Azure Local Outbound Connectivity

Comprehensive Guide to Public Path vs Private Path Architectures

What You'll Learn

Architecture Components: Understanding core components including Azure Local machines, Arc Gateway, proxies, and networking infrastructure
Traffic Categorization: Distinguishing between different types of network traffic and their routing paths
Configuration Steps: Setting up proxies, firewall rules, and Arc Gateway registration
Best Practices: When to use each architecture based on your requirements

Key Benefits of Arc Gateway

🔒

Better Security

Fewer open connections reduce the potential attack surface. Reduce firewall rules from hundreds to fewer than 30 endpoints.

⚙️

Easier Setup

Leverage your existing network and security infrastructure while the Arc Gateway manages Azure connectivity.

📊

Simpler Management

Fewer endpoints to manage means easier tracking and troubleshooting.

Architecture Comparison

Azure Local supports two primary outbound connectivity models. Arc Gateway is recommended to simplify and secure connectivity, but the key difference is how traffic reaches Azure services.

🌐 Public Path

4 Options

Traffic routes to Azure via public internet. Multiple configuration options available:

Option 1: No Proxy, No Arc Gateway - How to register nodes in Arc ↗
Option 2: Proxy, No Arc Gateway - How to register nodes in Arc ↗
Option 3: No Proxy, Arc Gateway - How to register nodes in Arc ↗
Option 4: Proxy + Arc Gateway - How to register nodes in Arc ↗

🔐 Private Path

Enhanced Security

Traffic routes through Arc Gateway via ExpressRoute or Site-to-Site VPN.

Azure Firewall Explicit Proxy
No public internet exposure
Private connectivity to Azure

Detailed Comparison

Aspect	Public Path	Private Path
Internet Exposure	Required (outbound)	None
Primary Connectivity	Public endpoints via Arc Gateway	ExpressRoute or Site-to-Site VPN
Enterprise Proxy Location	On-premises (optional)	Azure Firewall Explicit Proxy (in Azure)
Firewall Location	On-premises firewall	Azure Firewall (in Azure VNET)
Arc Gateway	✅ Optional (recommended)	✅ Yes
Cluster IP:40343	✅ For ARB/AKS	✅ For ARB/AKS
Private Endpoints	✅ Supported	✅ Supported
� Arc Private Link	❌	❌
🔐 Key Vault	✅	✅
💾 Storage (Blob)	✅	✅
📦 Azure Container Registry	✅	✅
🔄 Azure Site Recovery	✅	✅
🗄️ Recovery Services Vault (Backup)	✅	✅
🗃️ SQL Managed Instance	✅	✅
🛡️ Microsoft Defender for Cloud	✅	✅
TLS Inspection	❌ Not supported	❌ Not supported
Setup Complexity	Lower	Higher
Cost	Lower	Higher (ExpressRoute + Azure Firewall)

📌 Important Note on Private Endpoints

Private Endpoints (Private Link) are architecture-agnostic. They work identically in both Public Path and Private Path architectures. The configuration is the same - you add Private Link endpoints to the proxy bypass list so traffic goes directly to them.

Components Overview

🌐 Public Path

Traffic routed through the Arc Gateway to Azure services via the public internet. Your on-premises enterprise proxy and firewall control the traffic flow.

🔐 Private Path

Traffic routed securely through private connections (ExpressRoute or Site-to-Site VPN) to Azure, eliminating public internet exposure.

                🔐 What Makes Private Path "Private"
                Azure Firewall Explicit Proxy is the enterprise proxy (hosted in Azure, not on-prem)
Arc Gateway routes through private connection (ExpressRoute/VPN)
No public internet exposure for Azure Local traffic
Unified private connectivity — combine private endpoints for Azure PaaS services (Storage, Key Vault, etc.) with fully private Arc and Entra traffic over ExpressRoute

            

                🌐 What Makes Public Path "Public"
                On-premises Enterprise Proxy handles all outbound traffic from Azure Local
Arc Gateway routes through the public internet to Azure services
Enterprise firewall controls and inspects traffic before leaving your network
Hybrid private endpoints — while Arc and Entra traffic uses public internet, you can still use private endpoints for Azure PaaS services (Storage, Key Vault) if you have ExpressRoute or Site-to-Site VPN connectivity

            

When to Use Each Architecture

Choose Public Path When:

