Support matrix for Azure Arc-enabled VMware vSphere
This article documents the prerequisites and support requirements for using Azure Arc-enabled VMware vSphere to manage your VMware vSphere VMs through Azure Arc.
To use Arc-enabled VMware vSphere, you must deploy an Azure Arc resource bridge in your VMware vSphere environment. The resource bridge provides an ongoing connection between your VMware vCenter Server and Azure. Once you've connected your VMware vCenter Server to Azure, components on the resource bridge discover your vCenter inventory. You can enable them in Azure and start performing virtual hardware and guest OS operations on them using Azure Arc.
VMware vSphere requirements
The following requirements must be met in order to use Azure Arc-enabled VMware vSphere.
Supported vCenter Server versions
Azure Arc-enabled VMware vSphere works with vCenter Server versions 7 and 8.
Note
Azure Arc-enabled VMware vSphere currently supports vCenters with a maximum of 9500 VMs. If your vCenter has more than 9500 VMs, it's not recommended to use Arc-enabled VMware vSphere with it at this point.
Required vSphere account privileges
You need a vSphere account that can:
- Read all inventory.
- Deploy and update VMs to all the resource pools (or clusters), networks, and VM templates that you want to use with Azure Arc.
Important
As part of the Azure Arc-enabled VMware onboarding script, you will be prompted to provide a vSphere account to deploy the Azure Arc resource bridge VM on the ESXi host. This account will be stored locally within the Azure Arc resource bridge VM and encrypted as a Kubernetes secret at rest. The vSphere account allows Azure Arc-enabled VMware to interact with VMware vSphere. If your organization practices routine credential rotation, you must update the credentials in Azure Arc-enabled VMware to maintain the connection between Azure Arc-enabled VMware and VMware vSphere.
Resource bridge resource requirements
For Arc-enabled VMware vSphere, resource bridge has the following minimum virtual hardware requirements:
- 8 GB of memory
- 4 vCPUs
- An external virtual switch that can provide access to the internet directly or through a proxy. If internet access is through a proxy or firewall, ensure these URLs are allow-listed.
Resource bridge networking requirements
Generally, connectivity requirements include these principles:
- All connections are TCP unless otherwise specified.
- All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.
- All connections are outbound unless otherwise specified.
To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article.
The following firewall URL exceptions are needed for the Azure Arc resource bridge VM:
Outbound connectivity requirements
The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.
Firewall/Proxy URL allowlist
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download product catalog, product bits, and OS images from SFS. |
Resource bridge (appliance) image download | 443 | msk8s.sb.tlu.dl.delivery.mp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download the Arc Resource Bridge OS images. |
Microsoft Container Registry | 443 | mcr.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Discover container images for Arc Resource Bridge. |
Microsoft Container Registry | 443 | *.data.mcr.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download container images for Arc Resource Bridge. |
Windows NTP Server | 123 | time.windows.com | Management machine & Appliance VM IPs (if Hyper-V default is Windows NTP) need outbound connection on UDP. | OS time sync in appliance VM & Management machine (Windows NTP). |
Azure Resource Manager | 443 | management.azure.com | Management machine & Appliance VM IPs need outbound connection. | Manage resources in Azure. |
Microsoft Graph | 443 | graph.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Required for Azure RBAC. |
Azure Resource Manager | 443 | login.microsoftonline.com | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Azure Resource Manager | 443 | *.login.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Azure Resource Manager | 443 | login.windows.net | Management machine & Appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Resource bridge (appliance) Dataplane service | 443 | *.dp.prod.appliances.azure.com | Appliance VM IPs need outbound connection. | Communicate with resource provider in Azure. |
Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, ecpacr.azurecr.io | Appliance VM IPs need outbound connection. | Required to pull container images. |
Managed Identity | 443 | *.his.arc.azure.com | Appliance VM IPs need outbound connection. | Required to pull system-assigned Managed Identity certificates. |
Azure Arc for Kubernetes container image download | 443 | azurearcfork8s.azurecr.io | Appliance VM IPs need outbound connection. | Pull container images. |
Azure Arc agent | 443 | k8connecthelm.azureedge.net | Appliance VM IPs need outbound connection. | Deploy Azure Arc agent. |
ADHS telemetry service | 443 | adhs.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data from appliance VM. |
Microsoft events data service | 443 | v20.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Send diagnostic data from Windows. |
Log collection for Arc Resource Bridge | 443 | linuxgeneva-microsoft.azurecr.io | Appliance VM IPs need outbound connection. | Push logs for Appliance managed components. |
Resource bridge components download | 443 | kvamanagementoperator.azurecr.io | Appliance VM IPs need outbound connection. | Pull artifacts for Appliance managed components. |
Microsoft open source packages manager | 443 | packages.microsoft.com | Appliance VM IPs need outbound connection. | Download Linux installation package. |
Custom Location | 443 | sts.windows.net | Appliance VM IPs need outbound connection. | Required for Custom Location. |
Azure Arc | 443 | guestnotificationservice.azure.com | Appliance VM IPs need outbound connection. | Required for Azure Arc. |
Custom Location | 443 | k8sconnectcsp.azureedge.net | Appliance VM IPs need outbound connection. | Required for Custom Location. |
Diagnostic data | 443 | gcs.prod.monitoring.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.microsoftmetrics.com | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.hot.ingest.monitor.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.warm.ingest.monitor.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Azure portal | 443 | *.arc.azure.net | Appliance VM IPs need outbound connection. | Manage cluster from Azure portal. |
Azure CLI & Extension | 443 | *.blob.core.windows.net | Management machine needs outbound connection. | Download Azure CLI Installer and extension. |
Azure Arc Agent | 443 | *.dp.kubernetesconfiguration.azure.com | Management machine needs outbound connection. | Dataplane used for Arc agent. |
Python package | 443 | pypi.org, *.pypi.org | Management machine needs outbound connection. | Validate Kubernetes and Python versions. |
Azure CLI | 443 | pythonhosted.org, *.pythonhosted.org | Management machine needs outbound connection. | Python packages for Azure CLI installation. |
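A management machine can pre-validate this allowlist before onboarding, and at the same time confirm that the proxy path honours the principle above that every HTTPS connection presents an officially signed, verifiable certificate. The script below is an added example, not code from the Microsoft article or the Arc resource bridge: it parses a constructed excerpt of the table above into endpoint records, selects the rules a given machine role needs, and performs a TCP connect plus a certificate-verifying TLS handshake against each concrete host. Hostnames, ports and the Direction text come from the table; the wildcard rule (entries starting with `*.` are reported, not probed), the `management`/`appliance` role split and the probe logic are this example's own assumptions.

```python
"""Parse the resource bridge allowlist table and probe each endpoint.

Added example; it is not code from the Microsoft article or the Arc
resource bridge. ALLOWLIST_MD is a constructed subset of the article's
Firewall/Proxy URL allowlist; the parser, the wildcard rule and the
TCP/TLS probe are this example's own assumptions.
"""
from __future__ import annotations

import socket
import ssl
from dataclasses import dataclass

# Constructed excerpt of the article's allowlist table (same column layout).
ALLOWLIST_MD = """\
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download product catalog, product bits, and OS images from SFS. |
Windows NTP Server | 123 | time.windows.com | Management machine & Appliance VM IPs (if Hyper-V default is Windows NTP) need outbound connection on UDP. | OS time sync in appliance VM & Management machine (Windows NTP). |
Microsoft Container Registry | 443 | *.data.mcr.microsoft.com | Management machine & Appliance VM IPs need outbound connection. | Download container images for Arc Resource Bridge. |
Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, ecpacr.azurecr.io | Appliance VM IPs need outbound connection. | Required to pull container images. |
Python package | 443 | pypi.org, *.pypi.org | Management machine needs outbound connection. | Validate Kubernetes and Python versions. |
"""


@dataclass(frozen=True)
class Endpoint:
    service: str
    host: str
    port: int
    proto: str          # "tcp" unless the Direction column says UDP (article: TCP by default)
    management: bool    # the management machine needs this rule
    appliance: bool     # the appliance VM IPs need this rule

    @property
    def wildcard(self) -> bool:
        return self.host.startswith("*.")


def parse_allowlist(table_md: str) -> list[Endpoint]:
    """Turn the markdown table into one Endpoint per (host, port) pair."""
    endpoints: list[Endpoint] = []
    for line in table_md.splitlines()[2:]:               # skip header and separator rows
        cells = [c.strip() for c in line.rstrip().rstrip("|").split("|")]
        if len(cells) < 5:
            continue
        service, port, urls, direction, _notes = cells[:5]
        proto = "udp" if "UDP" in direction else "tcp"
        for host in (h.strip() for h in urls.split(",")):  # a cell may list several hosts
            if host:
                endpoints.append(Endpoint(service, host, int(port), proto,
                                          "Management machine" in direction,
                                          "Appliance VM" in direction))
    return endpoints


def rules_for(endpoints: list[Endpoint], machine: str) -> list[Endpoint]:
    """Select the rules one machine role ('management' or 'appliance') must have."""
    if machine not in ("management", "appliance"):
        raise ValueError(f"unknown machine role: {machine}")
    return [e for e in endpoints if getattr(e, machine)]


def probe(ep: Endpoint, timeout: float = 5.0) -> tuple[bool, str]:
    """TCP connect and, on 443, a verifying TLS handshake to a concrete host.

    A verification failure usually means a TLS-inspecting proxy is re-signing
    the certificate, which breaks the 'officially signed and verifiable
    certificates' requirement. Wildcard and UDP entries are reported, not probed.
    """
    if ep.wildcard:
        return False, "skipped: wildcard entry, probe a concrete host under it"
    if ep.proto == "udp":
        return False, "skipped: UDP reachability cannot be proven with connect()"
    try:
        with socket.create_connection((ep.host, ep.port), timeout=timeout) as sock:
            if ep.port != 443:
                return True, "tcp ok"
            ctx = ssl.create_default_context()           # system trust store + hostname check
            with ctx.wrap_socket(sock, server_hostname=ep.host) as tls:
                issuer = dict(pair for rdn in tls.getpeercert()["issuer"] for pair in rdn)
                return True, f"tls ok, issuer={issuer.get('organizationName', '?')}"
    except ssl.SSLCertVerificationError as exc:          # must precede OSError (its superclass)
        return False, f"certificate not verifiable (intercepting proxy?): {exc.reason}"
    except OSError as exc:
        return False, f"unreachable: {exc}"


if __name__ == "__main__":
    # Run the checks the management machine needs; a full run would parse the whole table.
    for ep in rules_for(parse_allowlist(ALLOWLIST_MD), "management"):
        ok, detail = probe(ep)
        print(f"{'PASS' if ok else 'WARN'} {ep.host}:{ep.port}/{ep.proto} [{ep.service}] {detail}")
```

Run it from the management machine with the proxy configured exactly as it will be during onboarding; a `certificate not verifiable` result on any 443 endpoint means the path is being intercepted and needs a proxy bypass for that host before deployment will succeed.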
Inbound connectivity requirements
Communication between the following ports must be allowed from the management machine, Appliance VM IPs, and Control Plane IPs. Ensure these ports are open and that traffic is not being routed through a proxy to facilitate the deployment and maintenance of Arc resource bridge.
Service | Port | IP/machine | Direction | Notes |
---|---|---|---|---|
SSH | 22 | appliance VM IPs and Management machine | Bidirectional | Used for deploying and maintaining the appliance VM. |
Kubernetes API server | 6443 | appliance VM IPs and Management machine | Bidirectional | Management of the appliance VM. |
SSH | 22 | control plane IP and Management machine | Bidirectional | Used for deploying and maintaining the appliance VM. |
Kubernetes API server | 6443 | control plane IP and Management machine | Bidirectional | Management of the appliance VM. |
HTTPS | 443 | private cloud control plane address and Management machine | Management machine needs outbound connection. | Communication with control plane (ex: VMware vCenter address). |
In addition, VMware vSphere requires the following:
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
vCenter Server | 443 | URL of the vCenter server | Appliance VM IP and control plane endpoint need outbound connection. | Used by the vCenter server to communicate with the Appliance VM and the control plane. |
VMware Cluster Extension | 443 | azureprivatecloud.azurecr.io | Appliance VM IPs need outbound connection. | Pull container images for Microsoft.VMWare and Microsoft.AVS Cluster Extension. |
Azure CLI and Azure CLI Extensions | 443 | *.blob.core.windows.net | Management machine needs outbound connection. | Download Azure CLI Installer and Azure CLI extensions. |
Azure Resource Manager | 443 | management.azure.com | Management machine needs outbound connection. | Required to create/update resources in Azure using ARM. |
Helm Chart for Azure Arc Agents | 443 | *.dp.kubernetesconfiguration.azure.com | Management machine needs outbound connection. | Data plane endpoint for downloading the configuration information of Arc agents. |
Azure CLI | 443 | login.microsoftonline.com, aka.ms | Management machine needs outbound connection. | Required to fetch and update Azure Resource Manager tokens. |
For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see Azure Arc network requirements (Consolidated).
Azure role/permission requirements
The minimum Azure roles required for operations related to Arc-enabled VMware vSphere are as follows:
Operation | Minimum role required | Scope |
---|---|---|
Onboarding your vCenter Server to Arc | Azure Arc VMware Private Clouds Onboarding | On the subscription or resource group into which you want to onboard |
Administering Arc-enabled VMware vSphere | Azure Arc VMware Administrator | On the subscription or resource group where vCenter server resource is created |
VM Provisioning | Azure Arc VMware Private Cloud User | On the subscription or resource group that contains the resource pool/cluster/host, datastore and virtual network resources, or on the resources themselves |
VM Provisioning | Azure Arc VMware VM Contributor | On the subscription or resource group where you want to provision VMs |
VM Operations | Azure Arc VMware VM Contributor | On the subscription or resource group that contains the VM, or on the VM itself |
Any roles with higher permissions on the same scope, such as Owner or Contributor, will also allow you to perform the operations listed above.
Guest management (Arc agent) requirements
With Arc-enabled VMware vSphere, you can install the Arc connected machine agent on your VMs at scale and use Azure management services on the VMs. There are additional requirements for this capability.
To enable guest management (install the Arc connected machine agent), ensure the following:
- VM is powered on.
- VM has VMware tools installed and running.
- Resource bridge has access to the host on which the VM is running.
- VM is running a supported operating system.
- VM has internet connectivity directly or through proxy. If the connection is through a proxy, ensure these URLs are allow-listed.
Additionally, be sure that the requirements below are met in order to enable guest management.
Supported operating systems
Make sure you're using a version of the Windows or Linux operating systems that are officially supported for the Azure Connected Machine agent. Only x86-64 (64-bit) architectures are supported. x86 (32-bit) and ARM-based architectures, including x86-64 emulation on arm64, aren't supported operating environments.
Software requirements
Windows operating systems:
- .NET Framework 4.6 or later is required. Download the .NET Framework.
- Windows PowerShell 5.1 is required. Download Windows Management Framework 5.1.
Linux operating systems:
- systemd
- wget (to download the installation script)
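Before enabling guest management at scale it is worth running a preflight on each Linux VM that mirrors the requirements above: x86-64 only, systemd present, wget available, and VMware Tools running. The script below is an added example and not part of the Microsoft article or the Connected Machine agent; the individual checks are small functions so they can be tested against supplied values. It assumes that open-vm-tools exposes a `vmtoolsd` binary and process (the usual packaging), and that a systemd host has `/run/systemd/system`; the `--run` switch and message text are this example's own.

```shell
#!/bin/sh
# Added example (not from the Microsoft article): preflight for a Linux VM before
# guest management is enabled. Each check is its own function so it can be run
# against supplied input; preflight() applies them to the live machine.

# 0 if the machine architecture (as printed by `uname -m`) is x86-64; the article
# excludes 32-bit x86 and every ARM variant, including x86-64 emulation on arm64.
is_supported_arch() {
    case "$1" in
        x86_64|amd64) return 0 ;;
        *)            return 1 ;;
    esac
}

# 0 if systemd is the init system. An optional root prefix lets the check be
# pointed at a test directory instead of the live filesystem (assumption: systemd
# creates /run/systemd/system at boot).
has_systemd() {
    root="${1:-}"
    [ -d "$root/run/systemd/system" ]
}

# 0 if wget (used to download the installation script) is on PATH.
has_wget() {
    command -v wget >/dev/null 2>&1
}

# 0 if VMware Tools is installed and running (assumption: open-vm-tools ships
# and runs the vmtoolsd daemon).
has_vmware_tools() {
    command -v vmtoolsd >/dev/null 2>&1 && pgrep -x vmtoolsd >/dev/null 2>&1
}

# Print one line per requirement and return the number of failed checks,
# so 0 means the VM is ready for the agent.
preflight() {
    failed=0
    arch=$(uname -m)
    if is_supported_arch "$arch"; then
        echo "ok    architecture: $arch"
    else
        echo "FAIL  architecture: $arch (only x86-64 is supported)"
        failed=$((failed + 1))
    fi
    if has_systemd; then
        echo "ok    systemd is the init system"
    else
        echo "FAIL  systemd not found"
        failed=$((failed + 1))
    fi
    if has_wget; then
        echo "ok    wget is available"
    else
        echo "FAIL  wget missing (needed to download the installation script)"
        failed=$((failed + 1))
    fi
    if has_vmware_tools; then
        echo "ok    VMware Tools (vmtoolsd) is running"
    else
        echo "FAIL  VMware Tools (vmtoolsd) not installed or not running"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Only touch the live machine when explicitly asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
    exit $?
fi
```

Run it as `sh preflight.sh --run` on the guest; a non-zero exit code is the count of unmet requirements, which makes it easy to fan out over a fleet and collect the VMs that still need attention before the agent is pushed.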
Networking requirements
The following firewall URL exceptions are needed for the Azure Arc agents:
URL | Description |
---|---|
aka.ms | Used to resolve the download script during installation |
packages.microsoft.com | Used to download the Linux installation package |
download.microsoft.com | Used to download the Windows installation package |
login.windows.net | Microsoft Entra ID |
login.microsoftonline.com | Microsoft Entra ID |
pas.windows.net | Microsoft Entra ID |
management.azure.com | Azure Resource Manager - to create or delete the Arc server resource |
*.his.arc.azure.com | Metadata and hybrid identity services |
*.guestconfiguration.azure.com | Extension management and guest configuration services |
guestnotificationservice.azure.com, *.guestnotificationservice.azure.com | Notification service for extension and connectivity scenarios |
azgn*.servicebus.windows.net | Notification service for extension and connectivity scenarios |
*.servicebus.windows.net | For Windows Admin Center and SSH scenarios |
*.blob.core.windows.net | Download source for Azure Arc-enabled servers extensions |
dc.services.visualstudio.com | Agent telemetry |