will take care of the proxy direction and the Arc gateway setting.

These steps do not have to be done in PowerShell. There are multiple ways to connect a machine to Azure Arc, e.g. the CLI, API calls, etc. Please go through the Azure Arc documentation to learn more: Azure Arc Enabled Servers

The following actions will take place once you run the script.

  • Azure Connected Machine Agent Installation
  • Setting proxy configuration
  • Enabling and starting Azure Arc Proxy service
  • Connection type is set to 'gateway'
  • Connect machine to Azure

Now your machine is onboarded, and you can enjoy all the services in Azure. In a nutshell, you can treat your on-premises machine as an Azure VM and apply all the related services.
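
To confirm the actions listed above actually took effect, the following post-onboarding check can be run in an elevated PowerShell session on the onboarded machine. It is an added example, not part of the original post or the generated onboarding script. The proxy URL is a placeholder, and the exact output format of azcmagent config get and the "status" field of azcmagent show -j are assumptions.

```powershell
# Added example: verify gateway mode, proxy setting, Arc Proxy service and agent status.
# $ExpectedProxy is a placeholder (assumption); replace it with your enterprise proxy URL.
param(
    [string]$ExpectedProxy = 'http://proxy.example.internal:8080'
)

function Get-ArcConfigValue {
    param([Parameter(Mandatory)][string]$Name)
    # 'azcmagent config get <name>' returns the effective value of one agent setting.
    $out = & azcmagent config get $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "azcmagent config get $Name failed: $out" }
    return ($out | Out-String).Trim()
}

if (-not (Get-Command azcmagent -ErrorAction SilentlyContinue)) {
    throw 'azcmagent not found: the Azure Connected Machine agent is not installed.'
}

$results = [ordered]@{}

# 1. The onboarding script should have switched the agent to gateway mode.
#    Matching is tolerant because the precise output layout is an assumption.
$results['connection.type is gateway'] =
    (Get-ArcConfigValue 'connection.type') -match '\bgateway\b'

# 2. The agent-level proxy should point at the enterprise proxy, not a stale value.
$results['proxy.url matches expected'] =
    (Get-ArcConfigValue 'proxy.url').Contains($ExpectedProxy.TrimEnd('/'))

# 3. The forward proxy component runs as the service called "Azure Arc Proxy".
$svc = Get-Service -DisplayName 'Azure Arc Proxy' -ErrorAction SilentlyContinue
$results['Azure Arc Proxy service running'] =
    ($null -ne $svc) -and ($svc.Status -eq 'Running')

# 4. The agent should report a live connection to Azure.
#    Assumption: the JSON output exposes the state in a "status" field.
$agent = (& azcmagent show -j | Out-String) | ConvertFrom-Json
$results['agent status Connected'] = $agent.status -eq 'Connected'

$results.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}

# Non-zero exit code lets a deployment pipeline flag machines that did not
# end up routing through the gateway and proxy as intended.
if (@($results.Values) -contains $false) { exit 1 }
```

A FAIL on the first two checks means the agent may be reaching Azure over a path other than the audited proxy and gateway route, which is worth resolving before relying on the proxy logs for traffic review.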