✅ You have reliable internet connectivity
✅ You already have on-premises proxy/firewall infrastructure
✅ Public internet egress is acceptable per your security policies
✅ Simpler initial setup is preferred
✅ Cost optimization (no ExpressRoute/VPN required)

Choose Private Path When:

✅ Zero public internet exposure is required
✅ Regulatory/compliance requirements mandate private connectivity
✅ You already have ExpressRoute or Site-to-Site VPN
✅ Centralized Azure-based security management is preferred
✅ High-security environments (government, healthcare, financial)

Summary

Both architectures can leverage the Arc Gateway to reduce firewall rules from hundreds to fewer than 30 endpoints. The key differentiator is:

Public Path: Uses on-premises proxy/firewall with public internet egress
Private Path: Uses Azure Firewall Explicit Proxy with ExpressRoute/VPN (no public internet)

Private Endpoints are configured identically in both architectures - they're architecture-agnostic.

Private Endpoints Usage Across Deployment Scenarios

Azure Local supports multiple deployment scenarios with varying proxy and Arc Gateway configurations. Private Endpoints (Private Link) work across all scenarios but require proper proxy bypass configuration.

🌐 Public Path - 4 Options

When using public internet for Azure connectivity, you have four deployment options:

No Proxy, No Arc Gateway

Direct connection to Azure through firewall only. Requires opening all Azure endpoints in firewall.

Key Characteristics:

Proxy: None
Arc Gateway: Not used
Connectivity: Direct to public internet
Firewall Rules: Hundreds of endpoints required

✅ Simplest setup

No proxy configuration needed

❌ Most firewall rules

Hundreds of endpoints to manage

Proxy, No Arc Gateway

Traffic routes through enterprise proxy. Proxy handles URL filtering and logging.

Key Characteristics:

Proxy: On-premises enterprise proxy
Arc Gateway: Not used
Connectivity: Through proxy to public internet
Firewall Rules: Many endpoints required

✅ Centralized control

Proxy provides visibility and filtering

❌ Many endpoints

Still requires many firewall/proxy rules

No Proxy, Arc Gateway

Arc Gateway handles Azure connectivity. Reduces firewall rules to fewer than 30 endpoints.

Key Characteristics:

Proxy: None
Arc Gateway: Handles HTTPS traffic to Azure
Connectivity: Arc Gateway to public internet
Firewall Rules: Fewer than 30 endpoints

✅ Simplified rules

Fewer than 30 endpoints needed

❌ No HTTP proxy

HTTP traffic goes direct to firewall

Proxy with Arc Gateway

Best of both worlds: Arc Gateway for HTTPS to Azure, enterprise proxy for HTTP and third-party traffic.

Key Characteristics:

Proxy: On-premises enterprise proxy
Arc Gateway: Handles HTTPS traffic to Azure
Connectivity: Arc Gateway + Proxy to public internet
Firewall Rules: Fewer than 30 endpoints

✅ Best security

Minimal rules + proxy control

✅ Full visibility

All traffic is managed

🔐 Private Path - 1 Option

When using ExpressRoute/VPN for private Azure connectivity, there is only one supported configuration:

★

Azure Firewall Explicit Proxy + Arc Gateway

Only Option

All traffic routes through ExpressRoute/VPN to Azure Firewall Explicit Proxy, with Arc Gateway providing the secure tunnel to Azure services.

Key Characteristics:

Proxy: Azure Firewall Explicit Proxy (in Azure VNET)
Arc Gateway: Required for HTTPS traffic to Azure
Connectivity: ExpressRoute or Site-to-Site VPN
Internet: No public internet exposure

✅ Maximum security

No public internet exposure

✅ Centralized management

Azure Firewall policies

✅ Compliance ready

Meets strict regulatory requirements

⚠️ Why Only One Option?

The Private Path architecture requires:

Azure Firewall Explicit Proxy - to serve as the enterprise proxy hosted in Azure
Arc Gateway - to create secure tunnels for HTTPS traffic
ExpressRoute/VPN - to provide private connectivity

Any variation from this architecture is not validated or supported by Microsoft.

Private Endpoints Configuration

Regardless of which scenario you choose, Private Endpoints (Private Link) are configured the same way:

Add Private Link endpoint FQDNs to the proxy bypass list
Configure DNS to resolve Private Link FQDNs to private IPs
Traffic flows directly to Private Endpoints without going through proxy or Arc Gateway

Private Endpoints by Service Type

Each Azure service has specific requirements when configuring Private Endpoints with Azure Local:

🔐

Azure Key Vault

vault.azure.net

Azure Local requires a Key Vault for deployment. Azure Portal and HCI Resource Provider configure secrets during deployment.

