To onboard a server to Azure Arc you install the Azure Connected Machine Agent. The agent only makes outbound connections, over TCP port 443, to a small set of URLs and service tags. To check whether that connectivity is blocked by a firewall or proxy, I put together a couple of commands you can run on the machine itself. They show you whether the machine can resolve and reach each of the endpoints the Azure Connected Machine agent needs.

You can find the up-to-date documentation for the Azure Connected Machine agent on Microsoft Docs.

If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs listed below are not blocked. If you only allow the specific IP ranges or domain names the agent needs to reach the service, your servers need access to the following URLs and service tags (each tag is a published list of IP ranges):

URLs:

  • management.azure.com (Azure Resource Manager)
  • login.windows.net (Azure Active Directory)
  • login.microsoftonline.com (Azure Active Directory)
  • dc.services.visualstudio.com (Application Insights)
  • *.guestconfiguration.azure.com (Guest Configuration)
  • *.his.arc.azure.com (Hybrid Identity Service)
  • www.office.com (Office 365)

Service Tags:

  • AzureActiveDirectory
  • AzureTrafficManager
  • AzureResourceManager
  • AzureArcInfrastructure

For a list of IP addresses for each service tag/region, see the JSON file – Azure IP Ranges and Service Tags – Public Cloud.

To check whether network connectivity for the Azure Arc Connected Machine agent is blocked you can use PowerShell. On Windows, the Test-NetConnection cmdlet tells you whether DNS can resolve the name and whether the endpoint accepts a TCP connection on port 443. In PowerShell 7 on Linux or macOS, Test-NetConnection is not available; the Test-Connection cmdlet with its -TcpPort parameter does the same TCP check.

    Test-NetConnection management.azure.com -Port 443

Make sure you check all the URLs listed above. For the wildcard entries (*), replace the * with the prefix of the Azure region your server connects to. In my case this is the Azure West Europe region (weu).

    Test-NetConnection weu.his.arc.azure.com -Port 443
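Rather than typing the command once per endpoint, the script below runs the DNS and TCP 443 check against every URL in the list above in one go. It is an added example and not one of the original post's commands. The region prefix weu (West Europe) is an assumption, as is the use of that same prefix for the guestconfiguration wildcard; the post only confirms the pattern for *.his.arc.azure.com, so verify the guestconfiguration host name against the current documentation or the agent's own logs.

```powershell
# Added example (not from the original post): test DNS resolution and TCP 443
# reachability for every endpoint the Azure Connected Machine agent needs.
# $Region is an assumption (weu = West Europe); use the prefix of your own region.
$Region = 'weu'

# Endpoints from the list in the post. The wildcard entries get the region prefix;
# the guestconfiguration host name is assumed to follow the same pattern as his.arc.azure.com.
$Endpoints = @(
    'management.azure.com',
    'login.windows.net',
    'login.microsoftonline.com',
    'dc.services.visualstudio.com',
    "${Region}.guestconfiguration.azure.com",
    "${Region}.his.arc.azure.com",
    'www.office.com'
)

function Test-ArcEndpoint {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)

    $result = [ordered]@{ Endpoint = $HostName; Port = $Port; Dns = $null; Tcp = $false; Error = $null }

    # DNS first: a blocked or broken resolver shows up here, not as a TCP failure.
    try {
        $result.Dns = ([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }) -join ','
    } catch {
        $result.Error = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Plain TCP connect with a timeout; works in Windows PowerShell and PowerShell 7.
    # A timeout (rather than a refusal) usually means a firewall is silently dropping the SYN.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($async)
            $result.Tcp = $true
        } else {
            $result.Error = "TCP: connect timed out after $TimeoutMs ms (filtered?)"
        }
    } catch {
        $result.Error = "TCP: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

$Endpoints | ForEach-Object { Test-ArcEndpoint -HostName $_ } | Format-Table -AutoSize
```

Two caveats when reading the output. A raw TCP connect, like Test-NetConnection, goes straight to the endpoint and ignores any proxy the agent is configured to use, so on a proxy-only network a failed direct connect does not mean the agent is broken; test through the proxy as well. And a successful TCP handshake only proves the port is open: if an intercepting proxy terminates TLS, the agent can still fail, so check the certificate the machine actually receives from management.azure.com.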

To find all the IP addresses which are needed for the Azure Arc Connected Machine agent, you can download the JSON file which includes the Azure Service Tags. You can either scroll through the file itself, or you can use my PowerShell script to quickly get all the IP ranges needed for Azure Arc.

    # Service tags the Azure Connected Machine agent needs (see the list above)
    $RequiredTags = @("AzureArcInfrastructure", "AzureActiveDirectory", "AzureTrafficManager", "AzureResourceManager")

    # Point this at the ServiceTags_Public_*.json you downloaded
    $ServiceTags = Get-Content -Path .\ServiceTags_Public_20210510.json -Raw | ConvertFrom-Json

    foreach ($value in $ServiceTags.values) {
        # Match on systemService so regional entries (for example AzureResourceManager.WestEurope) are included too
        if ($value.properties.systemService -in $RequiredTags) {
            Write-Output $value.name
            Write-Output $value.properties.addressPrefixes
        }
    }

Microsoft publishes weekly updates containing each Azure Service and the IP ranges it uses. This information in the JSON file is the current point-in-time list of the IP ranges that correspond to each service tag. The IP addresses are subject to change. If IP address ranges are required for your firewall configuration, then the AzureCloud Service Tag should be used to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs, allow them as you would other Internet traffic. For more information, review Service tags overview.
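Because the ranges change and DNS answers change with them, the useful check is not "list the prefixes" but "is the address my server actually resolved covered by a tag I allow?". The script below, an added example and not part of the original post, maps addresses back to the service-tag prefixes in the JSON. The JSON here is a constructed stub with documentation-range prefixes so it runs offline; point it at the real ServiceTags_Public_*.json and feed it live DNS answers for a real check.

```powershell
# Added example (not from the original post): find which service-tag prefix in the
# Azure IP Ranges JSON covers a given address.
# $ServiceTagJson is a CONSTRUCTED stub with made-up prefixes so this runs offline;
# replace it with (Get-Content -Path .\ServiceTags_Public_20210510.json -Raw) for a live check.
$ServiceTagJson = @'
{ "values": [
  { "name": "AzureResourceManager",
    "properties": { "systemService": "AzureResourceManager", "addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"] } },
  { "name": "AzureResourceManager.WestEurope",
    "properties": { "systemService": "AzureResourceManager", "addressPrefixes": ["198.51.100.0/25"] } },
  { "name": "AzureArcInfrastructure",
    "properties": { "systemService": "AzureArcInfrastructure", "addressPrefixes": ["192.0.2.0/26"] } },
  { "name": "Storage",
    "properties": { "systemService": "Storage", "addressPrefixes": ["192.0.2.128/25"] } }
] }
'@

# CONSTRUCTED sample of host name -> address it resolved to. For a live check use
# [System.Net.Dns]::GetHostAddresses($hostName) instead of this table.
$Resolved = @{
    'management.azure.com'  = '203.0.113.17'
    'weu.his.arc.azure.com' = '192.0.2.9'
    'example.invalid'       = '192.0.2.200'
}

$RequiredTags = @('AzureArcInfrastructure', 'AzureActiveDirectory', 'AzureTrafficManager', 'AzureResourceManager')

function Test-IPInPrefix {
    # True when $IPAddress falls inside the CIDR $Prefix (IPv4 or IPv6).
    param([string]$IPAddress, [string]$Prefix)
    $network, $length = $Prefix.Split('/')
    $ip  = [System.Net.IPAddress]::Parse($IPAddress)
    $net = [System.Net.IPAddress]::Parse($network)
    if ($ip.AddressFamily -ne $net.AddressFamily) { return $false }   # v4 vs v6 never match
    $ipBytes  = $ip.GetAddressBytes()
    $netBytes = $net.GetAddressBytes()
    $bitsLeft = [int]$length
    for ($i = 0; $i -lt $ipBytes.Length -and $bitsLeft -gt 0; $i++) {
        # Mask only the prefix bits that fall into this octet
        $mask = if ($bitsLeft -ge 8) { 0xFF } else { (0xFF -shl (8 - $bitsLeft)) -band 0xFF }
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
        $bitsLeft -= 8
    }
    return $true
}

function Get-ServiceTagForAddress {
    # Returns the first required tag entry whose prefix list covers $IPAddress, or $null.
    param([string]$IPAddress, [object]$ServiceTags, [string[]]$Tags)
    foreach ($entry in $ServiceTags.values) {
        # Regional entries share the parent's systemService, so match on that, not on name
        if ($entry.properties.systemService -notin $Tags) { continue }
        foreach ($prefix in $entry.properties.addressPrefixes) {
            if (Test-IPInPrefix -IPAddress $IPAddress -Prefix $prefix) {
                return [pscustomobject]@{ Tag = $entry.name; Prefix = $prefix }
            }
        }
    }
    return $null
}

$ServiceTags = $ServiceTagJson | ConvertFrom-Json
foreach ($hostName in $Resolved.Keys) {
    $ip  = $Resolved[$hostName]
    $hit = Get-ServiceTagForAddress -IPAddress $ip -ServiceTags $ServiceTags -Tags $RequiredTags
    if ($hit) {
        "{0,-25} {1,-16} covered by {2} ({3})" -f $hostName, $ip, $hit.Tag, $hit.Prefix
    } else {
        "{0,-25} {1,-16} NOT covered by the required tags: add the missing tag or use AzureCloud" -f $hostName, $ip
    }
}
```

With the stub data, management.azure.com and weu.his.arc.azure.com are reported as covered and example.invalid is not, because its address only sits inside the Storage tag, which is not in the required list. Run against the real JSON and live DNS answers, an uncovered endpoint is exactly the case the docs warn about: the IP-based rule is out of date or the wrong tag was chosen, and the fix is to update the tag list or fall back to AzureCloud rather than to hard-code addresses.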

I hope this quick blog post helps you to troubleshoot any issue with network connectivity related to the Azure Arc Connected Machine agent and allows you to see if the local firewall blocks any traffic. If you need more troubleshooting information check out the following Microsoft Docs article and if you have any questions, feel free to leave a comment.

About the author

Hassan Latif

A Microsoft Certified Trainer, a hobby blogger and geek
