What is Azure Arc Gateway and When to Use It?

Simplify firewall and proxy configuration for Azure Arc customers who require more security and control over their outbound communications.


Azure Arc Gateway is a hidden champion in your Azure Hybrid box of tricks.

How to deploy Azure Arc Gateway

There are several ways to deploy Azure Arc Gateway, including the Azure command-line interface (CLI) and PowerShell, but the simplest is the Azure Portal.

To complete the deployment, your account requires the following permissions on the target subscription or resource group (resource provider names are case-insensitive in Azure Resource Manager):

  1. Microsoft.HybridCompute/settings/write
  2. Microsoft.HybridCompute/gateways/read
  3. Microsoft.HybridCompute/gateways/write

Let’s get started.

  • In the Azure Portal, search for Azure Arc as shown below.
Azure Arc Gateway configuration (Image Credit: Flo Fox/Petri.com)
  • In the Azure Arc Overview, expand the Management menu and select Azure Arc Gateway.
Azure Arc Gateway preview configuration (Image Credit: Flo Fox/Petri.com)
  • On the next blade, select + Create.
  • Add your details, such as the name of the gateway, the subscription, and the region.
  • Then click Deploy.
Add your details, like the name of the gateway, subscription, and region (Image Credit: Flo Fox/Petri.com)

The deployment takes about five minutes. When it completes, the gateway's overview page shows everything needed to configure the Azure Arc agent to use the gateway: the gateway's resource ID and its dedicated gw.arc.azure.com endpoint.

The required information to configure the Azure Arc Agent to use Azure Arc Gateway (Image Credit: Flo Fox/Petri.com)
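The same deployment done from PowerShell instead of the portal, followed by the agent-side configuration that consumes the gateway resource ID the portal shows above. This is an added example, not code from the original article or from Microsoft: the resource group, gateway name, region, proxy address, tenant and subscription IDs are placeholders, and the property names read from the returned gateway object (Id, GatewayEndpoint) are assumed from the ARM resource schema. Module, cmdlet and azcmagent option names are as published for the preview and should be confirmed with Get-Command and azcmagent --help before use.

```powershell
# Added example (not from the original article): portal steps above, done from
# PowerShell, plus the agent configuration. All names, IDs and the proxy address
# are placeholders; property names on $gw are assumed from the ARM schema.

$rg     = "rg-arc-hybrid"      # assumed resource group
$gwName = "arcgw-weu-01"       # assumed gateway name
$region = "westeurope"         # assumed region
$subId  = "<subscription-id>"  # placeholder
$tenant = "<tenant-id>"        # placeholder

# 1. Create the gateway resource. Needs Microsoft.HybridCompute/gateways/write
#    on the target resource group (the permissions listed earlier in the article).
Install-Module -Name Az.ArcGateway -Scope CurrentUser -Force   # once per admin workstation
Connect-AzAccount -Subscription $subId
$gw = New-AzArcGateway -Name $gwName -ResourceGroupName $rg -Location $region

# The two values the portal displays after deployment: the resource ID the agent
# is pointed at, and the https://<guid>.gw.arc.azure.com endpoint that must be
# allowed in the enterprise proxy. (Property names assumed from the ARM schema.)
$gwId       = $gw.Id
$gwEndpoint = $gw.GatewayEndpoint
"Gateway ID:       $gwId"
"Gateway endpoint: $gwEndpoint"

# 2. On a NEW Windows server (elevated, after installing AzureConnectedMachineAgent.msi):
#    point the agent at the corporate proxy, then onboard it through the gateway.
$azcmagent = "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe"
& $azcmagent config set proxy.url "http://proxy.corp.example:8080"   # assumed proxy
& $azcmagent connect `
    --resource-group $rg `
    --tenant-id $tenant `
    --subscription-id $subId `
    --location $region `
    --cloud "AzureCloud" `
    --gateway-id $gwId

# 3. On a server that was onboarded BEFORE the gateway existed: first associate the
#    gateway with the machine resource in Azure (the Microsoft.HybridCompute/settings/write
#    permission covers that step), then switch the local agent's connection type
#    and re-run its built-in connectivity check to confirm the switch took effect.
& $azcmagent config set connection.type gateway
& $azcmagent config get connection.type
& $azcmagent check
```

The proxy.url setting is what makes the agent-side Arc Proxy send its tunnelled traffic through the corporate proxy rather than straight to the Internet; the gateway resource ID tells it which gw.arc.azure.com endpoint to tunnel to.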

What is Azure Arc Gateway?

Azure Arc Gateway is a service that streamlines the URL allowlisting needed in enterprise proxy and firewall configurations when using Azure Arc-enabled resources.

Azure Arc Gateway uses two components:

  1. Arc Gateway Resource – the Azure-side front end for Arc network traffic. It gives an organization a single, unique endpoint to allow in its enterprise proxy configuration.
  2. Arc Proxy – part of the Azure Arc agent on the server. It works as a local forward proxy and routes agent and extension traffic to the Arc Gateway endpoint.

Both components are designed to simplify the URL, port and IP address requirements for onboarding IT infrastructure to Azure Arc. Previously, you needed to allow and configure somewhere between 10 and 20 URLs, ports and services in your firewall and proxy configuration. Azure Arc Gateway reduces the requirement to a handful of URLs:

  • <unique GUID of the gateway>.gw.arc.azure.com
  • gbl.his.arc.azure.com
  • login.microsoftonline.com
  • management.azure.com
  • <region>.his.arc.azure.com
  • packages.microsoft.com

Microsoft is constantly updating its list for Azure Arc Gateway while the service is in preview.

There are scenarios where you need to add more URLs, especially for newly onboarded services. Two examples are Azure Arc-enabled Data Services and Azure Key Vault Certificate Sync.

Port and protocol requirements are also simplified. Azure Arc Gateway only needs outbound TCP port 443: agent traffic is tunnelled over HTTP/1.1 or HTTP/2 and protected end to end with Transport Layer Security (TLS).

The graphic shows you a simplified deployment of the components.

Azure Arc Gateway architecture
Azure Arc Gateway architecture (Image Credit: Microsoft)
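A practitioner rolling out the gateway wants to confirm two things before touching the agent: that the corporate proxy lets an HTTP CONNECT tunnel through to each of the endpoints listed above, and that the TLS session actually terminates at Microsoft rather than at an inspecting proxy (the Limitations section below notes that TLS-terminating proxies are not supported during the preview). The following check does both from a Windows server. It is an added example, not part of the original article or of Microsoft's tooling; the proxy address, region and gateway GUID are placeholders, and the "Microsoft or DigiCert issuer" test is a heuristic for spotting a re-signed certificate, not a guarantee.

```powershell
# Added example (not from the original article): verify each Arc gateway endpoint
# through the corporate proxy with HTTP CONNECT on 443, then inspect the TLS
# certificate actually presented. A certificate issued by something other than a
# Microsoft/DigiCert CA means a TLS-terminating proxy re-signed the session,
# which the Arc gateway preview does not support. Placeholders are marked.

$proxyHost   = "proxy.corp.example"                      # assumed corporate proxy
$proxyPort   = 8080                                      # assumed proxy port
$region      = "westeurope"                              # assumed Azure region
$gatewayGuid = "00000000-0000-0000-0000-000000000000"    # placeholder: GUID from the gateway endpoint

# The endpoint list from the article, with the placeholders filled in.
$endpoints = @(
    "$gatewayGuid.gw.arc.azure.com",
    "gbl.his.arc.azure.com",
    "$region.his.arc.azure.com",
    "login.microsoftonline.com",
    "management.azure.com",
    "packages.microsoft.com"
)

function Test-ArcEndpointViaProxy {
    param([string]$Target, [string]$Proxy, [int]$ProxyPort)
    $r = [ordered]@{ Host = $Target; ConnectOk = $false; TlsOk = $false; Intercepted = $null; Issuer = $null }
    $tcp = $null; $ssl = $null
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($Proxy, $ProxyPort)
        $net = $tcp.GetStream()

        # Ask the proxy for a raw tunnel; this is the only thing the agent needs from it.
        $req   = "CONNECT ${Target}:443 HTTP/1.1`r`nHost: ${Target}:443`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($req)
        $net.Write($bytes, 0, $bytes.Length)
        $buf = New-Object byte[] 4096
        $n   = $net.Read($buf, 0, $buf.Length)
        $status = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)
        if ($status -notmatch '^HTTP/1\.[01] 200') {
            # Proxy refused the tunnel (policy block, auth required, ...): report its status line.
            $r.Issuer = ($status -split "`r?`n")[0]
            return [pscustomobject]$r
        }
        $r.ConnectOk = $true

        # Real TLS handshake with the target through the tunnel. The certificate is
        # validated against the local machine store, exactly as the agent would do it.
        $ssl = [System.Net.Security.SslStream]::new($net, $false)
        $ssl.AuthenticateAsClient($Target)
        $r.TlsOk = $true
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $r.Issuer = $cert.Issuer

        # Heuristic: Azure and Entra endpoints are issued by Microsoft or DigiCert CAs.
        # Any other issuer (typically the enterprise root) means the proxy is
        # terminating TLS and re-signing, which the gateway preview does not support.
        $r.Intercepted = -not ($cert.Issuer -match 'Microsoft|DigiCert')
    } catch {
        # Untrusted issuer, reset, timeout: surface the reason in the Issuer column.
        $r.Issuer = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
    return [pscustomobject]$r
}

$endpoints |
    ForEach-Object { Test-ArcEndpointViaProxy -Target $_ -Proxy $proxyHost -ProxyPort $proxyPort } |
    Format-Table Host, ConnectOk, TlsOk, Intercepted, Issuer -AutoSize
```

Run it on the server before onboarding. A row with ConnectOk false tells you which allowlist entry the proxy team still has to add; a row with Intercepted true tells you that host must be excluded from TLS inspection before the agent will work through the gateway.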

Why is Azure Arc Gateway useful?

In the past, Microsoft paid little attention to how many URLs you needed to allow in your firewall configuration, or relied on partners like Fortinet, Check Point, and Palo Alto Networks to provide service-based policies that hid the excessive firewall and proxy configuration.

As more enterprise customers adopt Azure Arc, the number of services and endpoint URLs grows and managing them becomes complex. So Microsoft and several of its customers agreed to find a solution that harmonizes endpoint configuration and improves the experience for Azure Arc customers.

Personally, I would say that Azure Arc Gateway is useful for everyone. But given some complexity in deployment, and potential costs once it exits preview, the user base is likely to narrow to the following:

  • Enterprise customers who run enterprise proxy and firewall solutions. These customers often work with large teams or service providers, where every requirement or configuration change needs resources assigned to it.

    Such customers usually have additional security requirements and want to reduce the overall complexity of their proxy and firewall rules. Azure Arc Gateway improves the onboarding of resources to Azure Arc by saving time, reducing administrative effort, and reducing the number of change requests needed to introduce new Arc services to the environment.
  • Hosting partners could benefit whether their customers are using Azure Arc or the partners are using it themselves.

Organizations without filtering or proxy servers don't need Azure Arc Gateway. This usually applies to smaller environments that have no additional security requirements, or whose branch networks are connected via Software-Defined Wide Area Network (SD-WAN), virtual private network (VPN) or the public Internet.

Limitations of Azure Arc Gateway

While Azure Arc Gateway is in preview, some scenarios are not yet supported or tested. The list below shows the scenarios that are currently not supported:

  • TLS-terminating proxies aren't supported (Public Preview).
  • ExpressRoute, Site-to-Site VPN or private endpoints used together with the Arc gateway aren't supported (Public Preview).
  • There's a limit of five Arc gateway resources per Azure subscription.
  • The Arc gateway can only be used for connectivity in the Azure public cloud.

Conclusion

To summarize what we learned today, Azure Arc Gateway is another useful tool in your Azure Arc and Hybrid deployment toolbox. It’s built to simplify firewall and proxy configuration for those customers who require more security and control over their outbound communications.

The deployment of the gateway is simple and can be achieved via Azure Portal, CLI or PowerShell.