⚠️ During Deployment:

Keep public access enabled until initial deployment is complete.

✅ After Deployment:

Restrict access to private networks only. Other customer Key Vaults for workloads can be fully private from the start.

💾

Azure Storage (Blob)

blob.core.windows.net

Required for 2-node deployments as cloud witness. Azure Portal and HCI RP configure the cloud witness during deployment.

⚠️ During Deployment:

Keep public access enabled until initial deployment is complete.

✅ After Deployment:

Restrict access to private networks only.

💡 Optional:

If your security team requires source IP validation on the private endpoint, add the storage endpoint to the proxy bypass list so traffic goes directly to your firewall instead of through Arc Gateway tunnel.

📦

Azure Container Registry (ACR)

azurecr.io

Crucial for AKS image pulls. Customers commonly pull container images for AKS workloads from private ACR endpoints.

🚫 No Wildcards:

*.azurecr.io is NOT supported in the bypass list. ARB VM uses specific ACR endpoints and the bypass list applies to both ARB and AKS.

✅ Required:

Add specific ACR FQDNs to the proxy bypass list before deployment. This is particularly important when AKS clusters run on their own LNET and you want ACR traffic to go directly from AKS subnet to firewall.

🔄

Azure Site Recovery (ASR)

privatelink.siterecovery.windowsazure.com

ASR private endpoint FQDNs are not allowed by Arc Gateway. Traffic must follow one of two outbound paths:

Option 1: Via Enterprise Proxy

Do not add FQDNs to proxy bypass list. Traffic will be rejected by Arc proxy, retry via enterprise proxy.

⚠️ Requirement: SSL inspection must be disabled on the enterprise proxy for ASR endpoints.

Option 2: Via Proxy Bypass (Recommended)

Add ASR FQDNs to proxy bypass list. Traffic goes directly to firewall, then to private endpoint via ExpressRoute/VPN.

✅ Recommended: Simpler configuration, no SSL inspection concerns.

📖 Reference

See Enable replication for private endpoints in Azure Site Recovery for detailed configuration.

Private Endpoints Routing by Scenario

Scenario	PE Outbound Path	Arc Private Link	Key Requirements
1. No Proxy, No Arc GW	Direct → ExpressRoute/VPN	❌ Not Supported	Configure routing and DNS; no proxy bypass needed
2. Proxy, No Arc GW	Proxy bypassed → ExpressRoute/VPN	❌ Not Supported	Add PE FQDNs to proxy bypass list
3. No Proxy, Arc GW	Cluster IP proxy bypassed → ExpressRoute/VPN	❌ Not Supported	Add PE FQDNs to Environment Variables bypass after Arc registration
4. Proxy, Arc GW	Proxy bypassed → ExpressRoute/VPN	❌ Not Supported	Add PE FQDNs to proxy bypass list during Arc registration

Reserved Subnets: ARB & AKS

The Arc Resource Bridge (ARB) VM reserves specific IP ranges for internal Kubernetes operations. Never use these ranges for your private endpoint networks — traffic will fail to route correctly.

⚠️ Critical: Avoid IP Overlaps

If your private endpoint network uses IPs within these reserved ranges, traffic will fail because ARB/AKS treat them as internal addresses.

ARB Reserved IP Ranges

Service Component	Designated IP Range	IP Address Range
Arc Resource Bridge Kubernetes Pods	`10.244.0.0/16`	10.244.0.1 to 10.244.255.254
Arc Resource Bridge Kubernetes Services	`10.96.0.0/12`	10.96.0.1 to 10.111.255.254

IP Overlap Scenario Example

❌ Internal Conflict (FAIL)

Endpoint IP: 10.244.1.4

Inside reserved pod range (10.244.0.0/16)

AKS treats this as internal traffic. Traffic never leaves the VNET — routing fails.

✅ Correct Routing (SUCCESS)

Endpoint IP: 10.245.0.5

Outside reserved pod range

AKS resolves as external traffic. Traffic routes correctly to Private Endpoint.

