data/endpoints.json
{
"$schema": "https://raw.githubusercontent.com/smitzlroy/AksArc.DeploymentReadiness/main/data/endpoints-schema.json", "schemaVersion": "1.0", "metadata": { "sourceUrl": "https://github.com/Azure/AzureStack-Tools/tree/master/HCI/EastUSendpoints", "sourceRegion": "eastus", "lastUpdated": "2025-11-27", "sourceCommitSha": null, "moduleVersion": "0.1.0", "notes": "Consolidated endpoint reference for Azure Local + AKS Arc. Firewall requirements for AKS Arc have been consolidated with Azure Local firewall requirements per https://learn.microsoft.com/en-us/azure/aks/aksarc/network-system-requirements" }, "regionUrlPatterns": [ { "pattern": "{region}.his.arc.azure.com", "component": "Arc Hybrid Identity Service" }, { "pattern": "{region}.dp.kubernetesconfiguration.azure.com", "component": "Kubernetes Configuration Data Plane" }, { "pattern": "{region}.dp.prod.appliances.azure.com", "component": "Arc Appliance Data Plane" }, { "pattern": "{region}.monitoring.azure.com", "component": "Azure Monitor" }, { "pattern": "{region}.handler.control.monitor.azure.com", "component": "Azure Monitor Handler" } ], "endpoints": [ { "id": 1, "url": "mcr.microsoft.com", "port": 443, "protocol": "HTTPS", "component": "AKS Arc infra", "notes": "Microsoft Container Registry - AKS Arc container images", "arcGatewaySupported": false, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "https_get", "testPath": "/v2/", "expectedStatus": 200 }, "wildcard": false, "regionSpecific": false }, { "id": 2, "url": "*.data.mcr.microsoft.com", "port": 443, "protocol": "HTTPS", "component": "AKS Arc infra", "notes": "MCR data endpoint - container image layer downloads", "arcGatewaySupported": false, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": false }, { "id": 3, "url": "azurearcfork8s.azurecr.io", "port": 443, "protocol": "HTTPS", 
"component": "AKS Arc infra", "notes": "Azure Arc for Kubernetes container images", "arcGatewaySupported": false, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "https_get", "testPath": "/v2/", "expectedStatus": 200 }, "wildcard": false, "regionSpecific": false }, { "id": 4, "url": "adhs.events.data.microsoft.com", "port": 443, "protocol": "HTTPS", "component": "AKS Arc infra", "notes": "Azure Device Health Service telemetry", "arcGatewaySupported": false, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "tcp_connect", "testPath": null, "expectedStatus": "connected" }, "wildcard": false, "regionSpecific": false }, { "id": 5, "url": "v20.events.data.microsoft.com", "port": 443, "protocol": "HTTPS", "component": "AKS Arc infra", "notes": "Telemetry data upload endpoint", "arcGatewaySupported": false, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "tcp_connect", "testPath": null, "expectedStatus": "connected" }, "wildcard": false, "regionSpecific": false }, { "id": 6, "url": "*.his.arc.azure.com", "port": 443, "protocol": "HTTPS", "component": "ARB infra", "notes": "Azure Arc Hybrid Identity Service", "arcGatewaySupported": true, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": true }, { "id": 7, "url": "*.dp.kubernetesconfiguration.azure.com", "port": 443, "protocol": "HTTPS", "component": "ARB infra", "notes": "Kubernetes configuration data plane", "arcGatewaySupported": true, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": true }, { "id": 8, "url": "ecpacr.azurecr.io", "port": 443, "protocol": "HTTPS", "component": "ARB infra", "notes": "Edge Container Platform container images", 
"arcGatewaySupported": false, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "https_get", "testPath": "/v2/", "expectedStatus": 200 }, "wildcard": false, "regionSpecific": false }, { "id": 9, "url": "kvamanagementoperator.azurecr.io", "port": 443, "protocol": "HTTPS", "component": "ARB infra", "notes": "KVA management operator container images", "arcGatewaySupported": false, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "https_get", "testPath": "/v2/", "expectedStatus": 200 }, "wildcard": false, "regionSpecific": false }, { "id": 10, "url": "aka.ms", "port": 443, "protocol": "HTTPS", "component": "Arc agent", "notes": "Microsoft URL shortener - agent installer download redirects", "arcGatewaySupported": false, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "https_get", "testPath": "/", "expectedStatus": 200 }, "wildcard": false, "regionSpecific": false }, { "id": 11, "url": "download.microsoft.com", "port": 443, "protocol": "HTTPS", "component": "Arc agent", "notes": "Microsoft download center - agent packages", "arcGatewaySupported": false, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "https_get", "testPath": "/", "expectedStatus": 200 }, "wildcard": false, "regionSpecific": false }, { "id": 12, "url": "packages.microsoft.com", "port": 443, "protocol": "HTTPS", "component": "Arc agent", "notes": "Microsoft Linux package repository", "arcGatewaySupported": false, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "https_get", "testPath": "/", "expectedStatus": 200 }, "wildcard": false, "regionSpecific": false }, { "id": 13, "url": "login.microsoftonline.com", "port": 443, "protocol": "HTTPS", "component": "Authentication", "notes": "Microsoft Entra ID authentication", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { 
