Azure Arc Blog

Announcing the General Availability of the Azure Arc Gateway for Arc-enabled Kubernetes!

jalenmcg (Microsoft)
Mar 03, 2026

We’re excited to announce the General Availability of Arc gateway for Arc‑enabled Kubernetes. Arc gateway dramatically simplifies the network configuration required to use Azure Arc by consolidating outbound connectivity through a small, predictable set of endpoints. For customers operating behind enterprise proxies or firewalls, this means faster onboarding, fewer change requests, and a smoother path to value with Azure Arc.

What’s new: To Arc‑enable a Kubernetes Cluster, customers previously had to allow 18 distinct endpoints. With Arc gateway GA, you can do the same with just 9, a 50% reduction that removes friction for security and networking teams. 

Why This Matters

Organizations with strict outbound controls often spend days, or weeks, coordinating approvals for multiple URLs before they can onboard resources to Azure Arc. By consolidating traffic to a smaller set of destinations, Arc gateway:

  • Accelerates onboarding for Arc‑enabled Kubernetes by cutting down the proxy/firewall approvals needed to get started.
  • Simplifies operations with a consistent, repeatable pattern for routing Arc agent and extension traffic to Azure. 

How Arc gateway works 

Arc gateway introduces two components that work together to streamline connectivity:

  1. Arc gateway (Azure resource): A single, unique endpoint in your Azure tenant that receives incoming traffic from on‑premises Arc workloads and forwards it to the right Azure services. You configure your enterprise environment to allow this endpoint. 
  2. Azure Arc Proxy (on every Arc‑enabled Kubernetes Cluster): A component of the Arc K8s agent that routes agent and extension traffic to Azure via the Arc gateway endpoint. It’s part of the core Arc agent; no separate install is required. 

At a high level, traffic flows: Arc-enabled Kubernetes agent → Arc Proxy → Enterprise Proxy → Arc gateway → Target Azure service.

Scenario Coverage

As part of this GA release, Arc-enabled Kubernetes Onboarding and other common Arc‑enabled Kubernetes scenarios are supported through Arc gateway, including:

For other scenarios, including Microsoft Defender for Containers, Azure Key Vault, Container Insights in Azure Monitor, etc., some customer‑specific data plane destinations (e.g., your Log Analytics workspaces, Storage Accounts, or Key Vault URLs) still need to be allow‑listed per your environment. Please consult the Arc gateway documentation for the current scenario‑by‑scenario coverage and any remaining per‑service URLs. 

Get started

  1. Create an Arc gateway resource using the Azure portal, Azure CLI, or PowerShell. 
  2. Allow the Arc gateway endpoint (and the small set of core endpoints) in your enterprise proxy/firewall.
  3. Onboard or update clusters to use your Arc gateway resource.

For step‑by‑step guidance, see the Arc gateway documentation on Microsoft Learn. 

FAQs

  • Does Arc gateway require new software on my clusters?
    • No additional installation - Arc Proxy is part of the standard Arc-enabled Kubernetes Agent.
  • Will every Arc scenario route through the gateway today?
    • Arc enablement and other scenarios are covered at GA; some customer‑specific data plane endpoints (for example, Log Analytics workspace FQDNs) may still need to be allowed. Check the docs for the latest coverage details.
  • What is the status of Arc gateway for other infrastructure types?

Tell us what you think

We’d love your feedback on Arc gateway GA for Kubernetes - what worked well, what could be improved, and which scenarios you want next. Use the Arc gateway feedback form to share your input with the product team.

Updated Mar 02, 2026
Version 1.0