We’re excited to announce the General Availability of Arc gateway for Arc‑enabled servers. Arc gateway dramatically simplifies the network configuration required to use Azure Arc by consolidating outbound connectivity through a small, predictable set of endpoints. For customers operating behind enterprise proxies or firewalls, this means faster onboarding, fewer change requests, and a smoother path to value with Azure Arc.
What’s new: To Arc‑enable a server, customers previously had to allow 19 distinct endpoints. With Arc gateway GA, you can do the same with just 7, a ~63% reduction that removes friction for security and networking teams.
Why This Matters
Organizations with strict outbound controls often spend days, or weeks, coordinating approvals for multiple URLs before they can onboard resources to Azure Arc. By consolidating traffic to a smaller set of destinations, Arc gateway:
- Accelerates onboarding for Arc‑enabled servers by cutting down the proxy/firewall approvals needed to get started.
- Simplifies operations with a consistent, repeatable pattern for routing Arc agent and extension traffic to Azure.
How Arc gateway works
Arc gateway introduces two components that work together to streamline connectivity:
- Arc gateway (Azure resource): A single, unique endpoint in your Azure tenant that receives incoming traffic from on‑premises Arc workloads and forwards it to the right Azure services. You configure your enterprise environment to allow this endpoint.
- Azure Arc Proxy (on every Arc‑enabled server): A component of the connected machine agent that routes agent and extension traffic to Azure via the Arc gateway endpoint. It’s part of the core Arc agent; no separate install is required.
At a high level, traffic flows: Arc agent → Arc Proxy → Enterprise Proxy → Arc gateway → Target Azure service.
Scenario Coverage
As part of this GA release, common Arc‑enabled Server scenarios are supported through the gateway, including:
- Windows Admin Center
- SSH
- Extended Security Updates (ESU)
- Azure Extension for SQL Server
For other scenarios, some customer‑specific data plane destinations (e.g., your Log Analytics workspace or Key Vault URLs) may still need to be allow‑listed per your environment. Please consult the Arc gateway documentation for the current scenario‑by‑scenario coverage and any remaining per‑service URLs. Over time, the number of scenarios filly covered by Arc gateway will continue to grow.
Get started
- Create an Arc gateway resource using the Azure portal, Azure CLI, or PowerShell.
- Allow the Arc gateway endpoint (and the small set of core endpoints) in your enterprise proxy/firewall.
- Onboard or update servers to use your Arc gateway resource and start managing them with Azure Arc.
For step‑by‑step guidance, see the Arc gateway documentation on Microsoft Learn. You can also watch a quick Arc gateway Jumpstart demo to see the experience end‑to‑end.
FAQs
- Does Arc gateway require new software on my servers?
No additional installation - Arc Proxy is part of the standard connected machine agent for Arc‑enabled servers. - Will every Arc scenario route through the gateway today?
Many high‑value server scenarios are covered at GA; some customer‑specific data plane endpoints (for example, Log Analytics workspace FQDNs) may still need to be allowed. Check the docs for the latest coverage details. - When will Arc gateway for Azure Local be GA?
Today! Please refer to the Arc gateway GA on Azure Local Announcement to learn more. - When will Arc gateway for Arc-enabled Kubernetes be GA?
We don't have an exact ETA to share quite yet for Arc gateway GA for Arc-enabled Kubernetes. The feature is currently still in Public Preview. Please refer to the Public Preview documentation for more information.
Tell us what you think
We’d love your feedback on Arc gateway GA for servers—what worked well, what could be improved, and which scenarios you want next. Use the Arc gateway feedback form to share your input with the product team.
Microsoft