Best Practices for Private Endpoint Networks

🔍
Verify your Private Endpoint VNETs
Before deploying, ensure your private endpoint networks do NOT overlap with 10.244.0.0/16 or 10.96.0.0/12
📋
Use non-conflicting address spaces
Recommended: Use address ranges like 10.0.0.0/16, 10.1.0.0/16, 172.16.0.0/16 for private endpoints
🧪
Test connectivity before production
Validate private endpoint routing from ARB and AKS workloads in a test environment

Traffic Flow Comparison: Public vs Private Path

Compare how traffic flows through each architecture side-by-side. Both paths handle the same traffic categories but route them differently.

Step 1: Bypass Traffic (Direct Communications)

Traffic that bypasses proxy entirely for internal communications and Private Link endpoints.

🌐 Public Path

Internal intranet communications
Node-to-node communications
Private Link endpoints

🔐 Private Path

Internal intranet communications
Node-to-node communications
Private Link endpoints (via ExpressRoute)

Step 2: HTTP Traffic via Proxy

HTTP traffic that cannot use Arc proxy is routed through enterprise proxy/firewall.

🌐 Public Path

Node → On-premises proxy/firewall
Proxy → Public internet → Azure

🔐 Private Path

Node → Customer Firewall
→ ExpressRoute → Azure Firewall Explicit Proxy

Step 3: HTTPS Traffic via Arc Proxy

HTTPS traffic destined for Azure endpoints is routed through the Arc proxy to Arc Gateway.

🌐 Public Path

Node → Arc Proxy → On-prem Firewall
→ Public Internet → Arc Gateway → Azure

🔐 Private Path

Node → Arc Proxy → Customer Firewall
→ ExpressRoute → Azure Firewall → Arc Gateway → Azure

Step 4: Azure Resource Bridge (ARB) VM via Cluster IP

ARB VM uses Cluster IP as its proxy endpoint to route traffic through Arc Gateway.

🌐 Public Path

ARB VM → Cluster IP:40343
→ Arc Gateway → Public Internet → Azure

🔐 Private Path

ARB VM → Cluster IP:40343
→ ExpressRoute → Arc Gateway → Azure

Step 5: AKS Clusters via Cluster IP Proxy

AKS Control Plane VMs, Worker VMs, and Pods route traffic through Cluster IP proxy.

🌐 Public Path

AKS VMs/Pods → Cluster IP:40343
→ Arc Gateway → Public Internet → Azure

🔐 Private Path

AKS VMs/Pods → Cluster IP:40343
→ ExpressRoute → Arc Gateway → Azure

Step 6: Azure Local VMs via Dedicated Arc Proxy

Each Azure Local VM uses its own dedicated Arc proxy for HTTPS traffic.

🌐 Public Path

VM → Dedicated Arc Proxy
→ Arc Gateway → Public Internet → Azure

🔐 Private Path

VM → Dedicated Arc Proxy
→ ExpressRoute → Arc Gateway → Azure

Key Routing Differences

Comparing the most complete configurations from each path: Public Path Option 4 (Proxy + Arc Gateway) vs Private Path (Azure FW Explicit Proxy + Arc Gateway)

🌐 Public Path Routes

Option 4: On-prem Proxy + Arc Gateway

Bypass Traffic

Direct to internal services

HTTP Traffic

On-prem proxy → Corporate FW → Public internet

HTTPS Traffic

Arc Proxy → Corporate FW → Public internet → Arc Gateway

ARB/AKS Traffic

Cluster IP → Arc Proxy → Corporate FW → Public internet → Arc Gateway

🔐 Private Path Routes

Azure FW Explicit Proxy + Arc Gateway

Bypass Traffic

Direct to internal services

HTTP Traffic

On-prem host → Corporate FW → ExpressRoute → Azure FW Explicit Proxy

HTTPS Traffic

Arc Proxy → ExpressRoute → Azure FW → Arc Gateway

ARB/AKS Traffic

Cluster IP → Arc Proxy → ExpressRoute → Arc Gateway

Traffic Categories

Network traffic is categorized based on how it should be routed. These categories apply to both Public and Private Path architectures.

🟦

Bypass Traffic

HTTP/HTTPS that must bypass proxy entirely.

Internal intranet communications
Node-to-node communications
Internal management systems
Private Link endpoints (Key Vault, Storage)

🟨

HTTP Traffic

HTTP traffic incompatible with Arc proxy.

Routes through enterprise proxy
Public Path: On-premises proxy
Private Path: Azure Firewall Explicit Proxy

🟩

HTTPS via Arc Proxy

HTTPS always routed through Arc proxy.

Microsoft-managed endpoints
Secure HTTPS tunnel to Arc Gateway
Built-in security and management

🟥

Third-party HTTPS

HTTPS not permitted through Arc Gateway.

