Overview of Arc-enabled System Center Virtual Machine Manager
Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) lets System Center customers connect their VMM environment to Azure and perform VM self-service operations from the Azure portal. It extends the Azure control plane to SCVMM-managed infrastructure, so that Azure security, governance, and management capabilities can be applied consistently across the System Center managed estate and Azure.
Azure Arc-enabled SCVMM also lets you manage your hybrid environment consistently and perform self-service VM operations through the Azure portal. For Microsoft Azure Pack customers, this solution is intended as the alternative for VM self-service operations.
Arc-enabled System Center VMM allows you to:
- Perform VM lifecycle operations such as start, stop, pause, and delete on SCVMM-managed VMs directly from Azure.
- Empower developers and application teams to self-serve VM operations on demand using Azure role-based access control (RBAC).
- Browse your VMM resources (VMs, templates, VM networks, and storage) in Azure, giving you a single-pane view of your infrastructure across both environments.
- Discover and onboard existing SCVMM-managed VMs to Azure.
- Install the Azure Connected Machine agent (the Arc agent) at scale on SCVMM VMs to govern, protect, configure, and monitor them.
Note
For more information regarding the different services Azure Arc offers, see Choosing the right Azure Arc service for machines.
Onboard resources to Azure management at scale
Azure services such as Microsoft Defender for Cloud, Azure Monitor, Azure Update Manager, and Azure Policy provide a rich set of capabilities to secure, monitor, patch, and govern off-Azure resources via Arc.
By using Arc-enabled SCVMM's capabilities to discover your SCVMM managed estate and install the Arc agent at scale, you can simplify onboarding your entire System Center estate to these services.
How does it work?
To Arc-enable a System Center VMM management server, deploy Azure Arc resource bridge in the VMM environment. Arc resource bridge is a virtual appliance that connects the VMM management server to Azure. It lets you represent SCVMM resources (clouds, VMs, templates, and so on) in Azure and perform operations on them from there.
Architecture
The original article includes an architecture diagram for Arc-enabled SCVMM at this point (image not reproduced here).
How is Arc-enabled SCVMM different from Arc-enabled Servers
- Azure Arc-enabled servers operate at the guest operating system level, with no awareness of the underlying infrastructure fabric or the virtualization platform the machine runs on. Because Arc-enabled servers also support bare-metal machines, in some cases there is no host hypervisor at all.
- Azure Arc-enabled SCVMM is a superset of Arc-enabled servers that extends management beyond the guest operating system to the VM itself. It provides lifecycle management and CRUD (Create, Read, Update, and Delete) operations on an SCVMM VM. These lifecycle operations are exposed in the Azure portal and look and feel like those of a regular Azure VM. Azure Arc-enabled SCVMM also provides guest operating system management; in fact, it uses the same components as Azure Arc-enabled servers.
You can start with either option and add the other later without disruption. Both options give you the same consistent experience.
Supported scenarios
The following scenarios are supported in Azure Arc-enabled SCVMM:
- SCVMM administrators can connect a VMM instance to Azure and browse the SCVMM virtual machine inventory in Azure.
- Administrators can use the Azure portal to browse SCVMM inventory and register SCVMM clouds, virtual machines, VM networks, and VM templates in Azure.
- Administrators can grant app teams and developers fine-grained permissions on those SCVMM resources through Azure RBAC.
- App teams can use Azure interfaces (portal, CLI, or REST API) to manage the lifecycle of the on-premises VMs they use to deploy their applications (CRUD, start, stop, restart).
- Administrators can install Arc agents on SCVMM VMs at scale and install the corresponding extensions to use Azure management services such as Microsoft Defender for Cloud, Azure Update Manager, and Azure Monitor.
Note
Azure Arc-enabled SCVMM doesn't support VMware vCenter VMs managed by SCVMM. To onboard VMware VMs to Azure Arc, use Azure Arc-enabled VMware vSphere instead.
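The RBAC scenario above (administrators granting app teams fine-grained permissions on SCVMM resources) is easy to get wrong by assigning a broad role at subscription scope. The following PowerShell script is an added example, not code from the Microsoft documentation. It assumes the Az PowerShell module is installed and `Connect-AzAccount` has been run; the subscription ID, resource group, and Entra group name are placeholders, and the role name "Azure Arc ScVmm VM Contributor" is an assumption about the built-in role for VM lifecycle operations, which the script verifies against the tenant's role definitions before using it.

```powershell
# Added example (not from the Microsoft documentation): grant an app team
# least-privilege access to Arc-enabled SCVMM VMs with Azure RBAC.
# Assumptions: Az module installed, Connect-AzAccount already run. All values
# below are placeholders; the role name is assumed and verified at runtime.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-scvmm-arc'                          # placeholder: RG holding the registered SCVMM VMs
$AppTeamGroup   = 'sg-app-team-vm-operators'              # placeholder: Entra security group
$RoleName       = 'Azure Arc ScVmm VM Contributor'        # assumed built-in role name, verified below

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Confirm the role exists in this tenant instead of trusting the name.
$role = Get-AzRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    throw "Role '$RoleName' not found. List candidates with: Get-AzRoleDefinition | Where-Object Name -like '*ScVmm*'"
}

# 2. Resolve the principal. Assign to a group, not to individual users, so
#    membership changes never require new role assignments.
$group = Get-AzADGroup -DisplayName $AppTeamGroup
if (-not $group) { throw "Entra group '$AppTeamGroup' not found" }

# 3. Scope the assignment to the resource group that holds the team's VMs,
#    not to the whole subscription.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

$existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope -RoleDefinitionName $RoleName -ErrorAction SilentlyContinue |
    Where-Object { $_.Scope -eq $scope }
if ($existing) {
    Write-Host "Assignment already present: $RoleName for $AppTeamGroup at $scope"
} else {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "Assigned $RoleName to $AppTeamGroup at $scope"
}

# 4. Least-privilege check: a scoped assignment is meaningless if the same
#    group already holds Owner or Contributor at a broader scope (subscription
#    or management group). Get-AzRoleAssignment at subscription scope also
#    returns inherited assignments, so filter on scope explicitly.
$broad = Get-AzRoleAssignment -ObjectId $group.Id -Scope "/subscriptions/$SubscriptionId" |
    Where-Object {
        $_.Scope -notlike "$scope*" -and
        $_.RoleDefinitionName -in @('Owner', 'Contributor')
    }
foreach ($b in $broad) {
    Write-Warning "$AppTeamGroup also holds '$($b.RoleDefinitionName)' at '$($b.Scope)'; the scoped assignment does not restrict it."
}
```

Run it once per app team; rerunning is safe because the assignment is only created when it is missing. If step 4 reports a broad role, remove that assignment (or move the team to a dedicated group) before relying on the resource group scope as the boundary.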
Supported VMM versions
Azure Arc-enabled SCVMM works with VMM 2019 and VMM 2022, and supports SCVMM management servers with a maximum of 15,000 VMs.
Supported regions
Azure Arc-enabled SCVMM is currently supported in the following regions:
- East US
- East US 2
- West US 2
- West US 3
- Central US
- South Central US
- UK South
- North Europe
- West Europe
- Sweden Central
- Southeast Asia
- Australia East
Resource bridge networking requirements
The following firewall URL exceptions are needed for the Azure Arc resource bridge VM:
Outbound connectivity requirements
The firewall and proxy URLs below must be allowlisted to enable communication from the management machine, the appliance VM, and the control plane IP to the required Arc resource bridge URLs.
Firewall/Proxy URL allowlist
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com | Management machine & appliance VM IPs need outbound connection. | Download product catalog, product bits, and OS images from SFS. |
Resource bridge (appliance) image download | 443 | msk8s.sb.tlu.dl.delivery.mp.microsoft.com | Management machine & appliance VM IPs need outbound connection. | Download the Arc resource bridge OS images. |
Microsoft Container Registry | 443 | mcr.microsoft.com | Management machine & appliance VM IPs need outbound connection. | Download container images for Arc resource bridge. |
Windows NTP Server | 123 (UDP) | time.windows.com | Management machine & appliance VM IPs need outbound connection on UDP (if the Hyper-V default is Windows NTP). | OS time sync in the appliance VM and management machine (Windows NTP). |
Azure Resource Manager | 443 | management.azure.com | Management machine & appliance VM IPs need outbound connection. | Manage resources in Azure. |
Microsoft Graph | 443 | graph.microsoft.com | Management machine & appliance VM IPs need outbound connection. | Required for Azure RBAC. |
Azure Resource Manager | 443 | login.microsoftonline.com | Management machine & appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Azure Resource Manager | 443 | *.login.microsoft.com | Management machine & appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Azure Resource Manager | 443 | login.windows.net | Management machine & appliance VM IPs need outbound connection. | Required to update ARM tokens. |
Resource bridge (appliance) data plane service | 443 | *.dp.prod.appliances.azure.com | Appliance VM IPs need outbound connection. | Communicate with the resource provider in Azure. |
Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, ecpacr.azurecr.io | Appliance VM IPs need outbound connection. | Required to pull container images. |
Managed Identity | 443 | *.his.arc.azure.com | Appliance VM IPs need outbound connection. | Required to pull system-assigned managed identity certificates. |
Azure Arc for Kubernetes container image download | 443 | azurearcfork8s.azurecr.io | Appliance VM IPs need outbound connection. | Pull container images. |
Azure Arc agent | 443 | k8connecthelm.azureedge.net | Appliance VM IPs need outbound connection. | Deploy the Azure Arc agent. |
ADHS telemetry service | 443 | adhs.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data from the appliance VM. |
Microsoft events data service | 443 | v20.events.data.microsoft.com | Appliance VM IPs need outbound connection. | Send diagnostic data from Windows. |
Log collection for Arc resource bridge | 443 | linuxgeneva-microsoft.azurecr.io | Appliance VM IPs need outbound connection. | Push logs for appliance managed components. |
Resource bridge components download | 443 | kvamanagementoperator.azurecr.io | Appliance VM IPs need outbound connection. | Pull artifacts for appliance managed components. |
Microsoft open source packages manager | 443 | packages.microsoft.com | Appliance VM IPs need outbound connection. | Download Linux installation packages. |
Custom Location | 443 | sts.windows.net | Appliance VM IPs need outbound connection. | Required for Custom Location. |
Azure Arc | 443 | guestnotificationservice.azure.com | Appliance VM IPs need outbound connection. | Required for Azure Arc. |
Custom Location | 443 | k8sconnectcsp.azureedge.net | Appliance VM IPs need outbound connection. | Required for Custom Location. |
Diagnostic data | 443 | gcs.prod.monitoring.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.microsoftmetrics.com | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.hot.ingest.monitor.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Diagnostic data | 443 | *.prod.warm.ingest.monitor.core.windows.net | Appliance VM IPs need outbound connection. | Periodically sends Microsoft required diagnostic data. |
Azure portal | 443 | *.arc.azure.net | Appliance VM IPs need outbound connection. | Manage the cluster from the Azure portal. |
Azure CLI & extension | 443 | *.blob.core.windows.net | Management machine needs outbound connection. | Download the Azure CLI installer and extension. |
Azure Arc agent | 443 | *.dp.kubernetesconfiguration.azure.com | Management machine needs outbound connection. | Data plane used for the Arc agent. |
Python package | 443 | pypi.org, *.pypi.org | Management machine needs outbound connection. | Validate Kubernetes and Python versions. |
Azure CLI | 443 | pythonhosted.org, *.pythonhosted.org | Management machine needs outbound connection. | Python packages for Azure CLI installation. |
Inbound connectivity requirements
Communication on the following ports must be allowed between the management machine, the appliance VM IPs, and the control plane IPs. Ensure these ports are open and that this traffic is not routed through a proxy, so that the Arc resource bridge can be deployed and maintained.
Service | Port | IP/machine | Direction | Notes |
---|---|---|---|---|
SSH | 22 | Appliance VM IPs and management machine | Bidirectional | Used for deploying and maintaining the appliance VM. |
Kubernetes API server | 6443 | Appliance VM IPs and management machine | Bidirectional | Management of the appliance VM. |
SSH | 22 | Control plane IP and management machine | Bidirectional | Used for deploying and maintaining the appliance VM. |
Kubernetes API server | 6443 | Control plane IP and management machine | Bidirectional | Management of the appliance VM. |
HTTPS | 443 | Private cloud control plane address and management machine | Management machine needs outbound connection. | Communication with the private cloud control plane (for SCVMM, the VMM management server; the generic resource bridge table gives the VMware vCenter address as its example). |
In addition, SCVMM requires the following exceptions:
Service | Port | URL | Direction | Notes |
---|---|---|---|---|
SCVMM management server | 443 | URL of the SCVMM management server | Appliance VM IPs and control plane endpoint need outbound connection. | Communication between the appliance VM, the control plane, and the SCVMM management server. |
WinRM | WinRM ports (default: 5985 for HTTP and 5986 for HTTPS) | URL of the WinRM service on the VMM server | IPs in the IP pool used by the appliance VM and control plane need connection to the VMM server. | Used by the SCVMM server to communicate with the appliance VM. |
Generally, connectivity requirements include these principles:
- All connections are TCP unless otherwise specified.
- All HTTP connections use HTTPS (TLS) with certificates from publicly trusted, verifiable certificate authorities.
- All connections are outbound unless otherwise specified.
To use a proxy, verify that the agents and the machine performing the onboarding meet the network requirements in this article; the appliance VM, control plane, and VMM server traffic listed above must bypass the proxy.
For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see Azure Arc network requirements (Consolidated).
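A pre-flight script that checks the requirements above from the management machine catches most firewall and proxy mistakes before the resource bridge deployment fails halfway through. The following PowerShell is an added example and not code from the Microsoft documentation or the Arc resource bridge tooling. The hostnames and ports are taken from the tables above; the appliance IP pool, control plane IP, VMM server name, and the `$ApplianceDeployed` switch are placeholders (assumptions) to replace with your own values, and the proxy is read from the `HTTPS_PROXY` and `NO_PROXY` environment variables. Wildcard entries such as `*.blob.core.windows.net` cannot be probed by name and must be confirmed in proxy or firewall logs instead.

```powershell
# Added example (not from the Microsoft documentation): pre-flight check of the
# Arc resource bridge network requirements, run on the SCVMM management machine.
# Placeholders (assumptions): the appliance IP pool, control plane IP, VMM server
# FQDN and $ApplianceDeployed. Proxy settings are read from HTTPS_PROXY/NO_PROXY.

$ApplianceVmIps    = @('10.0.0.21', '10.0.0.22')   # placeholder: IP pool used by the appliance VM
$ControlPlaneIp    = '10.0.0.20'                   # placeholder: control plane IP
$VmmServer         = 'vmm01.corp.example'          # placeholder: SCVMM management server FQDN
$ApplianceDeployed = $false                        # $true once the appliance exists; before that nothing listens on 22/6443
$ProxyUri          = $env:HTTPS_PROXY              # $null or '' when no proxy is used

# Concrete (non-wildcard) HTTPS endpoints the management machine must reach.
$OutboundHttpsHosts = @(
    'msk8s.api.cdp.microsoft.com',
    'msk8s.sb.tlu.dl.delivery.mp.microsoft.com',
    'mcr.microsoft.com',
    'management.azure.com',
    'graph.microsoft.com',
    'login.microsoftonline.com',
    'login.windows.net',
    'pypi.org',
    'pythonhosted.org'
)

function Test-HttpsEndpoint {
    param([string]$HostName, [string]$Proxy)
    # Any HTTP response, including 403/404, proves the TLS path through the
    # firewall/proxy is open; only transport-level failures count as failures.
    $params = @{ Uri = "https://$HostName/"; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 10 }
    if ($Proxy) { $params['Proxy'] = $Proxy }
    try {
        Invoke-WebRequest @params | Out-Null
        return $true
    } catch {
        # WebException (Windows PowerShell) and HttpResponseException (PowerShell 7)
        # both expose a Response object when the server actually answered.
        return ($null -ne $_.Exception.Response)
    }
}

function Test-TcpPort {
    param([string]$Address, [int]$Port)
    # Direct TCP connect with a 5 s timeout. Deliberately ignores the proxy:
    # appliance, control plane and VMM traffic must not go through it.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne(5000, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = @()
foreach ($h in $OutboundHttpsHosts) {
    $results += [pscustomobject]@{ Check = "HTTPS $h"; Ok = (Test-HttpsEndpoint -HostName $h -Proxy $ProxyUri) }
}

# NTP is UDP 123, so a TCP connect says nothing; ask w32tm for a single sample.
# A successful sample line looks like "12:34:56, +00.0123456s"; a blocked port
# yields "12:34:56, error: ..." which the pattern below rejects.
$ntp = w32tm /stripchart /computer:time.windows.com /samples:1 /dataonly 2>&1
$results += [pscustomobject]@{ Check = 'NTP time.windows.com:123/udp'; Ok = [bool]($ntp -match '^\d{2}:\d{2}:\d{2}, [+-]\d') }

# Bidirectional SSH and Kubernetes API ports to the appliance IPs and control plane.
if ($ApplianceDeployed) {
    foreach ($ip in ($ApplianceVmIps + $ControlPlaneIp)) {
        foreach ($port in 22, 6443) {
            $results += [pscustomobject]@{ Check = "TCP ${ip}:$port"; Ok = (Test-TcpPort -Address $ip -Port $port) }
        }
    }
}

# SCVMM server: HTTPS and WinRM. The table requires these from the appliance and
# control plane IPs; a probe from the management machine only reflects the same
# firewall policy when it sits on the same network segment as the IP pool.
foreach ($port in 443, 5985, 5986) {
    $results += [pscustomobject]@{ Check = "TCP ${VmmServer}:$port"; Ok = (Test-TcpPort -Address $VmmServer -Port $port) }
}

# Proxy bypass: internal addresses must be excluded from the proxy. This is an
# exact-match check; CIDR ranges in NO_PROXY are not expanded.
if ($ProxyUri) {
    $noProxy = ($env:NO_PROXY -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($addr in ($ApplianceVmIps + $ControlPlaneIp + $VmmServer)) {
        $results += [pscustomobject]@{ Check = "NO_PROXY contains $addr"; Ok = ($noProxy -contains $addr) }
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it before the first `az arcappliance` deployment with `$ApplianceDeployed = $false`, and again with `$true` after the appliance VM is up to confirm the bidirectional 22/6443 paths. A failing HTTPS row with a proxy configured usually means the proxy is doing TLS inspection or lacks the allowlist entry; the third principle above (trusted, verifiable certificates) is why an intercepting proxy breaks the appliance even when the host is "allowed".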
Data Residency
Azure Arc-enabled SCVMM doesn't store or process customer data outside the region in which the customer deploys the service instance.