"method": "https_get", "testPath": "/", "expectedStatus": 200 }, "wildcard": false, "regionSpecific": false }, { "id": 14, "url": "login.windows.net", "port": 443, "protocol": "HTTPS", "component": "Authentication", "notes": "Microsoft Entra ID (legacy endpoint)", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "https_get", "testPath": "/", "expectedStatus": 200 }, "wildcard": false, "regionSpecific": false }, { "id": 15, "url": "*.login.microsoftonline.com", "port": 443, "protocol": "HTTPS", "component": "Authentication", "notes": "Regional authentication endpoints", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": false }, { "id": 16, "url": "graph.microsoft.com", "port": 443, "protocol": "HTTPS", "component": "Authentication", "notes": "Microsoft Graph API", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "https_get", "testPath": "/", "expectedStatus": 200 }, "wildcard": false, "regionSpecific": false }, { "id": 17, "url": "management.azure.com", "port": 443, "protocol": "HTTPS", "component": "ARM", "notes": "Azure Resource Manager - all Azure control plane operations", "arcGatewaySupported": true, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "https_get", "testPath": "/", "expectedStatus": 200 }, "wildcard": false, "regionSpecific": false }, { "id": 18, "url": "*.dp.prod.appliances.azure.com", "port": 443, "protocol": "HTTPS", "component": "ARM", "notes": "Arc appliance data plane (ARB management)", "arcGatewaySupported": true, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": true }, { "id": 19, "url": 
"dc.services.visualstudio.com", "port": 443, "protocol": "HTTPS", "component": "Monitoring", "notes": "Application Insights data collector", "arcGatewaySupported": false, "requiredFor": "post-deployment", "networkOrigin": "management", "validation": { "method": "tcp_connect", "testPath": null, "expectedStatus": "connected" }, "wildcard": false, "regionSpecific": false }, { "id": 20, "url": "*.ods.opinsights.azure.com", "port": 443, "protocol": "HTTPS", "component": "Monitoring", "notes": "Log Analytics data ingestion", "arcGatewaySupported": false, "requiredFor": "post-deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": true }, { "id": 21, "url": "*.oms.opinsights.azure.com", "port": 443, "protocol": "HTTPS", "component": "Monitoring", "notes": "Log Analytics operations management", "arcGatewaySupported": false, "requiredFor": "post-deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": true }, { "id": 22, "url": "*.monitoring.azure.com", "port": 443, "protocol": "HTTPS", "component": "Monitoring", "notes": "Azure Monitor metrics and logs", "arcGatewaySupported": false, "requiredFor": "post-deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": true }, { "id": 23, "url": "gcs.prod.monitoring.core.windows.net", "port": 443, "protocol": "HTTPS", "component": "Monitoring", "notes": "Geneva Monitoring - internal telemetry pipeline", "arcGatewaySupported": false, "requiredFor": "post-deployment", "networkOrigin": "management", "validation": { "method": "tcp_connect", "testPath": null, "expectedStatus": "connected" }, "wildcard": false, "regionSpecific": false }, { "id": 24, "url": "*.windowsupdate.com", "port": 443, 
"protocol": "HTTPS", "component": "OS Servicing", "notes": "Windows Update content delivery", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": false }, { "id": 25, "url": "*.update.microsoft.com", "port": 443, "protocol": "HTTPS", "component": "OS Servicing", "notes": "Microsoft Update metadata", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": false }, { "id": 26, "url": "*.dl.delivery.mp.microsoft.com", "port": 443, "protocol": "HTTPS", "component": "OS Servicing", "notes": "Delivery Optimization download", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": false }, { "id": 27, "url": "*.servicebus.windows.net", "port": 443, "protocol": "HTTPS", "component": "Azure Local", "notes": "Azure Service Bus - registration and notifications", "arcGatewaySupported": true, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": true }, { "id": 28, "url": "*.waconazure.com", "port": 443, "protocol": "HTTPS", "component": "Azure Local", "notes": "Windows Admin Center in Azure - remote management", "arcGatewaySupported": false, "requiredFor": "post-deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": false }, { "id": 29, "url": "*.blob.core.windows.net", "port": 443, "protocol": "HTTPS", "component": "Azure Local", "notes": "Azure Blob Storage - update payloads, 
extension packages, cloud witness", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": false }, { "id": 30, "url": "*.table.core.windows.net", "port": 443, "protocol": "HTTPS", "component": "Azure Local", "notes": "Azure Table Storage - diagnostics and configuration data", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": false }, { "id": 31, "url": "*.digicert.com", "port": 443, "protocol": "HTTPS", "component": "Certificate Validation", "notes": "DigiCert CRL and OCSP - certificate validation", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": false }, { "id": 32, "url": "crl.microsoft.com", "port": 80, "protocol": "HTTP", "component": "Certificate Validation", "notes": "Microsoft CRL distribution point", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "tcp_connect", "testPath": null, "expectedStatus": "connected" }, "wildcard": false, "regionSpecific": false }, { "id": 33, "url": "crl3.digicert.com", "port": 80, "protocol": "HTTP", "component": "Certificate Validation", "notes": "DigiCert CRL distribution point", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "tcp_connect", "testPath": null, "expectedStatus": "connected" }, "wildcard": false, "regionSpecific": false }, { "id": 34, "url": "crl4.digicert.com", "port": 80, "protocol": "HTTP", "component": "Certificate Validation", "notes": "DigiCert CRL distribution point (alternate)", "arcGatewaySupported": false, 