OEM endpoints
Hardware vendor updates
Third-party agents
Redirected to firewall/proxy

📘

ARB/AKS via Cluster IP

Arc Resource Bridge and AKS traffic.

Uses Cluster IP:40343 as proxy
Routes through Arc proxy running on the host
Control plane and pods

AKS Clusters on Separated Subnet

When AKS clusters run on a separated subnet from the Azure Local infrastructure subnet, additional firewall rules are required.

🌐 Public Path

🔐 Private Path

Firewall Requirements

Traffic between AKS subnet and Azure Local Infrastructure subnet

Port	Protocol	Direction	Purpose
40343	HTTPS/HTTP Connect	AKS → Cluster IP	Arc Gateway proxy (L4 and L7)
55000	TCP	AKS → Cluster IP	Communication
65000	TCP	AKS → Cluster IP	Communication
22	TCP	Bidirectional	SSH
6443	TCP	Bidirectional	Kubernetes API

📌 Additional FQDN Endpoints

Although Arc Gateway reduces the HTTPS endpoints required, you must still allow access to endpoints not supported by Arc Gateway. Refer to the AKS subnet required FQDN endpoints documentation.

Configuration

Proxy Bypass Requirements

When defining your proxy bypass string for Arc initialization or the Companion App, include:

✅ Required Bypass Entries

IP address of each Azure Local machine
Cluster IP address
Infrastructure network IPs (ARB, AKS, future services)
Or bypass the entire infrastructure subnet
NetBIOS name of each machine
NetBIOS name of the Cluster
Domain name with asterisk wildcard (e.g., *.contoso.com)
Subnet wildcards (e.g., 192.168.1.*)
Private Link endpoints (Key Vault, Storage, etc.)

❌ Not Supported

CIDR notation for subnets
<local> strings in bypass list
.local domain for proxy server name

Example Bypass String

# Bypass list format (comma-separated)
192.168.1.10,192.168.1.11,192.168.1.12,   # Node IPs
192.168.1.100,                              # Cluster IP
192.168.1.*,                                # Infrastructure subnet
NODE1,NODE2,NODE3,                          # NetBIOS names
CLUSTER01,                                  # Cluster NetBIOS
*.contoso.com,                              # Domain wildcard
keyvault.vault.azure.net,                   # Private Link endpoints
storageaccount.blob.core.windows.net

Registration Script Examples

Use these PowerShell scripts to register Azure Local nodes with Azure Arc. Run on each node as local administrator.

📜 Option 1: No Proxy, No Arc Gateway

Simplest configuration - direct connection to Azure through firewall only.

📖 Full Documentation ↗

Set Parameters

# Define tenant and subscription
$Tenant = "YourTenantID"
$Subscription = "YourSubscriptionID"
$RG = "YourResourceGroupName"
$Region = "eastus"  # Do not use spaces or capital letters

Run Registration Script

# Invoke registration (no proxy, no Arc Gateway)
Invoke-AzStackHciArcInitialization `
    -TenantId $Tenant `
    -SubscriptionID $Subscription `
    -ResourceGroup $RG `
    -Region $Region `
    -Cloud "AzureCloud"

📜 Option 2: Proxy, No Arc Gateway

Traffic routes through enterprise proxy. Proxy handles URL filtering and logging.

📖 Full Documentation ↗

Set Parameters

# Define tenant and subscription
$Tenant = "YourTenantID"
$Subscription = "YourSubscriptionID"
$RG = "YourResourceGroupName"
$Region = "eastus"  # Do not use spaces or capital letters

# Define proxy server address
$ProxyServer = "http://proxyaddress:port"

# Define bypass list (comma-separated)
# Use "localhost" instead of <local>
# Use * for subnets: 192.168.1.* for /24, 192.168.*.* for /16
# Append * for domains: *.contoso.com
# Include: Node IPs, Cluster IP, Infrastructure IPs, NetBIOS names, Private Endpoints
$ProxyBypassList = "localhost,127.0.0.1,*.contoso.com,machine1,machine2,machine3,192.168.*.*,AzureLocal-1,mykeyvault.vault.azure.net,mystorageaccount.blob.core.windows.net,mystorageaccount.file.core.windows.net"

Run Registration Script

# Invoke registration (with proxy, no Arc Gateway)
Invoke-AzStackHciArcInitialization `
    -TenantId $Tenant `
    -SubscriptionID $Subscription `
    -ResourceGroup $RG `
    -Region $Region `
    -Cloud "AzureCloud" `
    -Proxy $ProxyServer `
    -ProxyBypass $ProxyBypassList

📜 Option 3: No Proxy, Arc Gateway

Arc Gateway handles Azure connectivity. Reduces firewall rules to fewer than 30 endpoints.

