Forum Discussion
Aaida_Aboobakkar
Microsoft
Feb 07, 2025
LAB: Azure Arc with Private Endpoint
What is Azure Arc?
Azure Arc is a set of technologies that extends Azure management and enables Azure services to run across on-premises, multi-cloud, and edge environments. It allows you to manage resources such as servers, Kubernetes clusters, databases, and applications running outside Azure using familiar Azure tools and services like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
With Azure Arc, you can bring these resources into Azure's control plane, standardize operations, and apply consistent security and governance across your entire IT landscape.
This simplifies hybrid and multi-cloud management while leveraging Azure's features, making it easier to innovate and keep control over your infrastructure.
What is Azure Private Endpoint?
Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. By using a private IP address from your virtual network, the private endpoint brings the service into your virtual network, so traffic between your virtual network and the service stays on the private network. This removes the service's exposure to the public internet for that path. Private endpoints can be used with many Azure services, such as Azure Storage, Azure SQL Database, and Azure Cosmos DB. They provide secure connectivity between clients on your virtual network and the service, using the same connection strings and authorization mechanisms as the public endpoints.
What are the benefits of configuring private link for your arc machines?
Enabling Azure Arc for your machines involves several network and system requirements. Organizations are sometimes reluctant to allow certain public endpoints through their firewall and proxy. In this context, private endpoints can be used to keep some connections to Azure within the Microsoft backbone network. This does not eliminate the need for internet connectivity entirely: you still need to allow public access to Microsoft Entra ID and Azure Resource Manager endpoints. It does, however, significantly reduce the IP/FQDN allow-listing needed for internet access.
When you create a private endpoint in a virtual network for Azure Arc, a private endpoint resource is created with Azure Hybrid Compute as its target. Several private DNS zones are also created and linked to the private endpoint. The private endpoint is assigned IPs from the address range of the specified virtual network. See the screenshot below. These IPs are now directly linked to the Azure Arc services, enabling private connectivity through Azure.
LAB Architectural Diagram
LAB Pre-requisites
- An on-premises machine (its internet traffic can be routed through a firewall or proxy)
- On-premises DNS
- An Azure subscription
- A VPN/ExpressRoute connection between the on-premises and Azure infrastructure
- Familiarity with the limitations and features of Azure Arc private link
The components that will be created as part of LAB
- A private endpoint with Hybrid Compute as its target
- Private DNS zones for the Azure Arc services
- A DNS Private Resolver in Azure. Azure DNS does not accept DNS queries coming from non-Azure sources, so you need a private resolver; creating its inbound endpoint gives you a private IP that the on-premises DNS can reach over the VPN/ExpressRoute connection.
- A DNS forwarder in the on-premises DNS, pointing to the private IP of the resolver's inbound endpoint
- A PowerShell script to onboard the machine
- An Azure Arc machine resource, created once the on-premises machine connects to Azure Arc
Traffic flow
There are three kinds of traffic flow involved here.
- DNS flow: To resolve the domain names of private endpoints
- Private endpoint flow: Actual traffic to Azure arc services
- Internet flow: Traffic to Microsoft Entra ID and Azure Resource manager control plane
Private endpoint and private DNS Flow
- Suppose the Azure Arc agent initiates traffic to one of the Azure Arc service FQDNs, such as gbl.his.arc.azure.com.
- The on-premises machine needs to resolve the FQDN to an IP address, so it sends a DNS request to the on-premises DNS server.
- The DNS forwarder is configured to send *.gbl.his.arc.azure.com DNS queries to the DNS Private Resolver in Azure.
- The private resolver receives the query and resolves it, because the private DNS zones for these domains are linked to the virtual network where the resolver resides.
- Once the on-premises DNS server receives the answer from the Azure resolver, it returns it to the on-premises machine.
- Now that the on-premises machine has the (private) IP, it sends the actual traffic to the private endpoint's IP over the VPN/ExpressRoute connection.
- The private endpoint receives the traffic and, since this interface is directly linked to the Azure Arc services (the intended destination), the connection is established.
Steps:
- Generate the onboarding script.
- The private endpoint can be created while generating the script itself.
- Go to Azure Arc --> Machines --> Create.
- Select the option best suited for you. I am selecting Add multiple servers.
- Provide the resource group, region and OS details.
- Create the private endpoint using the option provided.
- Provide the virtual network and subnet for the private endpoint.
- Provide or create a new service principal. Note the service principal's secret.
- Go to the Download and run script section. You can copy the script and run it directly, or download it and run it. Do not forget to update the service principal secret in the script.
- You can verify the resources created as part of the private endpoint:
- Three private DNS zones are created.
- A private endpoint resource is created with Hybrid Compute as the target resource.
- Create a DNS Private Resolver and an inbound endpoint in it.
- Provide the necessary details.
- Add the inbound endpoint and click Create.
- Note the private IP of the inbound endpoint; it is needed for the DNS forwarder on-premises.
- Configure the DNS forwarder in the on-premises DNS.
- Add all three private DNS zone domains.
- Bypass the private DNS zone domains in the proxy (this step is required only if you have an internet proxy in your infrastructure).
- Now you are all set to run the generated onboarding script.
- The onboarded machine now appears in the Azure Arc portal.
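The DNS forwarder and verification steps above, as an added PowerShell example that is not part of the original post or of any Microsoft script. It is meant to be run in an elevated session on the on-premises Windows DNS server (DnsServer module). The resolver inbound IP, the VNet address range and the three private DNS zone names are assumptions: the first two are placeholders for the values noted in the lab, and the zone names are the ones documented for Azure Arc-enabled servers, which you should confirm against the zones actually created in your resource group. The check at the end resolves the Arc FQDN the post uses as its example through the on-premises DNS and reports whether the answer is a private IP inside the VNet (the private endpoint path) or a public IP (forwarders, zone links or proxy bypass not working).

```powershell
# Added example (not from the original post): create conditional forwarders for the Azure Arc
# private DNS zones on an on-premises Windows DNS server, then verify that the Arc FQDNs
# resolve to private endpoint IPs inside the Azure VNet range.
# Assumptions (replace with your own values):
$ResolverInboundIp = '10.10.1.4'      # assumed: private IP of the DNS Private Resolver inbound endpoint
$VnetCidr          = '10.10.0.0/16'   # assumed: address range of the VNet holding the private endpoint

# Assumed zone names: the private DNS zones the Arc private endpoint deployment creates.
# Confirm them against the zones in your resource group before forwarding.
$ArcPrivateZones = @(
    'privatelink.his.arc.azure.com'
    'privatelink.guestconfiguration.azure.com'
    'privatelink.dp.kubernetesconfiguration.azure.com'
)

# 1. Conditional forwarders: queries for these zones go to Azure instead of to public DNS.
#    Without -ReplicationScope this creates a file-based forwarder, which also works on a
#    DNS server that is not a domain controller.
foreach ($zone in $ArcPrivateZones) {
    if (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue) {
        Write-Host "Forwarder for $zone already exists, skipping"
        continue
    }
    Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $ResolverInboundIp
    Write-Host "Forwarder for $zone -> $ResolverInboundIp created"
}

# 2. Helper: is an IPv4 address inside a CIDR range? Bytes are reversed to host order
#    before the bitwise compare.
function Test-IPv4InCidr {
    param([string]$IPAddress, [string]$Cidr)
    $parts   = $Cidr.Split('/')
    $network = $parts[0]
    $prefix  = [int]$parts[1]
    $toUInt32 = {
        param($ip)
        [BitConverter]::ToUInt32(([System.Net.IPAddress]$ip).GetAddressBytes()[3..0], 0)
    }
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
    return ((& $toUInt32 $IPAddress) -band $mask) -eq ((& $toUInt32 $network) -band $mask)
}

# 3. Resolve the Arc FQDN the agent uses through the on-premises DNS server (the default
#    resolver of this machine). A private IP means the private endpoint path is in use;
#    a public IP means the forwarders, the zone links to the VNet, or the proxy bypass
#    (if the agent sits behind an internet proxy) are not working.
function Test-ArcPrivateResolution {
    param(
        [string[]]$Fqdns = @('gbl.his.arc.azure.com'),
        [string]$Cidr    = $VnetCidr
    )
    foreach ($fqdn in $Fqdns) {
        # -Type A follows the CNAME chain; keep only the final A records
        $aRecords = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' }
        if (-not $aRecords) {
            [pscustomobject]@{ Fqdn = $fqdn; IP = $null; PrivatePath = $false; Note = 'no A record returned' }
            continue
        }
        foreach ($rec in $aRecords) {
            $isPrivate = Test-IPv4InCidr -IPAddress $rec.IPAddress -Cidr $Cidr
            [pscustomobject]@{
                Fqdn        = $fqdn
                IP          = $rec.IPAddress
                PrivatePath = $isPrivate
                Note        = if ($isPrivate) { 'private endpoint path' }
                              else { 'public IP: check forwarders, zone links and proxy bypass' }
            }
        }
    }
}

Test-ArcPrivateResolution | Format-Table -AutoSize
```

Run the resolution check before and after the onboarding script: the agent only takes the private path when every A record it receives for the Arc FQDNs falls inside the VNet range, so a mix of private and public answers is a sign that one forwarder or zone link is missing.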
2 Replies
- Fals_Tech (Copper Contributor)
Lovely, I like this. Thanks for sharing
- Joshua_Ombasa (Copper Contributor)
Nice one AA