"requiredFor": "both", "networkOrigin": "management", "validation": { "method": "tcp_connect", "testPath": null, "expectedStatus": "connected" }, "wildcard": false, "regionSpecific": false }, { "id": 35, "url": "ocsp.digicert.com", "port": 80, "protocol": "HTTP", "component": "Certificate Validation", "notes": "DigiCert OCSP responder", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "tcp_connect", "testPath": null, "expectedStatus": "connected" }, "wildcard": false, "regionSpecific": false }, { "id": 36, "url": "www.microsoft.com/pkiops", "port": 443, "protocol": "HTTPS", "component": "Certificate Validation", "notes": "Microsoft PKI operations - certificate and CRL hosting", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "tcp_connect", "testPath": null, "expectedStatus": "connected" }, "wildcard": false, "regionSpecific": false }, { "id": 37, "url": "*.guestconfiguration.azure.com", "port": 443, "protocol": "HTTPS", "component": "Arc Extensions", "notes": "Guest configuration policy - Azure Policy for Arc", "arcGatewaySupported": true, "requiredFor": "post-deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": true }, { "id": 38, "url": "*.guestnotificationservice.azure.com", "port": 443, "protocol": "HTTPS", "component": "Arc Extensions", "notes": "Guest notification service - extension push notifications", "arcGatewaySupported": true, "requiredFor": "post-deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": true }, { "id": 39, "url": "*.dp.kubernetesconfiguration.azure.com", "port": 443, "protocol": "HTTPS", "component": "Arc Extensions", "notes": "Kubernetes configuration data plane - Flux, GitOps", 
"arcGatewaySupported": true, "requiredFor": "post-deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": true }, { "id": 40, "url": "*.vault.azure.net", "port": 443, "protocol": "HTTPS", "component": "Key Vault", "notes": "Azure Key Vault - secrets, keys, certificates used during deployment", "arcGatewaySupported": false, "requiredFor": "deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": true }, { "id": 41, "url": "settings-win.data.microsoft.com", "port": 443, "protocol": "HTTPS", "component": "OS Servicing", "notes": "Windows settings and feature flags", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "tcp_connect", "testPath": null, "expectedStatus": "connected" }, "wildcard": false, "regionSpecific": false }, { "id": 42, "url": "*.prod.hot.ingestion.msftcloudes.com", "port": 443, "protocol": "HTTPS", "component": "Monitoring", "notes": "Hot path telemetry ingestion", "arcGatewaySupported": false, "requiredFor": "post-deployment", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": false }, { "id": 43, "url": "azureedge.net", "port": 443, "protocol": "HTTPS", "component": "CDN", "notes": "Azure CDN - extension packages, agent binaries, update payloads", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "tcp_connect", "testPath": null, "expectedStatus": "connected" }, "wildcard": false, "regionSpecific": false }, { "id": 44, "url": "*.azureedge.net", "port": 443, "protocol": "HTTPS", "component": "CDN", "notes": "Azure CDN wildcard - various content delivery", "arcGatewaySupported": false, "requiredFor": 
"both", "networkOrigin": "management", "validation": { "method": "dns_resolve", "testPath": null, "expectedStatus": "resolved" }, "wildcard": true, "regionSpecific": false }, { "id": 45, "url": "time.windows.com", "port": 123, "protocol": "UDP", "component": "OS Servicing", "notes": "Windows NTP - cluster time synchronization (critical for Kerberos/certs)", "arcGatewaySupported": false, "requiredFor": "both", "networkOrigin": "management", "validation": { "method": "manual", "testPath": null, "expectedStatus": "manual" }, "wildcard": false, "regionSpecific": false } ], "crossSubnetPorts": [ { "port": 22, "protocol": "TCP", "direction": "bidirectional", "purpose": "SSH access between management nodes and AKS node VMs" }, { "port": 443, "protocol": "TCP", "direction": "aks-to-infra", "purpose": "HTTPS - API and webhook traffic" }, { "port": 6443, "protocol": "TCP", "direction": "bidirectional", "purpose": "Kubernetes API server" }, { "port": 9440, "protocol": "TCP", "direction": "bidirectional", "purpose": "MOC cloud agent - AKS Arc lifecycle management" }, { "port": 40343, "protocol": "TCP", "direction": "aks-to-infra", "purpose": "Arc Gateway proxy traffic (when Arc Gateway enabled)" }, { "port": 55000, "protocol": "TCP", "direction": "bidirectional", "purpose": "Cloud agent gRPC communication" }, { "port": 65000, "protocol": "TCP", "direction": "bidirectional", "purpose": "Cloud agent authentication" } ] }