📖 Full Documentation ↗

Step 1: Get Arc Gateway ID from Azure Portal

# In Azure Portal:
# 1. Go to your Arc gateway resource
# 2. On the Overview page, copy the Resource ID
# Format: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.HybridCompute/gateways/{name}

Step 2: Set Parameters

# Define tenant and subscription
$Tenant = "YourTenantID"
$Subscription = "YourSubscriptionID"
$RG = "YourResourceGroupName"
$Region = "eastus"  # Do not use spaces or capital letters

# Define Arc Gateway Resource ID from Azure Portal
$ArcgwId = "/subscriptions/yourSubscriptionId/resourceGroups/yourResourceGroupName/providers/Microsoft.HybridCompute/gateways/yourArcGatewayName"

Step 3: Run Registration Script

# Invoke registration (no proxy, with Arc Gateway)
Invoke-AzStackHciArcInitialization `
    -TenantID $Tenant `
    -SubscriptionID $Subscription `
    -ResourceGroup $RG `
    -Region $Region `
    -Cloud "AzureCloud" `
    -ArcGatewayID $ArcgwId

📜 Option 4: Proxy + Arc Gateway

Best of both worlds: Arc Gateway for HTTPS to Azure, enterprise proxy for HTTP and third-party traffic.

📖 Full Documentation ↗

Step 1: Get Arc Gateway ID from Azure Portal

# In Azure Portal:
# 1. Go to your Arc gateway resource
# 2. On the Overview page, copy the Resource ID
# Format: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.HybridCompute/gateways/{name}

Step 2: Set Parameters

# Define tenant and subscription
$Tenant = "YourTenantID"
$Subscription = "YourSubscriptionID"
$RG = "YourResourceGroupName"
$Region = "eastus"  # Do not use spaces or capital letters

# Define proxy server address
$ProxyServer = "http://proxyaddress:port"

# Define bypass list (comma-separated)
# Use "localhost" instead of <local>
# Use * for subnets: 192.168.1.* for /24, 192.168.*.* for /16
# Append * for domains: *.contoso.com
# Include: Node IPs, Cluster IP, Infrastructure IPs, NetBIOS names, Private Endpoints
$ProxyBypassList = "localhost,127.0.0.1,*.contoso.com,machine1,machine2,machine3,192.168.*.*,AzureLocal-1,mykeyvault.vault.azure.net,mystorageaccount.blob.core.windows.net,mystorageaccount.file.core.windows.net"

# Define Arc Gateway Resource ID from Azure Portal
$ArcgwId = "/subscriptions/yourSubscriptionId/resourceGroups/yourResourceGroupName/providers/Microsoft.HybridCompute/gateways/yourArcGatewayName"

Step 3: Run Registration Script

# Invoke registration (with proxy and Arc Gateway)
Invoke-AzStackHciArcInitialization `
    -TenantID $Tenant `
    -SubscriptionID $Subscription `
    -ResourceGroup $RG `
    -Region $Region `
    -Cloud "AzureCloud" `
    -Proxy $ProxyServer `
    -ArcGatewayID $ArcgwId `
    -ProxyBypass $ProxyBypassList

✅ Verify Registration

After registration completes, verify the setup:

Check Arc Agent Status

# Check Arc agent configuration
& "C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe" show

# Expected values:
# - Agent Status: Connected
# - Using HTTPS Proxy: http://localhost:40343 (when Arc Gateway enabled)
# - Upstream Proxy: Your enterprise proxy (if configured)
# - Azure Arc Proxy: Running (when Arc Gateway enabled)

# Verify connectivity
& "C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe" check

# All URLs should show Reachable: true
# Connection.type should be "gateway" when Arc Gateway is enabled

💡 Important Notes

Run these scripts as local administrator on each Azure Local node
During registration, you'll need to authenticate with your Azure account using a device code
If using an OEM pre-installed image, an automatic update may trigger (40-45 minutes) - rerun the script after reboot
Arc Gateway log location: C:\ProgramData\AzureConnectedMachineAgent\Log\arcproxy.log